PGEncryption_Tutorial

© Copyright EnterpriseDB Corporation, 2015. All Rights Reserved. 1

Locked Up: Advances in Postgres Data Encryption

• Vibhor Kumar


Encryption


Reasons for Encryption

• Protect Sensitive information

• Protect it from identity theft


Reasons for Encryption

• Satisfy Parnoia

• Comply with laws and Standards (SOX, HIPPA, PCI etc)


• Application

• Database

Encryption at different Layers


• Storage

Encryption at different Layers


Encryption at Application


• Advantages:− Protect sensitive data and control access in a more fine-

grained way than is possible with almost any other form of encryption

− Performance Benefits− Manageability− Secure execution inside the Application

• Challenges− Deciding which tool/class should be used for encryption− Wrong implementation will give issue

Encryption at Application Level


Encryption at Database


• Pgcrypto− Extension in PostgreSQL− CREATE EXTENSION pgcrypto;− Encryption as database functions− Provides 38 functions− Client Independent

Database Encryption


• Pgcrypto (Raw encryption)− encrypt(data bytea, key bytea, type text) returns bytea− decrypt(data bytea, key bytea, type text) returns bytea− encrypt_iv(data bytea, key bytea, iv bytea, type text) returns

bytea− decrypt_iv(data bytea, key bytea, iv bytea, type text) returns

bytea

• Type: bf-cbc, aes-cbc, ... (ecb supported, but..testing only)

• Operates on bytea, returns bytea

• gen_random_bytes() can be used to create key

Database Encryption


• Limitations of these functions− Functions use user key directly as cipher key.− don't provide any integrity checking, to see if the encrypted data

was modified.− expect that users manage all encryption parameters themselves− don't handle text.

Database Encryption


• Pgcrypto (PGP Encryption)• pgp_sym_encrypt(data text, psw text [, options text ]) returns bytea

• pgp_sym_encrypt_bytea(data bytea, psw text [, options text ]) returns bytea

• pgp_pub_encrypt(data text, psw text [, options text ]) returns bytea

• pgp_pub_encrypt_bytea(data bytea, psw text [, options text ]) returns bytea

• Operates on text in plaintext, bytea in ciphertext − armor(), dearmor()

• Takes gpg style options like ciper-algo=aes256

Database Encryption


• Pgcrypto (Hashing)− SELECT digest(txt, type)

− Returns bytea, use encode() to get hex − Md5, sha1, sha<more>

• SELECT encode( digest('lolcats!', 'sha256'), 'base64')

Database Encryption


• Pgcrypto (Hashing)

• SELECT crypt('secret', gen_salt('bf')) − Stores salt as part of hash − Autodetects algorithm − md5, bf, etc

• SELECT hash=crypt('secret', hash)

Database Encryption


• Sorry, can't really be done by index

• Match encrypted data for raw encrypted without padding − But this decreases security− And does «is equal» matching only

• Index on expression − But why did you encrypt in the first place?

Searching Encryption


Storage Encryption


• Independent of the database

• Filesystem block device level

• Needs to keep fsync behaviour!

• Keeps all database functionality

Storage Encryption (Filesystem)


Storage Encryption (Filesystem)

• Run initdb on enrypted filesystem


Network encryption


• Postgres built in SSL method

• Using ssh tunnel

Main Methods


• Encrypting Data across network SSL− Facility exists in Postgres − Configure server − Configure SSL flag in client − May need to open ports in firewall/router

Postgres SSL Method


Postgres SSL Method


• Modify pg_hba.conf

hostssl all all 0.0.0.0/0 md5

• Modify postgresql.conf

• Ensure listen_address is set correctly.

• Add − ssl = on

• Check SSL certificate locations

• Restart postgresql service

service postgresql-9.5 restart

Postgres SSL Method


• Connect using sslmode option with one of values:− disable− allow− prefer − Require− Verify-ca− Verify-full

Client configuration


• Libpq SSL modes


Protect Against Compatible with Server set PerformanceClient Mode Eaves Dropping MITM SSL Required SSL Disabled Overhead

disable no no FAIL works noallow no no works works if necessaryprefer no no works works if possiblerequire yes no works FAIL yes

verify-ca yes yes works FAIL yesverify-full yes yes works FAIL yes


• SSH Tunnel

• No modifications to Postgres configuration

• Use of existing SSH gateway



Benchmark


• OS: CentOS Linux release 7.1.1503 (Core) 64 bit.

• MS Azure instance Size: Standard DS3 − CPUs: 4 Cores, Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHz − Memory: 14 GB memory) − Max IOPS: 12800

Benchmark


• PostgreSQL 9.5 tuning:− max_connections = 100− shared_buffers = 6912MB− effective_cache_size = 20736MB− work_mem = 70778kB− maintenance_work_mem = 1728MB− checkpoint_completion_target = 0.9− wal_buffers = 16MB− default_statistics_target = 500

Benchmark


• pgbench over same zone network.

• Normal TPC-B benchmark:\set nbranches :scale\set ntellers 10 * :scale\set naccounts 100000 * :scale\setrandom aid 1 :naccounts\setrandom bid 1 :nbranches\setrandom tid 1 :ntellers\setrandom delta -5000 5000BEGIN;UPDATE pgbench_accounts SET abalance = abalance + :delta WHERE aid = :aid;SELECT abalance FROM pgbench_accounts WHERE aid = :aid;UPDATE pgbench_tellers SET tbalance = tbalance + :delta WHERE tid = :tid;UPDATE pgbench_branches SET bbalance = bbalance + :delta WHERE bid = :bid;INSERT INTO pgbench_history (tid, bid, aid, delta, mtime) VALUES (:tid, :bid, :aid, :delta, CURRENT_TIMESTAMP);END;

Benchmark


• Command used for encrypted pgbench:• pgbench -i -s 100 -d encrypt_benchmark

• ALTER TABLE pgbench_accounts ALTER COLUMN abalance TYPE BYTEA USING encrypt(abalance::text::bytea,'key'::bytea,'aes');

• ALTER TABLE pgbench_tellers ALTER COLUMN tbalance TYPE BYTEA USING encrypt(tbalance::text::bytea,'key'::bytea,'aes');

• ALTER TABLE pgbench_branches ALTER COLUMN bbalance TYPE BYTEA USING encrypt(bbalance::text::bytea,'key'::bytea,'aes');

Benchmark


• Encrypted TPC-B benchmark:BEGIN;

UPDATE pgbench_accounts SET abalance = encrypt((convert_from(decrypt(abalance,'key'::bytea,'aes'), current_setting('server_encoding'))::bigint + :delta)::text::bytea, 'key'::bytea, 'aes') WHERE aid = :aid;

SELECT convert_from(decrypt(abalance,'key'::bytea,'aes'), current_setting('server_encoding'))::bigint FROM pgbench_accounts WHERE aid = :aid;

<other UPDATE chanes similar to above>

INSERT INTO pgbench_history (tid, bid, aid, delta, mtime) VALUES (:tid, :bid, :aid, :delta, CURRENT_TIMESTAMP);END;

Benchmark


Benchmark Result


Documents

PGEncryption_Tutorial