using amazon key management
play

using Amazon Key Management Service Jan Lindstrm, Principal - PowerPoint PPT Presentation

Jan 31, 2024 •459 likes •795 views

Transparent tablespace and log encryption on MariaDB 10.1 using Amazon Key Management Service Jan Lindstrm, Principal Engineer, MariaDB Corporation Amsterdam, Netherlands | October 5, 2016 Agenda 1. Introduction 2. Concepts 3.

  1. Transparent tablespace and log encryption on MariaDB 10.1 using Amazon Key Management Service Jan Lindström, Principal Engineer, MariaDB Corporation Amsterdam, Netherlands | October 5, 2016

  2. Agenda 1. Introduction 2. Concepts 3. InnoDB/XtraDB 4. Encryption Plugins 5. Amazon AWS KMS 6. Configuration 2

  3. Introduction

  4. What is transparent encryption? • Transparent to application • Application does’t know anything about keys, algorithm, etc • Anyone that can connect to MariaDB can dump data • Not data-in-transit encryption (SSL/TLS) • Not per-column encryption • Not application-side encryption • No encryption functions needed (AES_ENCRYPT()) 4

  5. All data written to disk should be encrypted • InnoDB tablespaces (per-file and system) • InnoDB log files • Aria tables • Temporary files • Temporary tables • Binary log • No mysqlbinlog, though! 5

  6. What’s missing? • Aria logs • Audit log • Error log • Slow query log • General query log • MyISAM tables • CONNECT, CSV, et. Al. • Galera gcache 6

  7. Implementation • MariaDB has a new interface for encryption plugins • Key management • Encryption/decryption • Implemented co-operation together with Google and Eperi • https://mariadb.com/kb/en/mariadb/encryption-plugins/ 7

  8. Concepts

  9. Concepts • Key ID • ID 1 for system data, like InnoDB redo logs, binary logs, etc • ID 2 (if available) for temporary data, like temporary files and temporary tables • Other Ids as configured when creating tables, etc. • Key Version (for rotation) • Encryption algorithm • Default AES_CBC • Support for these items may vary across plugins! 9

  10. InnoDB/XtraDB

  11. InnoDB/XtraDB • ON/OFF/FORCE • innodb-encrypt-tables = [ON | OFF | FORCE]; • Encrypt log • innodb-encrypt-log = [ON | OFF]; • Monitoring (IS) • innodb-tablespaces-scrubbing • innodb-tablespaces-encryption 11

  12. InnoDB/XtraDB • Optional background rotation • innodb-encryption-threads = n; • innodb-encryption-rotate-key-age= n; ” Age ” in key versions - • innodb-encryption-rotation-iops = n; • Optional data scrubbing • innodb-background-scrub-data-compressed = [ON | OFF]; • innodb-background-scrub-data-uncompressed = [ON | OFF]; • innodb-immediate-scrub-data-uncompressed = [ON | OFF]; • innodb-scrub-log = [ON|OFF]; • innodb-scrub-log-speed=n; • innodb-background-scrub-data-check-interval=n; https://mariadb.com/kb/en/mariadb/xtradb-innodb-data-scrubbing/ 12

  13. Encryption plugins

  14. Encryption plugins • File key management • https://mariadb.com/kb/en/mariadb/data-at-rest-encryption/#file_key_management- plugin • AWS KMS plugin • https://mariadb.com/kb/en/mariadb/aws-key-management-encryption-plugin/ • Eperi plugin • http://eperi.de/en/products/database-encryption/ • Custom plugins to meet customer needs? 14

  15. File_key_management • Keys stored in a local file (note that this file could be on USB stick) • No support for key rotation/version • Key file itself can be encrypted (but used key in my.cnf) • Do you feel good having your encryption keys sitting next to your data ? 15

  16. Eperi plugin • Separate Eperi gateway software • Licenses and downloads from Eperi’s web portal • KMS • Plugin opens listener that the KMS connects to in order to authenticate the connecting MariaDB instance • Page encryption server • InnoDB actually sends pages to the Eperi gateway node to be encrypted! 16

  17. Amazon KMS Encryption Plugin

  18. AWS KMS Encryption Plugin • Amazon Web Services Key Management Service • CloadTrail & CloudWatch • Logging • Auditing • Notifications • Identity and Access Management (IAM) • Interesting possibilities • MFA for MariaDB startup • IAM roles to read keys • AWS logging & alerts 18

  19. Requirements • You need to sign up for Amazon Web Services • You need to create IAM user • MariaDB server will use these credentials to authenticate AWS server • You need to create a master encryption key • Used to encrypt the actual encryption keys that will be used by MariaDB • You will need to configure AWS credentials • You will need to configure MariaDB (naturally) 19

  20. AWS KMS Plugin • Writes enrypted keys to local disk • MariaDB must connect to KMS to decrypt keys - MariaDB startup - Creating a table that uses a new key • Supports key rotation • Limited platform support due to C++11 requirement of AWS SDK • Requires C++11 compiler: gcc4.7+, clang 3.3+ or VS2013+ • RHEL • CentOS 7 • ~600 lines • Great reference for people who want to write their own plugins 20

  21. Credentials Management • Identify and Access Management (IAM) policy for keys • Authorized source addresses • IAM users w/ restricted privileges • Multi-Factor Authentication (2FA/MFA) • AWS SDK • Config file, environment variables, etc. • Flexible wrapper program • EC2 (Elastic Compute Cloud) instance IAM role 21

  22. Configuration

  23. Install, enable, and configure $ cat /etc/my.cnf.d/aws_key_management.cnf [mariadb] plugin-load-add=aws_key_management.so aws-key-management aws-key-management-master-key-id = alieas/mariadb2 # aws_key_management_log_level = Trace ignore-db-dirs=.pki !include /etc/my.cnf.d/enable_encryption.preset 23

  24. Turn on encryption settings $ cat /etc/my.cnf.d/enable_encryption.preset [mariadb] aria-encrypt-tables encrypt-binlog encrypt-tmp-disk-tables encrypt-tmp-files loose-innodb-encrypt-log loose-innodb-encrypt-tables 24

  25. Encrypted system tablespace $ sudo – u mysql mysql_install_db … 2016-09-29 11:40:00 [Note] AWK KMS plugin: generated encrypted datakey for key id=1, version=1 2016-09-29 11:40:00 [Note] AWK KMS plugin: loaded key 1, version 1, key length 128 bit … 2016-09-29 11:40:01 [Note] AWK KMS plugin: generated encrypted datakey for key id=2, version=1 2016-09-29 11:40:01 [Note] AWK KMS plugin: loaded key 2, version 1, key length 128 bit 2016-09-29 11:40:01 [Note] Using encryption key id 2 for temporary files … 25

  26. Why encrypt data ? MariaDB [db]> create table client_credit_card(id int not null primary key, credit_card varchar(20)) engine=innodb encrypted=no ; MariaDB [db]> insert into client_credit_cards values (20071992, ’5275 -0000- 0000- 0000’): … $ sudo strings /var/lib/mysql/db/client_credit_cards.ibd infimum supremum 5275-0000-0000-0000 26

  27. Automatic key generation MariaDB [db]> create table client_credit_card(id int not null primary key, credit_card varchar(20)) engine=innodb encrypted=yes encryption_key_id=3 ; MariaDB [db]> insert into client_credit_card values (20071992, ’5275 -0000-0000- 0000’): … $ sudo strings /var/lib/mysql/db/client_credit_card.ibd {7fgh k6klj B_0= … 27

  28. I_S table for encryption info MariaDB [(none)]> select * from information_schema.innodb_tablespaces_encryption where name='db/client_credit_card'\G *************************** 1. row *************************** SPACE: 6 NAME: db/client_credit_card ENCRYPTION_SCHEME: 1 KEYSERVER_REQUESTS: 1 MIN_KEY_VERSION: 1 CURRENT_KEY_VERSION: 1 KEY_ROTATION_PAGE_NUMBER: NULL KEY_ROTATION_MAX_PAGE_NUMBER: NULL CURRENT_KEY_ID: 3 1 row in set (0.00 sec) 28

  29. Key rotation MariaDB [(none)]> show variables like 'aws%'; +----------------------------------+----------------+ | Variable_name | Value | +----------------------------------+----------------+ | aws_key_management_key_spec | AES_128 | | aws_key_management_log_level | Off | | aws_key_management_master_key_id | alias/mariadb2 | | aws_key_management_rotate_key | 0 | +----------------------------------+----------------+ 4 rows in set (0.00 sec) MariaDB [(none)]> set global aws_key_management_rotate_key=3; Query OK, 0 rows affected (0.27 sec) 29

  30. Key rotation MariaDB [db]> set global innodb_encryption_threads=4; Query OK, 0 rows affected (0.00 sec) MariaDB [db]> set global innodb_encryption_rotate_key_age=0; Query OK, 0 rows affected (0.00 sec) MariaDB [db]> select * from information_schema.innodb_tablespaces_encryption where name like 'db/c%'\G *************************** 1. row *************************** SPACE: 6 NAME: db/client_credit_card ENCRYPTION_SCHEME: 1 KEYSERVER_REQUESTS: 2 MIN_KEY_VERSION: 2 CURRENT_KEY_VERSION: 2 KEY_ROTATION_PAGE_NUMBER: NULL KEY_ROTATION_MAX_PAGE_NUMBER: NULL CURRENT_KEY_ID: 3 1 row in set (0.00 sec) 30

  31. Documentation • https://mariadb.com/kb/en/mariadb-enterprise/mariadb-enterprise-aws-kms- encryption-plugin-setup-guide/ • https://mariadb.com/kb/en/mariadb-enterprise/mariadb-enterprise-aws-kms- encryption-plugin-advanced-usage/ • https://mariadb.com/kb/en/mariadb/data-at-rest-encryption/ • https://mariadb.com/kb/en/mariadb/xtradb-innodb-data-scrubbing/ 31

  32. Q/A

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Relational Document Time Series Amazon Aurora Amazon DocumentDB Amazon Timestream Graph

Relational Document Time Series Amazon Aurora Amazon DocumentDB Amazon Timestream Graph

Relational Document Time Series Amazon Aurora Amazon DocumentDB Amazon Timestream Graph Key-value Amazon RedShi Amazon Neptune Amazon DynamoDB Amazon RDS Ledger In-memory Amazon Quantum AWS Database Migration Amazon ElastiCache

612 views • 6 slides
Instance Support Elastic Load Balancing Amazon EC2 AWS Elastic Beanstalk Amazon EC2 Container

Instance Support Elastic Load Balancing Amazon EC2 AWS Elastic Beanstalk Amazon EC2 Container

Instance Support Elastic Load Balancing Amazon EC2 AWS Elastic Beanstalk Amazon EC2 Container Amazon ECS VMWare Cloud on AWS Registry Amazon Lightsail AWS Outposts AWS Batch Container Functions (Serverless Compute) Amazon ECS* AWS

347 views • 15 slides
ISTA 6-Amazon Packaging Solutions 1 Table of Contents o Introduction to E-Commerce & Amazon

ISTA 6-Amazon Packaging Solutions 1 Table of Contents o Introduction to E-Commerce & Amazon

ISTA 6-Amazon Packaging Solutions 1 Table of Contents o Introduction to E-Commerce & Amazon o Amazon Fulfillment Process & Requirements o Amazon Tier Certification Types o About the APASS Network o ISTA-6 Testing Information o Common

747 views • 35 slides
Business Process Management: Amazon MIS 460 IT Strategy Group 1: Caitlin Chamberlain, Andrea

Business Process Management: Amazon MIS 460 IT Strategy Group 1: Caitlin Chamberlain, Andrea

Business Process Management: Amazon MIS 460 IT Strategy Group 1: Caitlin Chamberlain, Andrea Dragoni, Julie Payton, Sammi Devlin, Marlana Perillo Gentile, Jasmine Mina, and Akash Bajaj History of BPM 1980s -- Total Quality Management

680 views • 28 slides
AWS Key Management Service (KMS) Handlin ing cry ryptographic ic bounds for use of AES-GCM

AWS Key Management Service (KMS) Handlin ing cry ryptographic ic bounds for use of AES-GCM

AWS Key Management Service (KMS) Handlin ing cry ryptographic ic bounds for use of AES-GCM Matthew Campagna Shay Gueron Amazon Web Services Amazon Web Services University of Haifa 1 Outline The AWS Key Management Service

2.63k views • 25 slides
Me vs BigQuery CEO @ Applications Databases Files Stripe Asana Instagram Amazon Aurora

Me vs BigQuery CEO @ Applications Databases Files Stripe Asana Instagram Amazon Aurora

Data Warehouse Benchmark: Redshift vs Snowflake Me vs BigQuery CEO @ Applications Databases Files Stripe Asana Instagram Amazon Aurora Amazon Cloudfront Xero Bing Ads Intercom Amazon RDS Amazon Kinesis Firehose Zendesk Braintree

718 views • 25 slides
The Amazon effect Amazon vs Walmart Market Cap 2008-2018 $1,000 $900 $800 $700 $600 USD

The Amazon effect Amazon vs Walmart Market Cap 2008-2018 $1,000 $900 $800 $700 $600 USD

The Amazon effect Amazon vs Walmart Market Cap 2008-2018 $1,000 $900 $800 $700 $600 USD Billion $500 $400 $300 $200 $100 $0 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 Walmart Amazon Amazons market cap has

554 views • 4 slides
Machine Learning @ Amazon Ralf Herbrich Amazon 6/29/17 1 Overview Machine Learning in

Machine Learning @ Amazon Ralf Herbrich Amazon 6/29/17 1 Overview Machine Learning in

Machine Learning @ Amazon Ralf Herbrich Amazon 6/29/17 1 Overview Machine Learning in Practise Probabilities Finite Resource Machine Learning @ Amazon Forecasting Machine Translation Visual Systems Conclusions

348 views • 34 slides
amazon.coms Journey to the Cloud John Rauser - @jrauser

amazon.coms Journey to the Cloud John Rauser - @jrauser

amazon.coms Journey to the Cloud John Rauser - @jrauser QConSF - November 2011 Amazon Retail != Amazon Web Services Amazon Retail is a

2k views • 163 slides
Build a Mini-Amazon-Go in 1 Day Nov 2019 Zhi Zhang, Rachel Hu Amazon AI d2l.ai Outline

Build a Mini-Amazon-Go in 1 Day Nov 2019 Zhi Zhang, Rachel Hu Amazon AI d2l.ai Outline

Build a Mini-Amazon-Go in 1 Day Nov 2019 Zhi Zhang, Rachel Hu Amazon AI d2l.ai Outline Initiate the work-horse(SageMaker notebook) Showcase a demo from the noob Sampling real-world data Hello world for object labeling

279 views • 12 slides
VMD & NAMD on Elastic Compute Cloud (EC2) instance of Amazon Web Services (AWS) Start VMD

VMD & NAMD on Elastic Compute Cloud (EC2) instance of Amazon Web Services (AWS) Start VMD

VMD & NAMD on Elastic Compute Cloud (EC2) instance of Amazon Web Services (AWS) Start VMD & NAMD AMI (once you have created your AWS account) AMI - Amazon Machine Image Amazon Marketplace - https://aws.amazon.com/marketplace/ Search for

709 views • 36 slides
Relational Amazon Aurora Amazon RedShi f Amazon RDS AWS Database Migration Service DMS

Relational Amazon Aurora Amazon RedShi f Amazon RDS AWS Database Migration Service DMS

Relational Amazon Aurora Amazon RedShi f Amazon RDS AWS Database Migration Service DMS Relational Document Amazon Aurora Amazon DocumentDB Amazon RedShi f Amazon RDS AWS Database Migration Service DMS Relational Document Amazon

761 views • 11 slides
AMZ A different kind of Amazon Agency CONTROLLING 1 4 PARTNERS AND CLIENTS CONTENTS T HE AMAZON

AMZ A different kind of Amazon Agency CONTROLLING 1 4 PARTNERS AND CLIENTS CONTENTS T HE AMAZON

COMPANY PRESENTATION AMZ A different kind of Amazon Agency CONTROLLING 1 4 PARTNERS AND CLIENTS CONTENTS T HE AMAZON CHALLENGE Our partners Your digital business card Customer feedback 2 T HE AMZ CONTROLLING 5 OWN PRODUCTS AND PROJECTS

451 views • 13 slides
Alpha Presentation Amazon Customer Review Analyzer The Capstone Experience Team Amazon Ian

Alpha Presentation Amazon Customer Review Analyzer The Capstone Experience Team Amazon Ian

Alpha Presentation Amazon Customer Review Analyzer The Capstone Experience Team Amazon Ian Whalen Ankit Luthra Tess Huelskamp Jason Liu Jie Wan Department of Computer Science and Engineering Michigan State University Spring 2017 From

264 views • 8 slides
Amazon Protocol A strategy for dealing with the current epidemics among the indigenous people of

Amazon Protocol A strategy for dealing with the current epidemics among the indigenous people of

Amazon Protocol A strategy for dealing with the current epidemics among the indigenous people of the Amazon rain forest. Amazon Protocol Disclaimer I, Michael Stuart Ani, am not a medical physician or scientific authority on the Covid-19

386 views • 19 slides
Isolated generation systems in Amazon, real situation and challenges to transform the Amazon

Isolated generation systems in Amazon, real situation and challenges to transform the Amazon

Isolated generation systems in Amazon, real situation and challenges to transform the Amazon into a diesel-free environment Brazil Country Overview Brazil Economy Source: Climate Transparency - Brown to Green Report 2019. 3 Brazil

635 views • 41 slides
STAT 113: FINAL EXAM PRACTICE PROBLEMS COLIN REIMER DAWSON, FALL 2015 Research Design /

STAT 113: FINAL EXAM PRACTICE PROBLEMS COLIN REIMER DAWSON, FALL 2015 Research Design /

STAT 113: FINAL EXAM PRACTICE PROBLEMS COLIN REIMER DAWSON, FALL 2015 Research Design / Describing Samples. (1) The following measures can be used to describe distributions (either population or sample distributions). For each one describe

239 views • 8 slides
NLU lecture 6: Compositional character representations Adam Lopez alopez@inf.ed.ac.uk Credits:

NLU lecture 6: Compositional character representations Adam Lopez alopez@inf.ed.ac.uk Credits:

NLU lecture 6: Compositional character representations Adam Lopez alopez@inf.ed.ac.uk Credits: Clara Vania 2 Feb 2018 Lets revisit an assumption in language modeling (& word2vec) When does this assumption make sense for language

801 views • 66 slides
Shell Scripting Dalhousie University Winter 2019 Reading Glass and Ables, Chapter 8: bash Your

Shell Scripting Dalhousie University Winter 2019 Reading Glass and Ables, Chapter 8: bash Your

CSCI 2132: Software Development Norbert Zeh Faculty of Computer Science Shell Scripting Dalhousie University Winter 2019 Reading Glass and Ables, Chapter 8: bash Your Shell vs Your File Manager File manager Easy and intuitive to use

267 views • 25 slides
Cutting MapReduce Cost with Spot Market Huan Liu Accenture Technology Labs Why spot market? 2

Cutting MapReduce Cost with Spot Market Huan Liu Accenture Technology Labs Why spot market? 2

Cutting MapReduce Cost with Spot Market Huan Liu Accenture Technology Labs Why spot market? 2 Challenge with Spot Market 3 Cloud MapReduce Hadoop Our prior work MapReduce App MapReduce App Cloud MapReduce Hadoop Cloud OS Amazon

185 views • 7 slides
1 CephFS fsck: Distributed Filesystem Checking Hi, Im Greg Greg Farnum CephFS Tech Lead,

1 CephFS fsck: Distributed Filesystem Checking Hi, Im Greg Greg Farnum CephFS Tech Lead,

1 CephFS fsck: Distributed Filesystem Checking Hi, Im Greg Greg Farnum CephFS Tech Lead, Red Hat gfarnum@redhat.com Been working as a core Ceph developer since June 2009 3 4 What is Ceph? An awesome, software-based, scalable,

1.01k views • 83 slides
ASSENT COMPLIANCE Building a Conflict Minerals Program 2015/16 info@assentcompliance.com |

ASSENT COMPLIANCE Building a Conflict Minerals Program 2015/16 info@assentcompliance.com |

ASSENT COMPLIANCE Building a Conflict Minerals Program 2015/16 info@assentcompliance.com | www.assentcompliance.com | TEL: 1(866)964.6931 1 About Assent: Your Partner For info@assentcompliance.com |

347 views • 16 slides
Implementing a Simple SMF Service: Lessons Learned OSDevCon09, October 30th, 2009 Constantin

Implementing a Simple SMF Service: Lessons Learned OSDevCon09, October 30th, 2009 Constantin

Implementing a Simple SMF Service: Lessons Learned OSDevCon09, October 30th, 2009 Constantin Gonzalez Principal Field Technologist Sun Microsystems Germany Goals Make ZFS pool hygiene a 1-click experience Implement a simple SMF

582 views • 39 slides
Copy On Write (COW) allows for atomic transactions without a separate journal Snapshots

Copy On Write (COW) allows for atomic transactions without a separate journal Snapshots

So, why am I talking about Btrfs? I've been using linux and its different filesystems since 1993 I've have been using ext2/ext3/ext4 for 20 years. But I worked at Network Appliance in 1997, and I've grown hooked to snapshots. LVM

478 views • 45 slides

More recommend