


© Copyright EnterpriseDB Corporation, 2015. All Rights Reserved. 1

Locked Up: Advances in Postgres Data Encryption

• Vibhor Kumar


Reasons for Encryption

• Protect sensitive information
• Protect it from identity theft
• Satisfy paranoia
• Comply with laws and standards (SOX, HIPAA, PCI, etc.)

Encryption at different Layers

• Application
• Database
• Storage

Encryption at Application

Encryption at Application Level

• Advantages:
− Protect sensitive data and control access in a more fine-grained way than is possible with almost any other form of encryption
− Performance benefits
− Manageability
− Secure execution inside the application

• Challenges:
− Deciding which tool/class should be used for encryption
− A wrong implementation will cause problems

Encryption at Database

Database Encryption

• Pgcrypto
− Extension in PostgreSQL
− CREATE EXTENSION pgcrypto;
− Encryption as database functions
− Provides 38 functions
− Client independent

• Pgcrypto (Raw encryption)
− encrypt(data bytea, key bytea, type text) returns bytea
− decrypt(data bytea, key bytea, type text) returns bytea
− encrypt_iv(data bytea, key bytea, iv bytea, type text) returns bytea
− decrypt_iv(data bytea, key bytea, iv bytea, type text) returns bytea

• Type: bf-cbc, aes-cbc, ... (ECB is supported, but for testing only)

• Operates on bytea, returns bytea

• gen_random_bytes() can be used to create a key

• Limitations of these functions
− They use the user key directly as the cipher key.
− They don't provide any integrity checking to see whether the encrypted data was modified.
− They expect that users manage all encryption parameters themselves.
− They don't handle text.

• Pgcrypto (PGP Encryption)
− pgp_sym_encrypt(data text, psw text [, options text ]) returns bytea
− pgp_sym_encrypt_bytea(data bytea, psw text [, options text ]) returns bytea
− pgp_pub_encrypt(data text, key bytea [, options text ]) returns bytea
− pgp_pub_encrypt_bytea(data bytea, key bytea [, options text ]) returns bytea

• Operates on text in plaintext, bytea in ciphertext
− armor(), dearmor()

• Takes gpg-style options like cipher-algo=aes256
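The missing integrity check of the raw functions next to the PGP functions, as an added example in SQL (not from the original slides): a modified IV still decrypts with decrypt_iv(), while pgp_sym_decrypt() raises an error on a modified message. Table names, the passphrase and the sample value are constructed.

```sql
-- Added example: hypothetical tables, constructed values.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Raw functions: the caller supplies key, IV, cipher mode and padding.
CREATE TEMP TABLE demo_key AS
    SELECT gen_random_bytes(32) AS k;          -- 32 bytes selects AES-256

CREATE TEMP TABLE payment_raw (
    id int PRIMARY KEY,
    iv bytea NOT NULL,                         -- fresh random IV per row
    ct bytea NOT NULL
);

INSERT INTO payment_raw (id, iv, ct)
SELECT 1, r.iv,
       encrypt_iv(convert_to('amount=100', 'UTF8'), d.k, r.iv, 'aes-cbc/pad:pkcs')
FROM demo_key AS d,
     (SELECT gen_random_bytes(16) AS iv) AS r;

-- Simulate modification of the stored row: flip one bit of byte 7 of the IV.
UPDATE payment_raw
SET iv = set_byte(iv, 7, get_byte(iv, 7) # 8)
WHERE id = 1;

-- decrypt_iv() has nothing to verify against, so it returns a plaintext
-- without raising an error; compare it with the value inserted above.
SELECT convert_from(decrypt_iv(p.ct, d.k, p.iv, 'aes-cbc/pad:pkcs'), 'UTF8') AS plaintext
FROM payment_raw AS p, demo_key AS d;

-- PGP functions: text in, bytea out, with a modification detection code.
CREATE TEMP TABLE payment_pgp AS
    SELECT 1 AS id,
           pgp_sym_encrypt('amount=100', 'constructed-passphrase',
                           'cipher-algo=aes256') AS ct;

DO $$
DECLARE
    c bytea;
BEGIN
    SELECT ct INTO c FROM payment_pgp WHERE id = 1;
    c := set_byte(c, length(c) - 1, get_byte(c, length(c) - 1) # 1);  -- change the last byte
    PERFORM pgp_sym_decrypt(c, 'constructed-passphrase');
    RAISE NOTICE 'modified ciphertext was accepted';
EXCEPTION WHEN OTHERS THEN
    RAISE NOTICE 'modified ciphertext was rejected: %', SQLERRM;
END $$;
```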

• Pgcrypto (Hashing)
− SELECT digest(txt, type)
− Returns bytea, use encode() to get hex
− md5, sha1, sha<more>

• SELECT encode(digest('lolcats!', 'sha256'), 'base64')

• SELECT crypt('secret', gen_salt('bf'))
− Stores salt as part of hash
− Autodetects algorithm
− md5, bf, etc.

• SELECT hash = crypt('secret', hash)

Searching Encryption

• Sorry, can't really be done by index

• Match encrypted data for raw encrypted without padding
− But this decreases security
− And does «is equal» matching only

• Index on expression
− But why did you encrypt in the first place?
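What matching on raw encrypted data means in practice, as an added example (not from the original slides): encrypt() takes no IV, so equal plaintexts give equal ciphertexts, which allows an indexed «is equal» lookup and also shows anyone who can read the table which rows share a value. The table, key and values are constructed.

```sql
-- Added example: hypothetical table, constructed key and values.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TEMP TABLE search_key AS
    SELECT gen_random_bytes(16) AS k;           -- 16 bytes selects AES-128

CREATE TEMP TABLE customer (
    id      serial PRIMARY KEY,
    ssn_enc bytea NOT NULL                      -- encrypt() output, no per-row IV
);
CREATE INDEX customer_ssn_enc_idx ON customer (ssn_enc);

INSERT INTO customer (ssn_enc)
SELECT encrypt(convert_to(v.ssn, 'UTF8'), d.k, 'aes')
FROM search_key AS d,
     (VALUES ('000-00-0001'), ('000-00-0002'), ('000-00-0001')) AS v(ssn);

-- With the key: equality lookup by re-encrypting the search value.
-- The comparison is bytea = bytea, so the btree index is usable;
-- range, prefix or LIKE searches are not possible this way.
SELECT c.id
FROM customer AS c, search_key AS d
WHERE c.ssn_enc = encrypt(convert_to('000-00-0001', 'UTF8'), d.k, 'aes');

-- Without the key: the same determinism exposes which rows hold equal values.
SELECT encode(ssn_enc, 'hex') AS ciphertext,
       count(*)               AS rows_sharing_value
FROM customer
GROUP BY ssn_enc
HAVING count(*) > 1;
```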

Storage Encryption

Storage Encryption (Filesystem)

• Independent of the database
• Filesystem block device level
• Needs to keep fsync behaviour!
• Keeps all database functionality
• Run initdb on encrypted filesystem

Network encryption

Main Methods

• Postgres built-in SSL method
• Using ssh tunnel

Postgres SSL Method

• Encrypting data across the network with SSL
− Facility exists in Postgres
− Configure server
− Configure SSL flag in client
− May need to open ports in firewall/router

• Modify pg_hba.conf

hostssl all all <client-address/CIDR> md5

• Modify postgresql.conf
− Ensure listen_addresses is set correctly.
− Add ssl = on
− Check SSL certificate locations

• Restart postgresql service

service postgresql-9.5 restart
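A check to run after the restart, added here and not part of the original slides: it shows the SSL settings the server loaded and which client sessions are not using SSL. It assumes PostgreSQL 9.5 or later (for pg_stat_ssl) and a role allowed to see other sessions.

```sql
-- Added example: verification queries, not from the original slides.

-- 1. Server side: is SSL switched on, and which files and addresses are configured?
SELECT name, setting
FROM pg_settings
WHERE name IN ('ssl', 'ssl_cert_file', 'ssl_key_file', 'ssl_ca_file',
               'listen_addresses')
ORDER BY name;

-- 2. Current session: did this connection negotiate SSL, and with what?
SELECT ssl, version, cipher, bits
FROM pg_stat_ssl
WHERE pid = pg_backend_pid();

-- 3. TCP client sessions that are not encrypted.
--    client_addr is NULL for Unix-socket sessions, which are left out.
--    With only hostssl entries in pg_hba.conf for remote clients,
--    remote addresses should not appear here.
SELECT a.pid, a.usename, a.datname, a.client_addr, a.application_name
FROM pg_stat_activity AS a
JOIN pg_stat_ssl AS s USING (pid)
WHERE a.client_addr IS NOT NULL
  AND NOT s.ssl
ORDER BY a.client_addr, a.pid;
```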

Client configuration

• Connect using sslmode option with one of values:
− disable
− allow
− prefer
− require
− verify-ca
− verify-full

• Libpq SSL modes

Client Mode    Protect against           Compatible with server set     Performance
               eavesdropping   MITM      SSL required   SSL disabled    overhead
disable        no              no        FAIL           works           no
allow          no              no        works          works           if necessary
prefer         no              no        works          works           if possible
require        yes             no        works          FAIL            yes
verify-ca      yes             yes       works          FAIL            yes
verify-full    yes             yes       works          FAIL            yes

• SSH Tunnel

• No modifications to Postgres configuration

• Use of existing SSH gateway


• OS: CentOS Linux release 7.1.1503 (Core) 64 bit.

• MS Azure instance size: Standard DS3
− CPUs: 4 cores, Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHz
− Memory: 14 GB
− Max IOPS: 12800

• PostgreSQL 9.5 tuning:
− max_connections = 100
− shared_buffers = 6912MB
− effective_cache_size = 20736MB
− work_mem = 70778kB
− maintenance_work_mem = 1728MB
− checkpoint_completion_target = 0.9
− wal_buffers = 16MB
− default_statistics_target = 500

• pgbench over same zone network.

• Normal TPC-B benchmark:

\set nbranches :scale
\set ntellers 10 * :scale
\set naccounts 100000 * :scale
\setrandom aid 1 :naccounts
\setrandom bid 1 :nbranches
\setrandom tid 1 :ntellers
\setrandom delta -5000 5000
BEGIN;
UPDATE pgbench_accounts SET abalance = abalance + :delta WHERE aid = :aid;
SELECT abalance FROM pgbench_accounts WHERE aid = :aid;
UPDATE pgbench_tellers SET tbalance = tbalance + :delta WHERE tid = :tid;
UPDATE pgbench_branches SET bbalance = bbalance + :delta WHERE bid = :bid;
INSERT INTO pgbench_history (tid, bid, aid, delta, mtime) VALUES (:tid, :bid, :aid, :delta, CURRENT_TIMESTAMP);
END;

• Commands used for encrypted pgbench:

pgbench -i -s 100 -d encrypt_benchmark

ALTER TABLE pgbench_accounts ALTER COLUMN abalance TYPE BYTEA USING encrypt(abalance::text::bytea,'key'::bytea,'aes');

ALTER TABLE pgbench_tellers ALTER COLUMN tbalance TYPE BYTEA USING encrypt(tbalance::text::bytea,'key'::bytea,'aes');

ALTER TABLE pgbench_branches ALTER COLUMN bbalance TYPE BYTEA USING encrypt(bbalance::text::bytea,'key'::bytea,'aes');

• Encrypted TPC-B benchmark:

BEGIN;

UPDATE pgbench_accounts SET abalance = encrypt((convert_from(decrypt(abalance,'key'::bytea,'aes'), current_setting('server_encoding'))::bigint + :delta)::text::bytea, 'key'::bytea, 'aes') WHERE aid = :aid;

SELECT convert_from(decrypt(abalance,'key'::bytea,'aes'), current_setting('server_encoding'))::bigint FROM pgbench_accounts WHERE aid = :aid;

<other UPDATE changes similar to above>

INSERT INTO pgbench_history (tid, bid, aid, delta, mtime) VALUES (:tid, :bid, :aid, :delta, CURRENT_TIMESTAMP);

END;

Benchmark Result
