Best asymetric encryption scheme for logging

Question

I am using java spring boot and adding functions to log exceptions.

Although I try to remove as much sensitive information as possible, I am trying to encrypt all logs that I store in case my server is breached (so no sensitive plaintext information is shown to hackers).

My plan originally was to encrypt all incoming exceptions and information about that incident using an RSA public key and store it in my database.

When it comes time for me to read through the logs, I can use my private key to decrypt the information and read it (obviously, we would never use symmetric encryption here, as if my server was hacked into, then the hacker would be able to decrypt my logs). Here comes the problem: RSA is very slow, due to it's bit length, and my server may really struggle or crash in the event of large loads of data logging.

Are there better asymmetric encryption schemes java supports that give the same amount of security that say RSA-4096 provides that are significantly quicker?

I tried ECDSA/ECDH, but that is only for signing stuff, not for string encryption and decryption.

Answer 1

I tried ECDSA/ECDH, but that is only for signing stuff, not for string encryption and decryption.

If you must, you can use ECDH:

• Have a securely stored EC keypair (A) (stored in some vault/secured keystore)
• Give A.pub to the application
• During runtime, generate a new EC keypair (B)
• With A.pub and B.priv generate a common secret key (symmetric)
• Store the B.pub in a database with keyId
• Encrypt logging with common secret (using AES-GCM) and include keyId in the logging so you know what key was used

(for next part you might want a separate application for decrypting the logs)

• When you want to read the logs: lookup B.pub in database with keyId.
• Get your A.priv from your secure place
• Regenerate common secret with A.priv and B.pub. (Given DH, this is same as the encryption key).
• Decrypt the logs with the common secret key (again, with AES-GCM)