Transparent Data Encryption

Session 130. Transparent Data Encryption. Richard Banville, OpenEdge Fellow, Progress Software.

Presentation Transcript


  1. Session 130: Transparent Data Encryption. Richard Banville, OpenEdge Fellow, Progress Software

  2. Overview: Transparent Data Encryption (TDE). What Is TDE? • Transparent: application-transparent data encryption; full index query support; no need to move data • Flexible: encrypt individual objects (tables, indexes, LOBs) in Type II areas; encrypt individual Type I areas; storage engine encrypts blocks on disk (access neutral) • Secure: provides secure encryption key storage; limits access to physical data • Important piece of an overall data privacy strategy

  3. Data Encryption: How Does It Work? [Diagram: plain text → Encrypt (cipher) → encrypted data → Decrypt (cipher) → plain text.] Key value makes it unique.

  4. Data Encryption: How Does It Work? [Diagram: the cipher encrypts "Have a nice day" into nonsensical data, z!$x;h@p$r#w!e, and decrypts it back.]

  5. Data Encryption: How Does It Work? [Diagram: as on the previous slide, with the labels "Having a bad day… ?" and "#!~?;!@#$!#$#!!" next to the nonsensical data z!$x;h@p$r#w!e.]

  6. Data Encryption: How Does It Work? [Diagram: plain text → Encrypt (cipher) → encrypted data → Decrypt (cipher) → plain text.]

  7. OpenEdge Transparent Data Encryption (TDE): How Does It Work? [Diagram labels: Database Storage Engine; Write I/O, Encrypt; Read I/O, Decrypt; Shared Memory Buffer Pool (plain text block); Encrypted Data; Database; Key store (Keys); Policy Area (Policies).] • Product install • Key store: Database Master Key (DMK); admin/user passphrase; manual/automatic authentication • Encryption Policy Area: encryption policies - what (object) & how (cipher)

  10. Thing 1: TDE Availability • Transparent Data Encryption: an OpenEdge product; first available in the 10.2B release • Requires two products to be installed: Enterprise OpenEdge Database product; Transparent Data Encryption product

  11. Thing 2: The Key Store: The Most Critical Piece of TDE • Stores the Database Master Key (DMK): makes encrypted data unique; unique per database • File named <dbname>.ks • Securing the DMK in the key store: stored separately from the database; protected by passphrase-based authentication; not part of database backup (Why not?)

  12. Thing 2: The Key Store: The Most Critical Piece of TDE • Losing the keys to the kingdom: rm -f mydb.ks • Re-mastering your database master key (PBE cipher only) • Passphrases have predetermined rules • Advantages of DMK PBE: can be regenerated; see previous advantage • Disadvantages of DMK PBE: can be regenerated (less secure); needs large passphrase to be effective; must remember passphrase

  13. Thing 3: Encryption Policies: Describes What and How to Encrypt • Policy contents: object to encrypt, either table, index, LOB (Type II storage areas) or area (Type I storage area); AI and BI recovery; cipher (algorithm & key size) • Secure (key store administrator & DB administrator): stored in “Encryption Policy Area”; user prevented from direct record access • Policy maintenance: epolicy tool, OpenEdge SQL, Data Admin tool; add, remove, alter (cipher, key) online

  14. Cipher Choice: How do I decide? • Governance • Business rules • Your choice, your responsibility - balance strength & performance [Charts, each on a scale from 0 (no encryption) to 10: "Performance Cost" (labels: DES-56/PBE, DES3-168, AES-192, AES-128, RC4-128, AES-256) and "Security Strength" (labels: DES-PBE, DES-56, AES-192, AES-128, DES3-168, RC4-128, AES-256). *Graphical data is relative.]

  15. Enabling Encryption: Easy as 1, 2, 3

  16. Step #1: Enabling Encryption. Create a Type II storage area for encryption policies • Named “Encryption Policy Area” • Any available user data area number will suffice • Structure file showing an example policy area definition:
        e "Encryption Policy Area":12,32;64 . f 10240
        e "Encryption Policy Area":12,32;64 .
      • Add the encryption policy using prostrct add:
        prostrct addonline mydb mydb_epolicy_area.st
      • Create a new structure file which includes the new area:
        prostrct list mydb

  17. Step #2: Enabling Encryption [Diagram labels: DB, KS]
        proutil <dbname> -C enableencryption [-biencryption enable | disable] [-aiencryption enable | disable] [-Autostart user | admin] [-Cipher cipher-number]
      • Does not encrypt any data • Decisions, decisions, decisions: AI and/or BI (online, offline); automatic vs manual key store authentication (management vs security); DMK cipher - security vs availability (PBE cipher) • Creates key store (<dbname>.ks): user vs admin key store accounts • Ready for encryption policy creation

  18. Step #3: Policy Maintenance • Three ways to add policy • Proutil epolicy tool • Data Administration Tool • OpenEdge SQL DDL syntax

  19. Step #3: Policy Maintenance • Three ways to add policy • Proutil epolicy tool • Data Administration Tool • OpenEdge SQL DDL syntax • Proutil epolicy tool: Type I areas or Type II objects; data lazily encrypted; must update before cipher change; current and one previous policy allowed
        proutil <db-name> -C epolicy manage object-type encrypt | cipher | rekey <object-name> -Cipher <cipher #>
        proutil <db-name> -C epolicy manage object-type update <object-name>

  20. Step #3: Policy Maintenance • Three ways to add policy • Proutil epolicy tool • Data Administration Tool: disabled remotely; Type II “PUB” schema only; multi-select UI; local access only; menu path Admin > Security > Encryption Policies > Edit Encryption Policies . . .

  21. Step #3: Policy Maintenance • Three ways to add policy • proutil epolicy tool • Data Administration Tool • OpenEdge SQL DDL syntax:
        CREATE TABLE | INDEX <name> ... [ ENCRYPT WITH <algorithm> ] ...;
        ALTER TABLE | INDEX | COLUMN <name> SET [ ENCRYPT WITH <algorithm> | DECRYPT | ENCRYPT REKEY ] ...;
        SHOW ENCRYPT ON { ALL [ TABLE | INDEX | LOB ] | TABLE table-name [ WITH INDEX | WITH LOB ] | TABLE table-name ON INDEX index-name };

  22. Performance Considerations

  23. Performance Considerations • Maximize the buffer pool hit rate: increase -B; consider using an Alternate Buffer Pool (-B2) • Normalize data to encrypt: separate private and non-private data; read Codd • Isolate data to encrypt: use Type II storage areas (object level); encrypt only necessary indexes • Carefully choose cipher (algorithm + key size): balance security and performance

  24. Summary • OpenEdge Transparent Data Encryption: flexible; protects data at rest transparently; very low performance impact • TDE is easy to understand: product install; key store; encryption policies • TDE is easy to implement: add encryption area; enable database; create encryption policies

  25. Session 130: Transparent Data Encryption. Richard Banville, OpenEdge Fellow, Progress Software
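
Slide 12's trade-off for a passphrase-derived (PBE) master key, as an added Python example that is not from the presentation or from Progress: a PBE key can be rebuilt after the key store is lost, and its strength is capped by the passphrase rather than by the key size. PBKDF2 from the standard library stands in for the product's PBE cipher, which the slides do not specify; the salt, iteration count, passphrase and function names are assumptions.

```python
import hashlib
import math
import os

ITERATIONS = 200_000   # assumed work factor, not an OpenEdge setting

def pbe_dmk(passphrase: str, salt: bytes, key_bits: int = 128) -> bytes:
    """Passphrase-derived master key. PBKDF2-HMAC-SHA256 is a stand-in for
    the product's PBE cipher, which the slides do not specify."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, ITERATIONS, dklen=key_bits // 8)

def random_dmk(key_bits: int = 128) -> bytes:
    """Master key from the OS random source: exists only where it is stored."""
    return os.urandom(key_bits // 8)

def effective_bits(length: int, alphabet: int, key_bits: int) -> float:
    """Attacker's search space in bits: the smaller of the key space and the
    passphrase space (assumes uniformly random passphrase characters)."""
    return min(float(key_bits), length * math.log2(alphabet))

def min_passphrase_len(alphabet: int, key_bits: int) -> int:
    """Shortest random passphrase that does not weaken a key of key_bits."""
    return math.ceil(key_bits / math.log2(alphabet))

def lost_key_store_demo() -> dict:
    """Model `rm -f mydb.ks`: which kind of master key can be rebuilt?"""
    salt = b"constructed-salt-for-mydb"           # assumption: per-database value
    passphrase = "constructed sample passphrase"  # constructed, not a real secret
    stored_pbe = pbe_dmk(passphrase, salt)
    stored_random = random_dmk()
    # Key store deleted: only the passphrase is left to work from.
    return {
        "pbe_rebuilt": pbe_dmk(passphrase, salt) == stored_pbe,
        "pbe_wrong_passphrase": pbe_dmk(passphrase + "x", salt) == stored_pbe,
        "random_rebuilt": random_dmk() == stored_random,
    }

if __name__ == "__main__":
    print(lost_key_store_demo())
    for bits in (128, 192, 256):   # 94 = printable ASCII characters without space
        print(bits, "bit key needs", min_passphrase_len(94, bits), "random characters")
    print("8-character passphrase:", round(effective_bits(8, 94, 256), 1), "bits")
```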
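
Why slide 23 says to maximize the buffer pool hit rate and to encrypt only what is necessary, as an added Python model (not OpenEdge code): with plain-text blocks in the buffer pool, as on slide 7, cipher work is paid only on read misses and on writes of dirty blocks, and only for objects under an encryption policy. The LRU replacement, the table names and the access trace are constructed assumptions; `pool_blocks` plays the role of -B.

```python
from collections import OrderedDict

def crypto_ops(trace, pool_blocks, encrypted_objects):
    """Replay (object, block, is_write) accesses through an LRU buffer pool.

    Blocks in the pool are plain text, so cipher work happens only at the
    disk boundary. Returns (decrypts, encrypts).
    """
    if pool_blocks < 1:
        raise ValueError("pool must hold at least one block")
    pool = OrderedDict()                  # (object, block) -> dirty flag
    decrypts = encrypts = 0
    for obj, block, is_write in trace:
        key = (obj, block)
        if key in pool:
            pool.move_to_end(key)         # hit: no I/O, no cipher work
        else:
            if len(pool) >= pool_blocks:  # make room: evict least recently used
                (old_obj, _), dirty = pool.popitem(last=False)
                if dirty and old_obj in encrypted_objects:
                    encrypts += 1         # write I/O of an encrypted object
            if obj in encrypted_objects:
                decrypts += 1             # read I/O of an encrypted object
            pool[key] = False
        if is_write:
            pool[key] = True
    # Shutdown flush: remaining dirty blocks are written (and encrypted).
    encrypts += sum(1 for (o, _), d in pool.items() if d and o in encrypted_objects)
    return decrypts, encrypts

def sample_trace(rounds=100):
    """Constructed workload: 6 hot 'customer' blocks (block 0 updated each
    round) plus one read from a 30-block 'order' table per round."""
    trace = []
    for r in range(rounds):
        trace += [("customer", b, b == 0) for b in range(6)]
        trace.append(("order", r % 30, False))
    return trace

if __name__ == "__main__":
    trace = sample_trace()
    for blocks in (6, 7, 64):
        for policy in ({"customer"}, {"customer", "order"}):
            print(blocks, sorted(policy), crypto_ops(trace, blocks, policy))
```

In this trace one extra buffer (7 instead of 6) keeps the hot encrypted blocks resident, and leaving the non-private table unencrypted removes its per-miss decrypts entirely.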
