Securing Embeddings: Encryption and Data Hygiene
Understand the risks of 'Embedding Inversion' and learn how to encrypt your vector data at rest and in transit.
Securing Embeddings: Encryption and Data Hygiene
Can a list of numbers be dangerous? Yes. Researchers have shown that it is possible to "Invert" an embedding vector to reconstruct the original text. If you store a vector of a patient's medical record, an attacker might be able to regenerate the text of that record just by having the vector.
In this lesson, we learn how to treat vectors as Sensitive Data.
1. Encryption in Transit (TLS)
Every request to your vector database must happen over HTTPS/TLS.
- The Risk: "Man-in-the-Middle" attacks where an observer on the network sniffs the vectors being sent to the database.
- The Solution: All modern managed databases (Pinecone, Chroma Cloud) enforce TLS by default. Ensure your local self-hosted instances (Docker) also use SSL certificates.
2. Encryption at Rest
Your vectors are stored on a physical SSD in a data center.
- The Risk: Someone physically steals the drive from the server and reads the raw vector files.
- The Solution: Use AES-256 encryption at the disk level. Cloud providers (AWS/GCP/Azure) handle this automatically, but you should verify that your "Encryption Keys" (KMS) are managed correctly.
3. The "Inversion" Threat
If an attacker knows which model you used (e.g., text-embedding-3-small), they can train an "Inversion Model" to guess words that would produce a similar vector.
Prevention Strategies:
- Never store PII in Metadata: Metadata is often stored as plain text. If you put a user's Social Security Number in the metadata of a vector, you've defeated all your security.
- Dimension Reduction: Using PCA or other techniques to remove "Noise" from a vector can make inversion significantly harder while keeping search accuracy high (Module 8.4).
4. Implementation: Scrubbing PII (Python)
Before you send text to an embedding model, you must Scrub it.
import re
def scrub_pii(text):
# 1. Simple Regex to remove emails
text = re.sub(r'\S+@\S+', '[EMAIL_REDACTED]', text)
# 2. Simple Regex for Credit Cards
text = re.sub(r'\d{4}-\d{4}-\d{4}-\d{4}', '[CC_REDACTED]', text)
return text
# Ingestion Flow
raw_doc = "Email me at john@doe.com for the password."
safe_doc = scrub_pii(raw_doc)
vector = model.encode(safe_doc) # SECURE ENCODING
5. Summary and Key Takeaways
- Vectors are Confidential: Treat a vector with the same level of security as the raw text it represents.
- TLS is Mandatory: Never send vectors over unencrypted HTTP.
- Scrub Before Embedding: Once PII is embedded, it's very hard to "Un-embed" it. Sanitize your data at the source.
- Metadata is Plaintext: Assume anyone with "Reader" access to the DB can read all your metadata strings.
In the next lesson, we’ll look at Sensitive Data Risks and the "Hallucination" of privacy.