Secure HAPI FHIR data at rest

Introduction

HAPI FHIR is an open source implementation of the HL7 FHIR standard for healthcare interoperability.

The easiest way to get started with HAPI FHIR is to use the HAPI FHIR JPA Server Starter Project.

In previous posts, we augmented the HAPI FHIR JPA Server Starter Project to demonstrate secure access to FHIR resources, including:

  • Support for OpenID Connect and OAuth 2.0 (e.g., SMART on FHIR)
  • Secure HAPI FHIR data in transit

See: HAPI FHIR AU Starter Project

In this post, we'll use the Docker image of the Percona Distribution for PostgreSQL to encrypt data at rest.

Secure data at rest

Enable encryption

The Docker image of the Percona Distribution for PostgreSQL includes the pg_tde extension that provides data encryption:

  postgres:
    container_name: postgres  
    image: percona/percona-distribution-postgresql:17.5
    
    ...

    environment:
      ENABLE_PG_TDE: 1
      
      ...

See: docker-compose.yml

ENABLE_PG_TDE: 1 adds pg_tde to the shared_preload_libraries entry in the postgresql.conf file and enables the custom storage manager.

Connect to the container:

docker exec -it postgres bash

Start an interactive psql session:

psql -U admin -d hapi-fhir

Create the pg_tde extension in the database you want to encrypt:

\c hapi-fhir;
CREATE EXTENSION pg_tde;

Check the list of installed extensions:

hapi-fhir=# \dx
                 List of installed extensions
  Name   | Version |   Schema   |         Description          
---------+---------+------------+------------------------------
 pg_tde  | 1.0-rc  | public     | pg_tde access method
 plpgsql | 1.0     | pg_catalog | PL/pgSQL procedural language
(2 rows)

Configure a key provider:

SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_001_basic.per');

You should see something like:

 pg_tde_add_database_key_provider_file 
---------------------------------------
                                     1
(1 row)

Note: This sample key provider configuration is meant for development and testing purposes only, not production.

Set a principal key:

SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault');

You should see something like:

 pg_tde_set_key_using_database_key_provider 
--------------------------------------------
 
(1 row)

Alter a HAPI FHIR table to enable encryption:

ALTER TABLE hfj_resource SET ACCESS METHOD tde_heap;

You should see something like:

ALTER TABLE

Check to see if the table is encrypted:

SELECT pg_tde_is_encrypted('hfj_resource');

You should see something like:

 pg_tde_is_encrypted 
---------------------
 t
(1 row)

End your interactive psql session:

\q
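
The steps above encrypt a single table. The following is an added example, not part of the original post or the starter project: run it in the same psql session, before `\q`, to report the encryption status of every table and convert the ones still on the default heap access method. It assumes the HAPI FHIR tables are ordinary tables in the `public` schema and that the principal key has already been set as shown above.

```sql
-- Added example (not from the original post).
-- Assumption: HAPI FHIR's tables are ordinary tables in the "public" schema.

-- 1. Report the access method and encryption status of every table.
--    Unencrypted tables sort first.
SELECT c.relname  AS table_name,
       am.amname  AS access_method,
       pg_tde_is_encrypted(format('%I.%I', n.nspname, c.relname)) AS encrypted
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_am am       ON am.oid = c.relam
WHERE n.nspname = 'public'
  AND c.relkind = 'r'              -- ordinary tables only
ORDER BY encrypted, table_name;

-- 2. Convert every table that still uses the default heap access method.
--    SET ACCESS METHOD rewrites the table under an ACCESS EXCLUSIVE lock,
--    so run this while the HAPI FHIR server is stopped.
DO $$
DECLARE
    t record;
BEGIN
    FOR t IN
        SELECT n.nspname, c.relname
        FROM pg_class c
        JOIN pg_namespace n ON n.oid = c.relnamespace
        JOIN pg_am am       ON am.oid = c.relam
        WHERE n.nspname = 'public'
          AND c.relkind = 'r'
          AND am.amname = 'heap'
        ORDER BY c.relname
    LOOP
        EXECUTE format('ALTER TABLE %I.%I SET ACCESS METHOD tde_heap',
                       t.nspname, t.relname);
        RAISE NOTICE 'converted %.% to tde_heap', t.nspname, t.relname;
    END LOOP;
END
$$;
```

Re-run the first query afterwards; every row should show `tde_heap` and `t`.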