Session 130
Transparent Data Encryption
Richard Banville
OpenEdge Fellow, Progress Software

Overview: Transparent Data Encryption (TDE)
What Is TDE?
• Transparent
  • Application transparent data encryption
  • Full index query support
  • No need to move data
• Flexible
  • Encrypt individual objects (tables, indexes, LOBs) in Type II areas
  • Encrypt individual Type I areas
  • Storage engine encrypts blocks on disk (access neutral)
• Secure
  • Provides secure encryption key storage
  • Limits access to physical data
  • Important piece of an overall data privacy strategy

Data Encryption
How Does It Work?
[Diagram, built up over four slides: plain text → cipher (encrypt) → encrypted data → cipher (decrypt) → plain text. Key value makes it unique. Example: "Have a nice day" encrypts to nonsensical data "z!$x;h@p$r#w!e" and decrypts back. A further build is captioned "Having a bad day… ?" and shows "#!~?;!@#$!#$#!!" alongside "z!$x;h@p$r#w!e".]

OpenEdge Transparent Data Encryption (TDE)
How Does It Work?
[Diagram: Database Storage Engine. On write I/O, the plain text block in the shared memory buffer pool is encrypted into encrypted data in the database; on read I/O it is decrypted. Keys come from the key store; policies come from the Encryption Policy Area.]
• Product Install
• Key store
  • Database Master Key (DMK)
  • Admin/User Passphrase
  • Manual/Automatic Authentication
• Encryption Policy Area
  • Encryption Policies - What (object) & how (cipher)

Thing 1: TDE Availability
• Transparent Data Encryption
  • OpenEdge product
  • First available in the 10.2B release
• Requires two products be installed
  • Enterprise OpenEdge Database product
  • Transparent Data Encryption product

Thing 2: The Key Store
The Most Critical Piece Of TDE
• Stores the Database Master Key (DMK)
  • Makes encrypted data unique
  • Unique per database
  • File named: <dbname>.ks
• Securing the DMK in the key store
  • Stored separately from db
  • Protected by passphrase based authentication
  • Not part of database backup (Why not?)

Thing 2: The Key Store
The Most Critical Piece Of TDE
• Losing the keys to the kingdom: rm -f mydb.ks
• Re-mastering your database master key (PBE cipher only)
  • Passphrases have predetermined rules
• Advantages of DMK PBE
  • Can be regenerated
  • See previous advantage
• Disadvantages of DMK PBE
  • Can be regenerated (less secure)
  • Needs large passphrase to be effective
  • Must remember passphrase

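The PBE trade-off listed above, as an added example that is not from the original slides or from OpenEdge: a passphrase-derived master key can be rebuilt after the key store file is lost, a random one cannot. PBKDF2, the work factor, the blob layout and every function name are assumptions of this sketch and say nothing about the real `.ks` format.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: illustrative PBKDF2 work factor

def _kdf(passphrase: str, salt: bytes, length: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=length)

def regenerate_dmk(passphrase: str, dbname: str) -> bytes:
    """PBE master key: a pure function of the passphrase and the database name."""
    return _kdf(passphrase, b"dmk:" + dbname.encode(), 16)

def create_keystore(passphrase: str, dbname: str, pbe: bool):
    """Return (keystore_bytes, dmk). The DMK is stored wrapped under the passphrase."""
    dmk = regenerate_dmk(passphrase, dbname) if pbe else os.urandom(16)
    salt = os.urandom(16)
    kek = _kdf(passphrase, salt, 48)  # 16 bytes wrap the DMK, 32 bytes authenticate it
    wrapped = bytes(a ^ b for a, b in zip(dmk, kek[:16]))
    tag = hmac.new(kek[16:], wrapped, "sha256").digest()
    return salt + wrapped + tag, dmk

def open_keystore(blob: bytes, passphrase: str) -> bytes:
    """Passphrase-based authentication: unwrap the DMK or refuse."""
    salt, wrapped, tag = blob[:16], blob[16:32], blob[32:]
    kek = _kdf(passphrase, salt, 48)
    if not hmac.compare_digest(tag, hmac.new(kek[16:], wrapped, "sha256").digest()):
        raise PermissionError("key store authentication failed")
    return bytes(a ^ b for a, b in zip(wrapped, kek[:16]))

def recover_after_loss(passphrase: str, dbname: str, original_dmk: bytes) -> bool:
    """Simulate `rm -f mydb.ks`: can the same DMK be rebuilt without the file?"""
    return hmac.compare_digest(regenerate_dmk(passphrase, dbname), original_dmk)
```

In this model the PBE key is only as strong as the passphrase, because the passphrase alone is enough to rebuild it; that is the "can be regenerated (less secure)" point on the slide.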
Thing 3: Encryption Policies
Describes What And How To Encrypt
• Policy Contents
  • Object to encrypt
    • Table, Index, Lob (Type II storage areas)
    • Area (Type I storage area)
    • AI and BI recovery
  • Cipher – algorithm & key size
• Secure (Key store administrator & DB administrator)
  • Stored in “Encryption Policy Area”
  • User prevented from direct record access
• Policy Maintenance
  • Epolicy tool, OpenEdge SQL, Data Admin tool
  • Add, remove, alter (cipher, key) online

Cipher Choice
How do I decide?
[Charts: Performance Cost and Security Strength, each on a scale from 0 (no encryption) to 10, comparing DES-PBE, DES-56, DES3-168, RC4-128, AES-128, AES-192 and AES-256. *Graphical data is relative]
• Governance
• Business rules
• Your choice, your responsibility - balance strength & performance

Enabling Encryption Easy as 1, 2, 3
Step #1: Enabling Encryption
Create a Type II storage area for encryption policies
• Named “Encryption Policy Area”
• Any available user data area number will suffice

Structure file showing example policy area definition:
    e "Encryption Policy Area":12,32;64 . f 10240
    e "Encryption Policy Area":12,32;64 .

Add the encryption policy area using prostrct add:
    prostrct addonline mydb mydb_epolicy_area.st

Create a new structure file which includes the new area:
    prostrct list mydb

Step #2: Enabling Encryption
[Diagram: database (DB) and key store (KS)]

    proutil <dbname> -C enableencryption
        [-biencryption enable | disable]
        [-aiencryption enable | disable]
        [-Autostart user | admin]
        [-Cipher cipher-number]

• Does not encrypt any data
• Decisions, decisions, decisions
  • AI and/or BI (online, offline)
  • Automatic vs manual key store authentication
    • Management vs security
  • DMK Cipher – security vs availability (PBE cipher)
• Creates key store (<dbname>.ks)
  • User vs Admin key store accounts
• Ready for encryption policy creation

Step #3: Policy Maintenance
• Three ways to add policy
  • Proutil epolicy tool
  • Data Administration Tool
  • OpenEdge SQL DDL syntax

Step #3: Policy Maintenance
• Three ways to add policy
  • Proutil epolicy tool
  • Data Administration Tool
  • OpenEdge SQL DDL syntax
• Type I areas or Type II objects
• Data lazily encrypted
• Must update before cipher change
• Current and one previous policy allowed

    proutil <db-name> -C epolicy manage object-type encrypt | cipher | rekey <object-name> -Cipher <cipher #>
    proutil <db-name> -C epolicy manage object-type update <object-name>

Step #3: Policy Maintenance
• Three ways to add policy
  • Proutil epolicy tool
  • Data Administration Tool
    • Disabled remotely
    • Type II “PUB” schema only
    • Multi select UI
    • Local access only
[Menu: Admin → Security → Encryption Policies → Edit Encryption Policies . . .]

Step #3: Policy Maintenance
• Three ways to add policy
  • proutil epolicy tool
  • Data Administration Tool
  • OpenEdge SQL DDL syntax

    CREATE TABLE | INDEX <name> ... [ ENCRYPT WITH <algorithm> ] . . . ;
    ALTER TABLE | INDEX | COLUMN <name> SET [ ENCRYPT WITH <algorithm> | DECRYPT | ENCRYPT REKEY ] . . . ;
    SHOW ENCRYPT ON { ALL [ TABLE | INDEX | LOB ] | TABLE table-name [ WITH INDEX | WITH LOB ] | TABLE table-name ON INDEX index-name };

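A simplified model of what "enabling does not encrypt any data", "data lazily encrypted" and "current and one previous policy allowed" mean for blocks already on disk, added here as an illustration and not taken from the slides or from OpenEdge code. The class, its method names and the toy cipher are assumptions; only the behaviour stated on the slides is modelled.

```python
import hashlib
import os

def _toy_cipher(key: bytes, block_no: int, data: bytes) -> bytes:
    # Toy XOR keystream (SHA-256 in counter mode); a stand-in for the real
    # ciphers, used only so the example runs with the standard library.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + block_no.to_bytes(8, "big") + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

class ToyStorageEngine:
    def __init__(self):
        self.disk = {}      # (object, block#) -> (policy version or None, bytes on disk)
        self.policies = {}  # object -> {version: key}; current plus one previous at most

    def set_policy(self, obj):
        """Add or change the policy for obj. Blocks already on disk are not rewritten."""
        versions = self.policies.setdefault(obj, {})
        if len(versions) == 2:
            raise RuntimeError("update the object before changing its policy again")
        versions[max(versions, default=0) + 1] = os.urandom(16)

    def write(self, obj, block_no, plaintext):
        versions = self.policies.get(obj)
        if not versions:  # no policy: the block goes to disk as plain text
            self.disk[obj, block_no] = (None, plaintext)
            return
        current = max(versions)
        self.disk[obj, block_no] = (current, _toy_cipher(versions[current], block_no, plaintext))

    def read(self, obj, block_no):
        version, raw = self.disk[obj, block_no]
        return raw if version is None else _toy_cipher(self.policies[obj][version], block_no, raw)

    def update(self, obj):
        """Rewrite every block of obj under the current policy and retire the previous one."""
        for key in [k for k in self.disk if k[0] == obj]:
            self.write(obj, key[1], self.read(obj, key[1]))
        current = max(self.policies[obj])
        self.policies[obj] = {current: self.policies[obj][current]}

    def stale_blocks(self, obj):
        """Block numbers of obj still on disk as plain text or under a previous policy."""
        current = max(self.policies.get(obj, {}), default=None)
        return sorted(n for (o, n), (v, _) in self.disk.items() if o == obj and v != current)
```

The check a practitioner wants after adding or changing a policy is the equivalent of `stale_blocks()` returning an empty list: until the object has been updated, older blocks are still on disk in their earlier form.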
Performance Considerations
• Maximize the buffer pool hit-rate
  • Increase -B
  • Consider using an Alternate Buffer Pool (-B2)
• Normalize data to encrypt
  • Separate private and non private data
  • Read Codd
• Isolate data to encrypt
  • Use Type II storage areas (object level)
  • Encrypt only necessary indexes
• Carefully choose cipher (algorithm + key size)
  • Balance security and performance

Summary
• OpenEdge Transparent Data Encryption
  • Flexible
  • Protects data at rest transparently
  • Very low performance impact
• TDE is easy to understand
  • Product install
  • Key store
  • Encryption policies
• TDE is easy to implement
  • Add encryption area
  • Enable database
  • Create encryption policies