@plee It depends on what layer you want to encrypt: over the wire, at the storage layer, or at the property layer. There may also be other layers I'm overlooking, but these are not mutually exclusive and can be used in conjunction.
Encrypting over the wire is a matter of setting up TLS/SSL certificates and should be done regardless of which other solutions you choose here.
If you need to query the cleartext data, you'll need access to it within the query. If you're encrypting at the property layer, this would likely involve decrypting the property using a key you inject via the query parameters. Something like this:
WHERE decrypt(n.encrypted_value, $encryption_key) = $decrypted_value
decrypt could be a function provided by a Neo4j plugin. I wouldn't store the encryption key in the same database. Keep in mind, this would be an unindexed query (an index on :MyNode.encrypted_value would not be used) so you should plan your queries around that.
The most common scenario I've seen is to encrypt the disk partition at the OS level. This way people who have direct access to the disk partition (for example, if it is reused when you remove the EC2 instance or EBS volume from your account without it being zeroed out) can't mine the disk for data, such as PII, passwords, etc. Encrypting a disk partition has a runtime I/O cost, though, so make sure it'll be fast enough for your needs if you do this.
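An added sketch of the property-layer lookup described in the reply above (not part of the original post and not Neo4j plugin code): it shows why an index on the encrypted property cannot serve the query and why every node has to be decrypted. The node layout, function names and sample values are assumptions, and encrypt/decrypt are a standard-library HMAC-SHA256 stand-in for whatever authenticated cipher a real plugin would use.

```python
import hashlib, hmac, os

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode: stdlib stand-in for a real AEAD such as AES-GCM.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(plaintext, key):
    nonce = os.urandom(16)  # fresh per value, so equal plaintexts give different ciphertexts
    data = plaintext.encode()
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(blob, key):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key or modified value: never matches the predicate
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))).decode()

def find_by_cleartext(nodes, key, wanted):
    # Mirrors: WHERE decrypt(n.encrypted_value, $encryption_key) = $decrypted_value
    hits, calls = [], 0
    for node in nodes:  # full scan: one decrypt call per node
        calls += 1
        if decrypt(node["encrypted_value"], key) == wanted:
            hits.append(node["id"])
    return hits, calls

def demo():
    key = os.urandom(32)  # constructed; supplied per query, never stored with the data
    values = ["alice@example.com", "bob@example.com", "alice@example.com"]  # constructed
    nodes = [{"id": i, "encrypted_value": encrypt(v, key)} for i, v in enumerate(values)]
    # An index maps stored ciphertexts to nodes; re-encrypting the search term misses it.
    index = {n["encrypted_value"]: n["id"] for n in nodes}
    index_hit = encrypt("alice@example.com", key) in index
    hits, calls = find_by_cleartext(nodes, key, "alice@example.com")
    wrong_key_hits, _ = find_by_cleartext(nodes, os.urandom(32), "alice@example.com")
    return index_hit, hits, calls, wrong_key_hits

if __name__ == "__main__":
    print(demo())
```

The decrypt call count equals the node count, which is the cost to plan queries around: narrow the candidate set with an indexed cleartext property first where one exists.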