PGEncryption_Tutorial

Page 1: Locked Up: Advances in Postgres Data Encryption

• Vibhor Kumar

© Copyright EnterpriseDB Corporation, 2015. All Rights Reserved.

Page 2: Encryption

Page 3: Reasons for Encryption

• Protect sensitive information

• Protect it from identity theft

Page 4: Reasons for Encryption

• Satisfy paranoia

• Comply with laws and standards (SOX, HIPAA, PCI, etc.)

Page 5: Encryption at different layers

• Application

• Database

Page 6: Encryption at different layers

• Storage

Page 7: Encryption at Application

Page 8: Encryption at Application Level

• Advantages:
  − Protects sensitive data and controls access in a more fine-grained way than is possible with almost any other form of encryption
  − Performance benefits
  − Manageability
  − Secure execution inside the application

• Challenges:
  − Deciding which tool/class should be used for encryption
  − A wrong implementation will cause issues

Page 9: Encryption at Database

Page 10: Database Encryption

• pgcrypto
  − Extension in PostgreSQL: CREATE EXTENSION pgcrypto;
  − Encryption as database functions
  − Provides 38 functions
  − Client independent

Page 11: Database Encryption

• pgcrypto (raw encryption)
  − encrypt(data bytea, key bytea, type text) returns bytea
  − decrypt(data bytea, key bytea, type text) returns bytea
  − encrypt_iv(data bytea, key bytea, iv bytea, type text) returns bytea
  − decrypt_iv(data bytea, key bytea, iv bytea, type text) returns bytea

• Type: bf-cbc, aes-cbc, ... (ECB is supported, but for testing only)

• Operates on bytea, returns bytea

• gen_random_bytes() can be used to create a key

Page 12: Database Encryption

• Limitations of these functions
  − They use the user-supplied key directly as the cipher key.
  − They don't provide any integrity checking, so there is no way to see if the encrypted data was modified.
  − They expect users to manage all encryption parameters themselves.
  − They don't handle text.

Page 13: Database Encryption

• pgcrypto (PGP encryption)
  − pgp_sym_encrypt(data text, psw text [, options text ]) returns bytea
  − pgp_sym_encrypt_bytea(data bytea, psw text [, options text ]) returns bytea
  − pgp_pub_encrypt(data text, key bytea [, options text ]) returns bytea
  − pgp_pub_encrypt_bytea(data bytea, key bytea [, options text ]) returns bytea

• Operates on text as plaintext and bytea as ciphertext; armor() and dearmor() convert to and from ASCII armor

• Takes gpg-style options such as cipher-algo=aes256
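Worked SQL example, added here and not part of the slides, that ties together the raw encrypt_iv/decrypt_iv calls of page 11, the missing-integrity limitation of page 12 and the PGP functions of page 13. The key, IV, passphrase and sample text are constructed; the rejection of the tampered PGP message is the expected outcome of pgcrypto's built-in integrity check.

```sql
-- Added example (not from the slides): raw pgcrypto round trip next to the
-- PGP-mode round trip. Key, IV and plaintext are constructed for illustration.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

DO $$
DECLARE
    key_raw     bytea   := gen_random_bytes(32);   -- 256-bit key, per the slide
    iv          bytea   := gen_random_bytes(16);   -- AES block size; fresh per row
    pw          text    := 'correct horse battery staple';
    plain       text    := 'account 4242 balance 1000';
    ct_raw      bytea;
    ct_pgp      bytea;
    recovered   text;
    accepted    boolean := false;
BEGIN
    -- Raw functions see bytea only, so text is converted explicitly.
    ct_raw := encrypt_iv(convert_to(plain, 'UTF8'), key_raw, iv, 'aes-cbc/pad:pkcs');
    recovered := convert_from(decrypt_iv(ct_raw, key_raw, iv, 'aes-cbc/pad:pkcs'), 'UTF8');
    IF recovered <> plain THEN
        RAISE EXCEPTION 'raw round trip failed';
    END IF;

    -- PGP mode derives the cipher key from the passphrase, adds an integrity
    -- check and handles text itself; options use the gpg-style names.
    ct_pgp := pgp_sym_encrypt(plain, pw, 'cipher-algo=aes256, s2k-mode=3, compress-algo=0');
    recovered := pgp_sym_decrypt(ct_pgp, pw);
    IF recovered <> plain THEN
        RAISE EXCEPTION 'pgp round trip failed';
    END IF;

    -- Flip the last ciphertext byte: the PGP integrity check should reject it
    -- (expected outcome; the raw functions give no such guarantee).
    ct_pgp := set_byte(ct_pgp, length(ct_pgp) - 1,
                       get_byte(ct_pgp, length(ct_pgp) - 1) # 1);
    BEGIN
        PERFORM pgp_sym_decrypt(ct_pgp, pw);
        accepted := true;
    EXCEPTION WHEN OTHERS THEN
        RAISE NOTICE 'tampered PGP data rejected: %', SQLERRM;
    END;
    IF accepted THEN
        RAISE EXCEPTION 'tampered PGP data was accepted';
    END IF;
    RAISE NOTICE 'both round trips succeeded';
END $$;
```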

Page 14: Database Encryption

• pgcrypto (hashing)
  − SELECT digest(txt, type)
  − Returns bytea; use encode() to get hex
  − md5, sha1 and more SHA variants

• SELECT encode(digest('lolcats!', 'sha256'), 'base64')

Page 15: Database Encryption

• pgcrypto (password hashing)
  − SELECT crypt('secret', gen_salt('bf'))
  − Stores the salt as part of the hash
  − Autodetects the algorithm: md5, bf, etc.

• Verify with: SELECT hash = crypt('secret', hash)
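Added SQL example (not from the slides) of the crypt()/gen_salt() idiom shown above used for password storage; the app_user table, the username and the passwords are constructed.

```sql
-- Added example (not from the slides): storing and checking passwords with crypt().
-- Table, user and passwords are constructed for illustration.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE app_user (
    username      text PRIMARY KEY,
    password_hash text NOT NULL      -- carries algorithm, cost and salt, e.g. $2a$12$...
);

-- gen_salt('bf', 12): Blowfish (bcrypt) with 2^12 rounds; raising the cost
-- slows offline guessing without changing the verification code below.
INSERT INTO app_user VALUES
    ('alice', crypt('correct horse battery staple', gen_salt('bf', 12)));

-- Verification is the slide's "hash = crypt(password, hash)" idiom: crypt()
-- reads the algorithm and salt back out of the stored hash, so the stored
-- value is never decoded by hand. A missing user simply yields false.
CREATE OR REPLACE FUNCTION check_login(p_user text, p_password text)
RETURNS boolean
LANGUAGE sql STABLE AS $$
    SELECT EXISTS (
        SELECT 1
        FROM app_user
        WHERE username = p_user
          AND password_hash = crypt(p_password, password_hash)
    );
$$;

SELECT check_login('alice', 'correct horse battery staple');  -- correct password
SELECT check_login('alice', 'wrong');                          -- wrong password
SELECT check_login('nobody', 'anything');                      -- unknown user
```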

Page 16: Searching Encrypted Data

• Sorry, it can't really be done with an index

• Equality matching on raw-encrypted data without padding
  − But this decreases security
  − And it does «is equal» matching only

• Index on an expression
  − But then why did you encrypt in the first place?

Page 17: Storage Encryption

Page 18: Storage Encryption (Filesystem)

• Independent of the database

• Filesystem or block-device level

• Must preserve fsync behaviour!

• Keeps all database functionality

Page 19: Storage Encryption (Filesystem)

• Run initdb on the encrypted filesystem

Page 20: Network encryption

Page 21: Main Methods

• Postgres built-in SSL method

• Using an SSH tunnel

Page 22: Postgres SSL Method

• Encrypting data across the network with SSL
  − The facility exists in Postgres
  − Configure the server
  − Configure the SSL flag in the client
  − May need to open ports in the firewall/router

Page 23: Postgres SSL Method

Page 24: Postgres SSL Method

• Modify pg_hba.conf:

  hostssl all all 0.0.0.0/0 md5

• Modify postgresql.conf:
  − Ensure listen_addresses is set correctly.
  − Add: ssl = on
  − Check the SSL certificate locations

• Restart the postgresql service:

  service postgresql-9.5 restart

Page 25: Client configuration

• Connect using the sslmode option with one of these values:
  − disable
  − allow
  − prefer
  − require
  − verify-ca
  − verify-full

Page 26: Client configuration

• libpq SSL modes

  Client mode   Protects against            Compatible with server set to         Performance
                Eavesdropping   MITM        SSL required      SSL disabled        overhead
  disable       no              no          FAIL              works               no
  allow         no              no          works             works               if necessary
  prefer        no              no          works             works               if possible
  require       yes             no          works             FAIL                yes
  verify-ca     yes             yes         works             FAIL                yes
  verify-full   yes             yes         works             FAIL                yes

Page 27: Client configuration

• SSH tunnel
  − No modifications to the Postgres configuration
  − Uses an existing SSH gateway

Page 28: Benchmark

Page 29: Benchmark

• OS: CentOS Linux release 7.1.1503 (Core), 64 bit

• MS Azure instance size: Standard DS3
  − CPUs: 4 cores, Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHz
  − Memory: 14 GB
  − Max IOPS: 12800

Page 30: Benchmark

• PostgreSQL 9.5 tuning:
  − max_connections = 100
  − shared_buffers = 6912MB
  − effective_cache_size = 20736MB
  − work_mem = 70778kB
  − maintenance_work_mem = 1728MB
  − checkpoint_completion_target = 0.9
  − wal_buffers = 16MB
  − default_statistics_target = 500

Page 31: Benchmark

• pgbench over the same-zone network.

• Normal TPC-B benchmark:

  \set nbranches :scale
  \set ntellers 10 * :scale
  \set naccounts 100000 * :scale
  \setrandom aid 1 :naccounts
  \setrandom bid 1 :nbranches
  \setrandom tid 1 :ntellers
  \setrandom delta -5000 5000
  BEGIN;
  UPDATE pgbench_accounts SET abalance = abalance + :delta WHERE aid = :aid;
  SELECT abalance FROM pgbench_accounts WHERE aid = :aid;
  UPDATE pgbench_tellers SET tbalance = tbalance + :delta WHERE tid = :tid;
  UPDATE pgbench_branches SET bbalance = bbalance + :delta WHERE bid = :bid;
  INSERT INTO pgbench_history (tid, bid, aid, delta, mtime) VALUES (:tid, :bid, :aid, :delta, CURRENT_TIMESTAMP);
  END;

Page 32: Benchmark

• Commands used for the encrypted pgbench:

  pgbench -i -s 100 -d encrypt_benchmark

  ALTER TABLE pgbench_accounts ALTER COLUMN abalance TYPE BYTEA USING encrypt(abalance::text::bytea,'key'::bytea,'aes');
  ALTER TABLE pgbench_tellers ALTER COLUMN tbalance TYPE BYTEA USING encrypt(tbalance::text::bytea,'key'::bytea,'aes');
  ALTER TABLE pgbench_branches ALTER COLUMN bbalance TYPE BYTEA USING encrypt(bbalance::text::bytea,'key'::bytea,'aes');

Page 33: Benchmark

• Encrypted TPC-B benchmark:

  BEGIN;
  UPDATE pgbench_accounts SET abalance = encrypt((convert_from(decrypt(abalance,'key'::bytea,'aes'), current_setting('server_encoding'))::bigint + :delta)::text::bytea, 'key'::bytea, 'aes') WHERE aid = :aid;
  SELECT convert_from(decrypt(abalance,'key'::bytea,'aes'), current_setting('server_encoding'))::bigint FROM pgbench_accounts WHERE aid = :aid;
  <other UPDATE changes similar to above>
  INSERT INTO pgbench_history (tid, bid, aid, delta, mtime) VALUES (:tid, :bid, :aid, :delta, CURRENT_TIMESTAMP);
  END;

Page 34: Benchmark Result