FaceBook Data Security Best Practices and Authentication Issues #42397
markdwhite asked this question in Q&A (Unanswered)
Replies: 1 comment

Maybe misunderstood the requirements of "encryption at rest" and ended up using MySQL InnoDB encryption along these lines. No code changes required. https://dev.mysql.com/doc/refman/8.0/en/faqs-tablespace-encryption.html
I manage a couple of older webapps that at some point have been converted to Laravel. They both allow login via email/password combinations or Facebook logins, using Socialite for the latter.
Facebook has advised me I need to confirm I meet the requirements for:
[A] Enforce encryption at rest for all Platform Data storage (e.g., all database files, backups, object storage buckets)
More clarification has not been forthcoming, and FB docs for developers tend to be self-referencing without really being clear. The inference here seems to be that any data provided by Facebook via their API must be encrypted in the DB.
This can partly be achieved through casting certain User attributes to "encrypted" and applying this to the DB fields retrospectively for existing FB and non-FB users. However, I don't see any obvious way of encrypting the email address and still being able to use Laravel UI authentication in any fairly standard way. I can see how it could be made to work, though the solutions seem onerous and rather awkward.
As I find Laravel tends to offer straightforward ways of achieving routine functionality, and I don't think providing email/password logins is especially unusual, I'm surprised to find no information at all about how to work around this.
Am I misunderstanding the requirements here? Are others in a similar position not coming across these Data Protection Assessment requirements, or are they just telling FB "sure, everything's as it should be" and applying their own standard of security to user data?
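The part the question calls onerous (an `encrypted`-cast email that Laravel UI can still log in with) is usually solved with a blind index: the address is stored encrypted, and a separate deterministic HMAC of the normalised address is stored beside it so equality lookups still work. The following is an added example written for this thread, not code from the poster, from Laravel or from Socialite. It assumes Laravel 8+ with laravel/ui, a `users.email` column widened to TEXT to hold ciphertext, a new `users.email_index` VARCHAR(64) UNIQUE column, and a dedicated secret exposed as `config('auth.blind_index_key')` from a `BLIND_INDEX_KEY` entry in `.env`; all of those names are hypothetical.

```php
<?php
// Added example (not code from the original discussion or from Laravel/Socialite).
// Assumes: Laravel 8+ with laravel/ui; `users.email` widened to TEXT to hold
// ciphertext; a new `users.email_index` VARCHAR(64) UNIQUE column; and a
// dedicated secret exposed as config('auth.blind_index_key') from a
// BLIND_INDEX_KEY entry in .env. All of those names are hypothetical.

// ---------- app/Models/User.php ----------
namespace App\Models;

use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Notifications\Notifiable;

class User extends Authenticatable
{
    use Notifiable;

    protected $fillable = ['name', 'email', 'password', 'provider', 'provider_id'];
    protected $hidden   = ['password', 'remember_token', 'email_index'];

    // 'encrypted' encrypts with APP_KEY on write and decrypts on read. The
    // ciphertext carries a fresh random IV each time, so WHERE email = ? can
    // never match; lookups go through the deterministic email_index instead.
    protected $casts = [
        'email'             => 'encrypted',
        'email_verified_at' => 'datetime',
    ];

    // Keyed fingerprint of the normalised address: equal emails give equal
    // indexes, but the key is needed to test a guess, unlike a plain SHA-256.
    public static function blindIndex(string $email): string
    {
        $key = config('auth.blind_index_key'); // assumed config entry
        if (empty($key)) {
            throw new \RuntimeException('BLIND_INDEX_KEY is not configured');
        }
        return hash_hmac('sha256', mb_strtolower(trim($email)), $key);
    }

    protected static function booted(): void
    {
        // Keep the index in step with the address on every create/update.
        static::saving(function (User $user) {
            if ($user->isDirty('email')) {
                $user->email_index = $user->email === null ? null : self::blindIndex($user->email);
            }
        });
    }
}

// ---------- app/Http/Controllers/Auth/LoginController.php ----------
namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use App\Models\User;
use Illuminate\Foundation\Auth\AuthenticatesUsers;
use Illuminate\Http\Request;

class LoginController extends Controller
{
    use AuthenticatesUsers;

    protected $redirectTo = '/home';

    // The form still posts `email`; the credentials handed to Auth::attempt()
    // query `email_index`, so EloquentUserProvider needs no changes.
    protected function credentials(Request $request): array
    {
        return [
            'email_index' => User::blindIndex((string) $request->input('email')),
            'password'    => (string) $request->input('password'),
        ];
    }
}

// ---------- app/Console/Commands/BackfillEmailIndex.php (run once) ----------
namespace App\Console\Commands;

use App\Models\User;
use Illuminate\Console\Command;
use Illuminate\Support\Facades\Crypt;
use Illuminate\Support\Facades\DB;

class BackfillEmailIndex extends Command
{
    protected $signature   = 'users:backfill-email-index';
    protected $description = 'Encrypt existing plaintext emails and populate email_index';

    public function handle(): int
    {
        // Use the query builder, not the model: the 'encrypted' cast would try
        // to decrypt rows that are still plaintext and throw DecryptException.
        DB::table('users')->whereNull('email_index')
            ->chunkById(500, function ($rows) {
                foreach ($rows as $row) {
                    DB::table('users')->where('id', $row->id)->update([
                        'email'       => Crypt::encryptString($row->email), // same format the cast reads
                        'email_index' => User::blindIndex($row->email),
                    ]);
                }
            });

        return self::SUCCESS;
    }
}
```

The same `credentials()` hook exists on the laravel/ui `SendsPasswordResetEmails` and `ResetsPasswords` traits, so the forgot/reset flows need the identical override; the `password_resets` table will still record the address in plaintext unless its token repository is changed as well, and any `unique:users,email` validation on registration has to check `email_index` instead. Socialite logins that look users up by `provider_id` are unaffected. This is field-level encryption inside the application and is independent of the InnoDB tablespace encryption mentioned in the reply; the two can be combined.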