Puede cifrar sus realms para asegurar que los datos almacenados en disco no puedan leerse fuera de su aplicación. Usted cifra el archivo Realm en disco con AES-256 + SHA-2 proporcionando una llave de cifrado de 64 bytes la primera vez que abre el realm.
Realm cifra y descifra datos de forma transparente con estándares Cifrado AES-256Utilizando los primeros 256 bits de la clave de cifrado de bits 512dada. Realm utiliza los otros 256 bits de la 512clave de cifrado de bits para validar la integridad mediante un código de autenticación de mensajes basado en hash (HMAC).
Advertencia
Do not use cryptographically-weak hashes for realm encryption keys. For optimal security, we recommend generating random rather than derived encryption keys.
Nota
Encripta un Realm al abrir o copia un Realm sin cifrar
You must encrypt a realm the first time you open it. If you try to open an existing unencrypted realm using a configuration that contains an encryption key, Realm throws an error.
Como alternativa, puede copiar los datos del dominio sin cifrar a un nuevo dominio cifrado mediante el método Realm.writeCopyTo(). Consulte Copiar datos a un nuevo dominio para obtener más información.
Cifrar un dominio local
To encrypt a local realm, pass your encryption key to the encryptionKey property in the RealmConfiguration.Builder() used to open the realm.
The following code demonstrates how to generate an encryption key and open an encrypted local realm:
// return a random key from the given seed fun getRandomKey(seed: Long? = null): ByteArray { // generate a new 64-byte encryption key val key = ByteArray(64) if (seed != null) { // If there is a seed provided, create a random number with that seed // and fill the byte array with random bytes Random(seed).nextBytes(key) } else { // fill the byte array with random bytes Random.nextBytes(key) } return key } runBlocking { // Create the configuration val config = RealmConfiguration.Builder(setOf(Frog::class)) // Specify the encryption key .encryptionKey(generatedKey) .build() // Open the realm with the configuration val realm = Realm.open(config) Log.v("Successfully opened encrypted realm: ${realm.configuration.name}") }
Encrypt a Synced Realm
Si tu aplicación utiliza Atlas Device Sync, puedes cifrar un realm sincronizado, similar a cifrar un realm local.
Para cifrar un reino sincronizado, pase su clave de cifrado a la propiedad encryptionKey en SyncConfiguration.Builder() utilizado para abrir el reino.
El siguiente código demuestra cómo abrir un realm sincronizado y cifrado:
val syncConfig = SyncConfiguration.Builder(user, setOf(Frog::class)) .initialSubscriptions { realm -> add(realm.query<Frog>()) } // Specify the encryption key .encryptionKey(generatedKey) .build() val realm = Realm.open(syncConfig) Log.v("Successfully opened encrypted realm: ${realm.configuration.name}")
Refer to Configure & Open a Synced Realm - Kotlin SDK for more information.
Encryption and Atlas Device Sync
Realm only encrypts the data on the device and stores the data unencrypted in your Atlas data source. Any users with authorized access to the Atlas data source can read the data, but the following still applies:
Users must have the correct read permissions to read the synced data.
Data stored in Atlas is always encrypted at a volume (disk) level.
The transfer between client and server is always fully encrypted.
You can also enable Customer Key Management to encrypt stored Atlas data using your cloud provider's key (e.g. AWS KMS, Azure Key Vault, Google Cloud KMS).
If you need unique keys for each user of your application, you can use an OAuth provider or use one of the Realm authentication providers and an authentication trigger to create a 64-bit key and store that key in a user object.
Encriptar Metadatos de la aplicación
You can also encrypt the App Services App metadata that Realm stores on the device.
Para obtener más información, consulta Cifrar metadatos de la aplicación.
Almacenar y reutilizar claves
You must pass the same encryption key every time you open the encrypted realm. If you don't provide a key or specify the wrong key for an encrypted realm, the Realm SDK throws an error.
Apps should store the encryption key securely, typically in the target platform's secure key/value storage, so that other apps cannot read the key. For example, you can use the Android Keystore system or Apple's Keychain. It is the developer's responsibility to ensure that attackers cannot access the key.
Impacto en el rendimiento
Las lecturas y escrituras en los "realms" cifrados pueden ser hasta un 10% más lentas que en los "realms" sin cifrar.
Access Encrypted Realms from Multiple Processes
Modificado en la versión 10.8.0.
Starting with Realm Kotlin SDK version 10.8.0, Realm supports opening the same encrypted realm in multiple processes.
If your app uses Realm Kotlin SDK version 10.7.1 or earlier, attempting to open an encrypted realm from multiple processes throws this error:
Encrypted interprocess sharing is currently unsupported.