Skip to content

Decision: plaintext face/voice embeddings stored + HNSW-indexed alongside ciphertext ("encrypted at rest" is illusory) #156

Description

@ahmetabdullahgultekin

From the 2026-06-02 DB review (P0-2), verified on origin/main: face_embeddings.embedding is a NOT-NULL plaintext vector(512) (Alembic 0001) with the HNSW search index built on it; embedding_ciphertext (Alembic 0005) is a nullable add-on column. pgvector cosine search requires the plaintext, so a leaked DB dump exposes raw biometric templates regardless of the ciphertext column — the at-rest encryption claim is not real for the searchable copy.

This is NOT a remote exploit (it requires DB-dump access) — it is a data-model / truth-in-claims decision:

  • A. Keep plaintext for search, relabel the ciphertext as an explicit "encrypted backup" and stop claiming "biometrics encrypted at rest" (cheap, honest).
  • B. Move to searchable/queryable encryption or app-side ANN over ciphertext and drop the plaintext column (large lift, real at-rest encryption).
  • C. Accept + document the posture (test-only system, owner is sole user).

Recommend A now (relabel + fix the public claims, see FIVUCSAS#184), B as a roadmap item. Pairs with FIVUCSAS#184 (truth-in-claims).

Metadata

Metadata

Assignees

No one assigned

    Labels

    decision/recommend-firstOwner decision needed before action (design/destructive)securitySecurity-sensitive correctness or hardeningsurface/biobiometric-processor (FastAPI/Python)

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions