More Related Content
What's hot
What's hot (20)
Similar to TDEで透過的暗号化
Similar to TDEで透過的暗号化 (20)
More from furandon_pig
TDEで透過的暗号化
- 1. Transparent Data Encryption for PostgreSQL TDEで透過的暗号化 @furandon_pig SQL実践入門Night 2018/01/24(Wed)
- 9. インストールする
- 11. $ cat << _EOF >> ~/.bashrc WORK_DIR=$HOME/work ## ## PostgreSQL,tdeforpg関連の環境変数 ## export PGHOME=/opt/postgresql-9.3.9 export PGDATA=${WORK_DIR}/db export PGSRC=${WORK_DIR}/`basename ${PGHOME}` export TDEHOME=${WORK_DIR}/tdeforpg ## ## インストールするPostgreSQLへのPATHを設定しておく ## export LD_LIBRARY_PATH=${PGHOME}/lib:/usr/lib64 export PATH=$PATH:${PGHOME}/bin export MANPATH=$MANPATH:${PGHOME}/share/man _EOF $ source ~/.bashrc
- 12. $ curl -O http://ftp.jaist.ac.jp/pub/postgresql/source/v9.3.9postgresql-9.3.9.tar.gz $ git clone https://github.com/nec-postgres/tdeforpg.git $ # PostgreSQLのビルド(略) $ $ echo ${PGSRC} /home/fpig/work/postgresql-9.3.9 $ $ cd ${PGSRC}/contrib/pgcrypto. # pgcryptモジュールのインストール $ gmake install $ $ # データベースの初期化 $ echo ${PGDATA} /home/fpig/work/db $ initdb $ pg_ctl start $ createdb `whoami`
- 13. $ psql << EOF > CREATE EXTENSION pgcrypto; > EOF CREATE EXTENSION $ psql psql (9.3.9) Type "help" for help. fpig=# SELECT pg_available_extensions(); pg_available_extensions ---------------------------------------------- (plpgsql,1.0,"PL/pgSQL procedural language") (pgcrypto,1.0,"cryptographic functions") (2 rows) fpig=#
- 14. $ sudo mkdir /usr/lib64 # NetBSDには存在しないので作成する $ sudo ln -s ${PGHOME}/lib/pgcrypto.so /usr/lib64/libpgcrypto.so $ cd ${PGSRC} $ ./configure --prefix=${PGHOME} --with-tcl=no --with-perl=no --with-python=no --with-gssapi=no --with-ldap=no --with-libxml=no --with-libxslt=no --without-zlib --without-readline --disable-largefile --with-pam --with-openssl $ # configureの後に実行 $ cd ${TDEHOME}/SOURCES/data_encryption $ sh makedencryption.sh 93 ${PGSRC}
- 15. $ sudo ln -s ${TDEHOME}/SOURCES/data_encryption/93/data_encryption93.so /usr/lib64/data_encryption.so $ cat <<_EOF >> ${PGDATA}/postgresql.conf shared_preload_libraries='/usr/lib64/data_encryption.so' _EOF $ pg_ctl restart ...中略... server stopped server starting $ LOG: loaded library "/usr/lib64/data_encryption.so"
- 18. $ createdb kinmosa $ $ cd ${TDEHOME}/SOURCES $ sh bin/cipher_setup.sh ${PGHOME} Transparent data encryption feature setup script Please select from the setup menu below Transparent data encryption feature setup menu 1: activate the transparent data encryption feature 2: inactivate the transparent data encryption feature select menu [1 - 2] > 1 Please enter database server port to connect : 5432 Please enter database user name to connect : fpig Please enter password for authentication : Please enter database name to connect : kinmosa CREATE LANGUAGE INFO: Transparent data encryption feature has been activated
- 19. $ cd ${TDEHOME}/SOURCES $ sh bin/cipher_key_regist.sh ${PGHOME} === Database connection information === Please enter database server port to connect : 5432 Please enter database user name to connect : fpig Please enter password for authentication : Please enter database name to connect : kinmosa === Regist new cipher key === Please enter the new cipher key : ※「kokeshi」と入力した Please retype the new cipher key : ※「kokeshi」入力した Please enter the algorithm for new cipher key : aes Are you sure to register new cipher key(y/n) : y cipher_key_enable_log ----------------------- t (1 row)
- 20. $ psql -d kinmosa psql (9.3.9) Type "help" for help. kinmosa=# --「きんいろモザイク」テーブル作成 kinmosa=# CREATE TABLE Kinmosa( kinmosa(# id Integer PRIMARY KEY, kinmosa(# season Integer NOT NULL, kinmosa(# episode Integer NOT NULL, kinmosa(# title ENCRYPT_TEXT NOT NULL kinmosa(# ); CREATE TABLE
- 21. kinmosa=# --ログ出力無効化 kinmosa=# SELECT cipher_key_disable_log(); ...中略... kinmosa=# --鍵を指定してセッション開始 kinmosa=# SELECT pgtde_begin_session('kokeshi'); pgtde_begin_session --------------------- t (1 row) kinmosa=# --ログ出力有効化 kinmosa=# SELECT cipher_key_enable_log();
- 22. kinmosa=# INSERT INTO Kinmosa VALUES(1, 2, 1, '『はるがきたっ』'); kinmosa=# INSERT INTO Kinmosa VALUES(2, 2, 2, '『プレゼント・フォー・ユー』'); kinmosa=# INSERT INTO Kinmosa VALUES(3, 2, 3, '『あなたがとってもまぶしくて』'); kinmosa=# INSERT INTO Kinmosa VALUES(4, 2, 4, '『雨にもまけず』'); kinmosa=# INSERT INTO Kinmosa VALUES(5, 2, 5, '『おねえちゃんとあそぼう』'); kinmosa=# INSERT INTO Kinmosa VALUES(6, 2, 6, '『きになるあの子』'); kinmosa=# INSERT INTO Kinmosa VALUES(7, 2, 7, '『マイ・ディア・ヒーロー』'); kinmosa=# INSERT INTO Kinmosa VALUES(8, 2, 8, '『もうすぐ夏休み』'); kinmosa=# INSERT INTO Kinmosa VALUES(9, 2, 9, '『とっておきの一日』'); kinmosa=# INSERT INTO Kinmosa VALUES(10, 2, 10, '『海べのやくそく』'); kinmosa=# INSERT INTO Kinmosa VALUES(11, 2, 11, '『ほんのすこしの長いよる』');
- 23. kinmosa=# SELECT * FROM Kinmosa ; id | season | episode | title ----+--------+---------+-------------------------------- 1 | 2 | 1 | 『はるがきたっ』 2 | 2 | 2 | 『プレゼント・フォー・ユー』 3 | 2 | 3 | 『あなたがとってもまぶしくて』 4 | 2 | 4 | 『雨にもまけず』 5 | 2 | 5 | 『おねえちゃんとあそぼう』 6 | 2 | 6 | 『きになるあの子』 7 | 2 | 7 | 『マイ・ディア・ヒーロー』 8 | 2 | 8 | 『もうすぐ夏休み』 9 | 2 | 9 | 『とっておきの一日』 10 | 2 | 10 | 『海べのやくそく』 11 | 2 | 11 | 『ほんのすこしの長いよる』 (11 rows)
- 24. kinmosa=# SELECT pgtde_end_session(); pgtde_end_session ------------------- t (1 row) kinmosa=# INSERT INTO Kinmosa VALUES(666, 2, 999, 'test'); ERROR: TDE-E0016 could not encrypt data, because key was not set(01) LINE 1: INSERT INTO Kinmosa VALUES(666, 2, 999, 'test'); ^ kinmosa=# SELECT * FROM Kinmosa; ERROR: TDE-E0017 could not decrypt data, because key was not set(01)