Skip to content

Latest commit

 

History

History
146 lines (94 loc) · 4.85 KB

encryption.md

File metadata and controls

146 lines (94 loc) · 4.85 KB
Raw

Namingo Registry Data Encryption

To ensure GDPR compliance and uphold the highest standards of data privacy, this guide outlines essential strategies for encrypting sensitive data within the Namingo registry. Our focus is to provide a clear and effective approach to database encryption, safeguarding privacy and ensuring the integrity of our users' data.

MariaDB

1. Create Encryption Keys

This process involves creating a directory for the encryption keys, generating the keys, and setting the appropriate permissions.

mkdir -p /etc/mysql/encryption
echo "1;"$(openssl rand -hex 32) > /etc/mysql/encryption/keyfile
openssl rand -hex 128 > /etc/mysql/encryption/keyfile.key
openssl enc -aes-256-cbc -md sha1 -pass file:/etc/mysql/encryption/keyfile.key -in /etc/mysql/encryption/keyfile -out /etc/mysql/encryption/keyfile.enc
rm -f /etc/mysql/encryption/keyfile
chown -R mysql:mysql /etc/mysql
chmod -R 500 /etc/mysql

2. Update MariaDB Configuration

Edit /etc/my.cnf.d/server.cnf and add the following under [mariadb]:

plugin_load_add = file_key_management
file_key_management_filename = /etc/mysql/encryption/keyfile.enc
file_key_management_filekey = FILE:/etc/mysql/encryption/keyfile.key
file_key_management_encryption_algorithm = AES_CTR

innodb_encrypt_tables = FORCE
innodb_encrypt_log = ON
innodb_encrypt_temporary_tables = ON

encrypt_tmp_disk_tables = ON
encrypt_tmp_files = ON
encrypt_binlog = ON
aria_encrypt_tables = ON

innodb_encryption_threads = 4
innodb_encryption_rotation_iops = 2000

3. Restart MariaDB

systemctl restart mariadb

4. Removing TDE

To disable TDE, execute the following command in the MariaDB command tool:

SET GLOBAL innodb_encrypt_tables = OFF;

Disclaimer

  • This guide provides basic TDE implementation.

  • It's recommended not to store the encryption key on the same server. Consider using external key management solutions like Hashicorp Vault Encryption Key Plugin or AWS Key Management Encryption Plugin for enhanced security.

  • Always ensure you have backups before making significant changes to your database configuration.

MySQL

1. Create Encryption Keys

This process involves creating a directory for the encryption keys, generating the keys, and setting the appropriate permissions.

mkdir -p /var/lib/mysql-keyring
openssl rand -hex 32 > /var/lib/mysql-keyring/keyfile
chown -R mysql:mysql /var/lib/mysql-keyring
chmod -R 500 /var/lib/mysql-keyring

2. Update MySQL Configuration

You need to edit the MySQL configuration file, typically located at /etc/mysql/mysql.conf.d/mysqld.cnf, to enable encryption and specify the keyring file path.

[mysqld]
early-plugin-load=keyring_file.so
keyring_file_data=/var/lib/mysql-keyring/keyfile

# Enable InnoDB Table Encryption
innodb_encrypt_tables=ON
innodb_encrypt_log=ON
innodb_encryption_threads=4

# Additional optional settings
encrypt_tmp_disk_tables=ON
encrypt_binlog=ON

3. Restart MySQL

After updating the configuration, restart MySQL to apply the changes.

systemctl restart mysql

4. Removing TDE

To disable TDE, execute the following command in the MySQL command tool:

SET GLOBAL innodb_encrypt_tables = OFF;

Disclaimer

  • This is a basic guide for implementing TDE in MySQL.

  • Storing the encryption key on the same server as the database is not recommended for high security. Consider using external key management solutions like the AWS Key Management Service or other external keyring plugins for better security practices.

  • Always ensure you have backups before making significant changes to your database configuration.

PostgreSQL

eCryptfs encrypts files at the file system level, securing the data stored by PostgreSQL. This method provides encryption at rest, meaning the data is encrypted when stored on disk.

1. Install eCryptfs

On a Linux-based system, you can usually install eCryptfs through the package manager. For example, on Ubuntu, you can use sudo apt-get install ecryptfs-utils.

2. Setup Encrypted Directory

Set up an encrypted directory where PostgreSQL will store its data files. This involves creating a new directory and mounting it with eCryptfs.

You can use the ecryptfs-setup-private script to set up a private directory quickly.

3. Configure PostgreSQL to Use Encrypted Directory

Change the data directory of PostgreSQL to point to the encrypted directory. This usually involves updating the data_directory setting in the PostgreSQL configuration file (postgresql.conf).

4. Migrate Existing Data (if necessary)

If you're encrypting an existing PostgreSQL installation, you'll need to migrate the data to the encrypted directory. This can be done by copying the existing data files to the new directory.

5. Restart PostgreSQL

After changing the data directory, restart the PostgreSQL server.