Puedes cifrar el archivo Realm en el disco con AES-256 + SHA-2 proporcionando una llave de cifrado de 64 bytes al abrir un realm.
Realm cifra y descifra datos de forma transparente con estándares Cifrado AES-256Utilizando los primeros 256 bits de la clave de cifrado de bits 512dada. Realm utiliza los otros 256 bits de la 512clave de cifrado de bits para validar la integridad mediante un código de autenticación de mensajes basado en hash (HMAC).
Advertencia
Do not use cryptographically-weak hashes for realm encryption keys. For optimal security, we recommend generating random rather than derived encryption keys.
Cifrar un reino llamando al set_encryption_key() función en su db_config:
// Check if we already have a key stored in the platform's secure storage. // If we don't, generate a new one. // Use your preferred method to generate a key. This example key is // NOT representative of a secure encryption key. It only exists to // illustrate the form your key might take. std::array<char, 64> exampleKey = { 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 2, 2, 0, 0, 0, 0, 0, 0, 3, 3, 0, 0, 0, 0, 0, 0, 4, 4, 0, 0, 0, 0, 0, 0, 5, 5, 0, 0, 0, 0, 0, 0, 6, 6, 0, 0, 0, 0, 0, 0, 7, 7, 0, 0, 0, 0, 0, 0}; // Store the key securely to be used next time we want to open the database. // We don't illustrate this here because it varies depending on the platform. // Create a database configuration. auto config = realm::db_config(); // Set the encryption key in your config. config.set_encryption_key(exampleKey); // Open or create a database with the config containing the encryption key. auto realm = realm::db(config);
Tip
You cannot encrypt a realm that already exists on device
The C++ SDK does not yet support encrypting a realm that already exists on device. You must encrypt the realm the first time you open it.
Almacenar y reutilizar claves
You must pass the same encryption key every time you open the encrypted realm. If you don't provide a key or specify the wrong key for an encrypted realm, the Realm SDK throws an error.
Apps should store the encryption key securely on the device so that other apps cannot read the key.
Impacto en el rendimiento
Las lecturas y escrituras en los "realms" cifrados pueden ser hasta un 10% más lentas que en los "realms" sin cifrar.
Encryption and Atlas Device Sync
Encrypt a Synced Realm
Puede encriptar un realm sincronizado.
Realm only encrypts the data on the device and stores the data unencrypted in your Atlas data source. Any users with authorized access to the Atlas data source can read the data, but the following still applies:
Users must have the correct read permissions to read the synced data.
Data stored in Atlas is always encrypted at a volume (disk) level.
The transfer between client and server is always fully encrypted.
You can also enable Customer Key Management to encrypt stored Atlas data using your cloud provider's key (e.g. AWS KMS, Azure Key Vault, Google Cloud KMS).
If you need unique keys for each user of your application, you can use an OAuth provider or use one of the Realm authentication providers and an authentication trigger to create a 64-bit key and store that key in a user object.
Encrypt Metadata
You can encrypt the metadata that Realm stores on the device. For more information, refer to Encrypt App Metadata.