Transparent tablespace and log encryption on MariaDB 10.1 using Amazon Key Management Service, Jan Lindström, Principal Engineer, MariaDB Corporation (PowerPoint PPT presentation)



  1. Transparent tablespace and log encryption on MariaDB 10.1 using Amazon Key Management Service
     Jan Lindström, Principal Engineer, MariaDB Corporation
     Amsterdam, Netherlands | October 5, 2016

  2. Agenda
     1. Introduction
     2. Concepts
     3. InnoDB/XtraDB
     4. Encryption Plugins
     5. Amazon AWS KMS
     6. Configuration

  3. Introduction

  4. What is transparent encryption?
     • Transparent to the application
     • The application doesn't know anything about keys, algorithms, etc.
     • Anyone that can connect to MariaDB can dump the data
     • Not data-in-transit encryption (SSL/TLS)
     • Not per-column encryption
     • Not application-side encryption
     • No encryption functions needed (AES_ENCRYPT())

  5. All data written to disk should be encrypted
     • InnoDB tablespaces (per-file and system)
     • InnoDB log files
     • Aria tables
     • Temporary files
     • Temporary tables
     • Binary log
       • No mysqlbinlog, though!

  6. What's missing?
     • Aria logs
     • Audit log
     • Error log
     • Slow query log
     • General query log
     • MyISAM tables
     • CONNECT, CSV, et al.
     • Galera gcache

  7. Implementation
     • MariaDB has a new interface for encryption plugins
       • Key management
       • Encryption/decryption
     • Implemented in co-operation with Google and Eperi
     • https://mariadb.com/kb/en/mariadb/encryption-plugins/

  8. Concepts

  9. Concepts
     • Key ID
       • ID 1 for system data, like InnoDB redo logs, binary logs, etc.
       • ID 2 (if available) for temporary data, like temporary files and temporary tables
       • Other IDs as configured when creating tables, etc.
     • Key version (for rotation)
     • Encryption algorithm
       • Default AES_CBC
     • Support for these items may vary across plugins!

  10. InnoDB/XtraDB

  11. InnoDB/XtraDB
      • ON/OFF/FORCE
        • innodb-encrypt-tables = [ON | OFF | FORCE];
      • Encrypt log
        • innodb-encrypt-log = [ON | OFF];
      • Monitoring (I_S tables)
        • innodb-tablespaces-scrubbing
        • innodb-tablespaces-encryption

  12. InnoDB/XtraDB
      • Optional background rotation
        • innodb-encryption-threads = n;
        • innodb-encryption-rotate-key-age = n; ("age" is measured in key versions)
        • innodb-encryption-rotation-iops = n;
      • Optional data scrubbing
        • innodb-background-scrub-data-compressed = [ON | OFF];
        • innodb-background-scrub-data-uncompressed = [ON | OFF];
        • innodb-immediate-scrub-data-uncompressed = [ON | OFF];
        • innodb-scrub-log = [ON | OFF];
        • innodb-scrub-log-speed = n;
        • innodb-background-scrub-data-check-interval = n;
      • https://mariadb.com/kb/en/mariadb/xtradb-innodb-data-scrubbing/

  13. Encryption plugins

  14. Encryption plugins
      • File key management
        • https://mariadb.com/kb/en/mariadb/data-at-rest-encryption/#file_key_management-plugin
      • AWS KMS plugin
        • https://mariadb.com/kb/en/mariadb/aws-key-management-encryption-plugin/
      • Eperi plugin
        • http://eperi.de/en/products/database-encryption/
      • Custom plugins to meet customer needs?

  15. File_key_management
      • Keys stored in a local file (note that this file could be on a USB stick)
      • No support for key rotation/versions
      • The key file itself can be encrypted (but the key that decrypts it then sits in my.cnf)
      • Do you feel good having your encryption keys sitting next to your data?

  16. Eperi plugin
      • Separate Eperi gateway software
      • Licenses and downloads from Eperi's web portal
      • KMS
        • The plugin opens a listener that the KMS connects to in order to authenticate the connecting MariaDB instance
      • Page encryption server
        • InnoDB actually sends pages to the Eperi gateway node to be encrypted!

  17. Amazon KMS Encryption Plugin

  18. AWS KMS Encryption Plugin
      • Amazon Web Services Key Management Service
      • CloudTrail & CloudWatch
        • Logging
        • Auditing
        • Notifications
      • Identity and Access Management (IAM)
      • Interesting possibilities
        • MFA for MariaDB startup
        • IAM roles to read keys
        • AWS logging & alerts

  19. Requirements
      • You need to sign up for Amazon Web Services
      • You need to create an IAM user
        • The MariaDB server will use these credentials to authenticate to AWS
      • You need to create a master encryption key
        • Used to encrypt the actual encryption keys that will be used by MariaDB
      • You will need to configure AWS credentials
      • You will need to configure MariaDB (naturally)

  20. AWS KMS Plugin
      • Writes encrypted keys to local disk
      • MariaDB must connect to KMS to decrypt keys
        • at MariaDB startup
        • when creating a table that uses a new key
      • Supports key rotation
      • Limited platform support due to the C++11 requirement of the AWS SDK
        • Requires a C++11 compiler: gcc 4.7+, clang 3.3+ or VS2013+
        • RHEL
        • CentOS 7
      • ~600 lines
      • Great reference for people who want to write their own plugins

  21. Credentials Management
      • Identity and Access Management (IAM) policy for keys
        • Authorized source addresses
        • IAM users w/ restricted privileges
        • Multi-Factor Authentication (2FA/MFA)
      • AWS SDK
        • Config file, environment variables, etc.
      • Flexible wrapper program
      • EC2 (Elastic Compute Cloud) instance IAM role

  22. Configuration

  23. Install, enable, and configure

      $ cat /etc/my.cnf.d/aws_key_management.cnf
      [mariadb]
      plugin-load-add=aws_key_management.so
      aws-key-management
      aws-key-management-master-key-id = alias/mariadb2
      # aws_key_management_log_level = Trace
      ignore-db-dirs=.pki
      !include /etc/my.cnf.d/enable_encryption.preset

  24. Turn on encryption settings

      $ cat /etc/my.cnf.d/enable_encryption.preset
      [mariadb]
      aria-encrypt-tables
      encrypt-binlog
      encrypt-tmp-disk-tables
      encrypt-tmp-files
      loose-innodb-encrypt-log
      loose-innodb-encrypt-tables
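As an added example (not from the deck or from MariaDB), a small auditor that reads these option files the way the server does, following !include, treating a bare option line as ON and folding the loose-/underscore spellings together, and reports any of the encryption settings above that is missing or turned OFF. The two files it writes are constructed copies of slides 23 and 24; the function names `load_options`, `audit` and `demo` are its own.

```python
import os
import tempfile

REQUIRED = (  # settings the deck turns on; a bare my.cnf option line means ON
    "plugin-load-add", "aws-key-management-master-key-id", "aria-encrypt-tables",
    "encrypt-binlog", "encrypt-tmp-disk-tables", "encrypt-tmp-files",
    "innodb-encrypt-log", "innodb-encrypt-tables")

def load_options(path):
    """Return {option: value} from a my.cnf-style file, following !include."""
    opts = {}
    with open(path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()      # drop comments and blanks
            if not line or line.startswith("["):
                continue
            if line.startswith("!include "):          # merge the included preset
                inc = os.path.join(os.path.dirname(path), line.split(None, 1)[1])
                opts.update(load_options(inc))        # join keeps absolute paths
                continue
            key, _, val = line.partition("=")
            key = key.strip().replace("_", "-").removeprefix("loose-")  # same option
            opts[key] = val.strip() or "ON"
    return opts

def audit(path):
    """List problems found; an empty list means encryption is fully enabled."""
    opts = load_options(path)
    problems = [f"{n} is not set" for n in REQUIRED if n not in opts]
    problems += [f"{n} is OFF" for n in REQUIRED
                 if opts.get(n, "").upper() in ("OFF", "0")]
    if "aws_key_management" not in opts.get("plugin-load-add", ""):
        problems.append("aws_key_management plugin is not loaded")
    return problems

def demo():
    """Audit constructed copies of the deck's two files, then a weakened copy."""
    main = os.path.join(tempfile.mkdtemp(), "aws_key_management.cnf")
    with open(os.path.join(os.path.dirname(main), "enable_encryption.preset"), "w") as fh:
        fh.write("[mariadb]\naria-encrypt-tables\nencrypt-binlog\n"
                 "encrypt-tmp-disk-tables\nencrypt-tmp-files\n"
                 "loose-innodb-encrypt-log\nloose-innodb-encrypt-tables\n")
    with open(main, "w") as fh:
        fh.write("[mariadb]\nplugin-load-add=aws_key_management.so\n"
                 "aws-key-management\naws-key-management-master-key-id = alias/mariadb2\n"
                 "# aws_key_management_log_level = Trace\n!include enable_encryption.preset\n")
    good = audit(main)
    with open(main, "a") as fh:           # a later line overrides an earlier one
        fh.write("innodb_encrypt_tables=OFF\n")
    return good, audit(main)
```

Running `demo()` returns an empty list for the deck's configuration and a single "innodb-encrypt-tables is OFF" finding once that option is overridden later in the file.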

  25. Encrypted system tablespace

      $ sudo -u mysql mysql_install_db
      …
      2016-09-29 11:40:00 [Note] AWK KMS plugin: generated encrypted datakey for key id=1, version=1
      2016-09-29 11:40:00 [Note] AWK KMS plugin: loaded key 1, version 1, key length 128 bit
      …
      2016-09-29 11:40:01 [Note] AWK KMS plugin: generated encrypted datakey for key id=2, version=1
      2016-09-29 11:40:01 [Note] AWK KMS plugin: loaded key 2, version 1, key length 128 bit
      2016-09-29 11:40:01 [Note] Using encryption key id 2 for temporary files
      …

  26. Why encrypt data?

      MariaDB [db]> create table client_credit_cards(id int not null primary key, credit_card varchar(20)) engine=innodb encrypted=no;
      MariaDB [db]> insert into client_credit_cards values (20071992, '5275-0000-0000-0000');
      …
      $ sudo strings /var/lib/mysql/db/client_credit_cards.ibd
      infimum
      supremum
      5275-0000-0000-0000

  27. Automatic key generation

      MariaDB [db]> create table client_credit_card(id int not null primary key, credit_card varchar(20)) engine=innodb encrypted=yes encryption_key_id=3;
      MariaDB [db]> insert into client_credit_card values (20071992, '5275-0000-0000-0000');
      …
      $ sudo strings /var/lib/mysql/db/client_credit_card.ibd
      {7fgh
      k6klj
      B_0=
      …

  28. I_S table for encryption info

      MariaDB [(none)]> select * from information_schema.innodb_tablespaces_encryption where name='db/client_credit_card'\G
      *************************** 1. row ***************************
                             SPACE: 6
                              NAME: db/client_credit_card
                 ENCRYPTION_SCHEME: 1
                KEYSERVER_REQUESTS: 1
                   MIN_KEY_VERSION: 1
               CURRENT_KEY_VERSION: 1
          KEY_ROTATION_PAGE_NUMBER: NULL
      KEY_ROTATION_MAX_PAGE_NUMBER: NULL
                    CURRENT_KEY_ID: 3
      1 row in set (0.00 sec)

  29. Key rotation

      MariaDB [(none)]> show variables like 'aws%';
      +----------------------------------+----------------+
      | Variable_name                    | Value          |
      +----------------------------------+----------------+
      | aws_key_management_key_spec      | AES_128        |
      | aws_key_management_log_level     | Off            |
      | aws_key_management_master_key_id | alias/mariadb2 |
      | aws_key_management_rotate_key    | 0              |
      +----------------------------------+----------------+
      4 rows in set (0.00 sec)

      MariaDB [(none)]> set global aws_key_management_rotate_key=3;
      Query OK, 0 rows affected (0.27 sec)

  30. Key rotation

      MariaDB [db]> set global innodb_encryption_threads=4;
      Query OK, 0 rows affected (0.00 sec)

      MariaDB [db]> set global innodb_encryption_rotate_key_age=0;
      Query OK, 0 rows affected (0.00 sec)

      MariaDB [db]> select * from information_schema.innodb_tablespaces_encryption where name like 'db/c%'\G
      *************************** 1. row ***************************
                             SPACE: 6
                              NAME: db/client_credit_card
                 ENCRYPTION_SCHEME: 1
                KEYSERVER_REQUESTS: 2
                   MIN_KEY_VERSION: 2
               CURRENT_KEY_VERSION: 2
          KEY_ROTATION_PAGE_NUMBER: NULL
      KEY_ROTATION_MAX_PAGE_NUMBER: NULL
                    CURRENT_KEY_ID: 3
      1 row in set (0.00 sec)

  31. Documentation
      • https://mariadb.com/kb/en/mariadb-enterprise/mariadb-enterprise-aws-kms-encryption-plugin-setup-guide/
      • https://mariadb.com/kb/en/mariadb-enterprise/mariadb-enterprise-aws-kms-encryption-plugin-advanced-usage/
      • https://mariadb.com/kb/en/mariadb/data-at-rest-encryption/
      • https://mariadb.com/kb/en/mariadb/xtradb-innodb-data-scrubbing/

  32. Q/A
