Transparent Data Encryption

Transparent Data Encryption Richard Banville OpenEdge Fellow, Progress Software Session 130

Overview: Transparent Data Encryption (TDE)

Transparent

Application transparent data encryption

Full index query support

No need to move data

Flexible

Encrypt individual objects (tables, indexes, lobs) in Type II areas

Encrypt individual Type I areas

Storage engine encrypts blocks on disk (access neutral)

Secure

Provides secure encryption key storage

Limits access to physical data

Important piece of an overall data privacy strategy

What Is TDE?

Data Encryption plain text Encrypted Data Encrypt Decrypt Key value makes it unique. How Does It Work? Cipher Cipher

Data Encryption Encrypt Decrypt Have a nice day Encrypt Decrypt z!$x;h@p$r#w!e How Does It Work? Nonsensical data Cipher Cipher Cipher Cipher Encrypted Data plain text

Data Encryption Encrypted Data plain text Encrypt Decrypt Encrypt #!~?;!@#$!#$#!! Having a bad day… How Does It Work? Cipher Cipher Cipher Cipher z!$x;h@p$r#w!e ? Nonsensical data Decrypt

Data Encryption Encrypt Decrypt How Does It Work? Cipher Cipher Encrypted Data plain text

OpenEdge Transparent Data Encryption (TDE) plain text Encrypt Shared Memory Buffer Pool (plain text block) Database Storage Engine Product Install

Key store

Database Master Key ( DMK )

Admin/User Passphrase

Manual/Automatic Authentication

Encryption Policy Area

Encryption Policies - What (object) & how (cipher)

Read I/O Write I/O How Does It Work? Policies Keys Decrypt & Encrypted Data Key store Database Policy Area

OpenEdge Transparent Data Encryption (TDE) How Does It Work? Database Storage Engine plain text Encrypt Shared Memory Buffer Pool (plain text block) Database Storage Engine Product Install Read I/O Write I/O Policies Keys Decrypt &

Key store

Encrypted Data Key store Policy Area Database

OpenEdge Transparent Data Encryption (TDE) How Does It Work? plain text Encrypt Shared Memory Buffer Pool (plain text block) Product Install Read I/O Write I/O Policies Keys Decrypt & Database Storage Engine

Key store

Encrypted Data Key store Policy Area Database

Thing 1: TDE Availability

Transparent Data Encryption

OpenEdge product

First available in the 10.2B release

Requires two products be installed

Enterprise OpenEdge Database product

Transparent Data Encryption product

Thing 2: The Key Store

Stores the Database Master Key (DMK)

Makes encrypted data unique

Unique per database

File named: <dbname .ks >

Securing the DMK in the key store

Stored separately from db

Protected by passphrase based authentication

Not part of database backup ( Why not? )

The Most Critical Piece Of TDE

Thing 2: The Key Store

Loosing the keys to the kingdom: rm -f mydb.ks

Re-mastering your database master key (PBE cipher only)

Passphrases have predetermined rules

Advantages of DMK PBE

Can be regenerated

See previous advantage

Disadvantages of DMK PBE

Can be regenerated (less secure)

Needs large passphrase to be effective

Must remember passphrase

The Most Critical Piece Of TDE

Thing 3: Encryption Policies

Policy Contents

Object to encrypt

Table, Index, Lob (Type II storage areas)

Area (Type I storage area)

AI and BI recovery

Cipher – algorithm & key size

Secure (Key store administrator & DB administrator)

Stored in “Encryption Policy Area”

User prevented from direct record access

Policy Maintenance

Epolicy tool, OpenEdge SQL, Data Admin tool

Add, remove, alter (cipher, key) online

Describes What And How To Encrypt

Cipher Choice

Governance

Business rules

Your choice, your responsibility - balance strength & performance

*Graphical data is relative How do I decide? RC4-128 AES-128 AES-192 AES-256 DES-56 DES3-168 Security Strength 0 – no encryption DES-PBE 10 10 RC4-128 AES-128 AES-192 AES-256 DES-56/PBE DES3-168 Performance Cost 0 – no encryption

Enabling Encryption

Easy as 1, 2, 3

Step #1: Enabling Encryption

Create a Type II storage area for encryption policies

Named “ Encryption Policy Area ”

Any available user data area number will suffice

e “ Encryption Policy Area ”:12, 32 ; 64 . f 10240 e “ Encryption Policy Area ”:12, 32 ; 64 . prostrct addonline mydb mydb_epolicy_area.st prostrct list mydb Structure file showing example definition policy area Add the encryption policy using Prostrct Add Create a new structure file which includes new area

Step #2: Enabling Encryption

Does not encrypt any data

Decisions, decisions, decisions

AI and/or BI (online, offline)

Automatic vs manual key store authentication

Management vs security

DMK Cipher – security vs availability (PBE cipher)

Creates key store (<dbname> .ks )

User vs Admin key store accounts

Ready for encryption policy creation

proutil <dbname> -C enableencryption [ -biencryption enable | disable] [ -aiencryption enable | disable] [ -Autostart user | admin ] [ -Cipher cipher-number] DB KS

Step #3: Policy Maintenance

Three ways to add policy

Proutil epolicy tool

Data Admin istration Tool

OpenEdge SQL DDL syntax

TI areas or TII Objects

Data lazily encrypted

Must update before cipher change

proutil <db-name> -C epolicy manage object-type encrypt | cipher | rekey <object-name> -Cipher <cipher #> proutil <db-name> -C epolicy manage object-type update <object-name> Current and one previous policy allowed

Disabled remotely

Type II “PUB” schema only

Type II “PUB” schema only

Multi select UI

Local access only

Admin Security

Encryption Policies

Edit Encryption Policies . . .

proutil epolicy tool

CREATE TABLE | INDEX <name> ... [ ENCRYPT WITH <algorithm> ] . . .; ALTER TABLE | INDEX | COLUMN <name> SET [ ENCRYPT WITH <algorithm> | DECRYPT | ENCRYPT REKEY ] . . .; SHOW ENCRYPT ON { ALL [ TABLE | INDEX | LOB ] | TABLE table-name [ WITH INDEX | WITH LOB ] | TABLE table-name ON INDEX index-name };