Encryption in MySQL: Keystore

In anticipation of the start of a new enrollment for the "Database" course, we have prepared a translation of a useful article for you.


Transparent Data Encryption (TDE) has been available in Percona Server for MySQL and in MySQL for some time now. But have you ever wondered how it works under the hood and what impact TDE can have on your server? In this article we will look at how TDE works internally. Let's start with key storage, since it is required for any encryption to work at all. Then we will take a closer look at how encryption works in Percona Server for MySQL / MySQL and what additional features Percona Server for MySQL offers.

MySQL Keyring

Keyrings are plugins that let the server query, create and delete keys in a local file (keyring_file) or on a remote server (such as HashiCorp Vault). Keys are always cached locally to speed up their retrieval.

The plugins can be divided into two categories:

  • Local storage. For example, a local file (we call this a file-based keyring).
  • Remote storage. For example, a Vault Server (we call this a server-based keyring).

This distinction matters because the two storage types behave slightly differently, not only when storing and retrieving keys, but also at server startup.

With file-based storage, the entire contents of the storage are loaded into the cache at startup: the key ID, the key user, the key type and the key itself.

With server-based storage (such as a Vault Server), only the key id and the key user are loaded at startup, so fetching all the keys does not slow startup down. The keys are loaded lazily, that is, the key itself is fetched from Vault only when it is actually needed. Once fetched, the key is cached in memory so that it does not have to be retrieved over the TLS connection to the Vault Server again. Next, let's look at what information is kept in the keystore.

A key record contains the following:

  • key id - the key identifier, for example:
    INNODBKey-764d382a-7324-11e9-ad8f-9cb6d0d5dc99-1
  • key type - the key type according to the encryption algorithm used; possible values: "AES", "RSA" or "DSA".
  • key length - the length in bytes; AES: 16, 24 or 32, RSA: 128, 256 or 512, DSA: 128, 256 or 384.
  • user - the owner of the key. If the key is a system key, for example the Master Key, this field is empty. If the key was created with keyring_udf, this field identifies the owner of the key.
  • the key itself

A key is uniquely identified by the pair: key_id, user.

There are also differences in how keys are stored and deleted.

File-based storage is faster. You might think that the keystore simply writes the key to a file once, but no, there is more to it. Whenever the file-based storage is modified, a backup copy of its entire contents is made first. Say the file is called my_biggest_secrets; the backup will then be my_biggest_secrets.backup. Next, the cache is modified (keys are added or removed) and, if everything succeeds, the cache is flushed to the file. In rare cases, such as a server crash, you may come across this backup file. The backup file is deleted the next time the keys are loaded (usually after a server restart).

When storing or deleting a key in server-based storage, the MySQL server has to connect to the storage with "send the key" / "request key deletion" commands.

Let's get back to server startup speed. Besides the fact that startup speed is affected by the vault itself, there is also the question of how many keys have to be retrieved from the vault at startup. This is, of course, especially relevant for server-based storage. At startup the server checks which key is needed for the encrypted tables / tablespaces and requests that key from the storage. On a "clean" server with Master Key encryption there should be a single Master Key, which has to be retrieved from the storage. However, more keys may be needed, for example when a backup server restores a backup taken from the primary server. In such cases Master Key rotation must be provided for. This will be covered in more detail in future posts; here I only want to note that a server using several Master Keys will take longer to start, especially when it uses a server-side keystore.

Now let's talk a little more about keyring_file. While developing keyring_file, I was also concerned with how to detect changes to keyring_file while the server is running. In 5.7 the check was based on file statistics, which was not an ideal solution, and in 8.0 it was replaced with a SHA256 checksum.

The first time keyring_file runs, the file statistics and the checksum are computed and remembered by the server, and changes are applied only if they match. When the file changes, the checksum is updated.

We have already answered many questions about key vaults. However, there is another important topic that is often forgotten or misunderstood: sharing keys across servers.

What do I mean? Each server (for example, Percona Server) in the cluster must have a separate location on the Vault Server where that Percona Server stores its keys. Each Master Key stored in the storage contains the GUID of the Percona Server in its identifier. Why is this important? Imagine you have only one Vault Server and all the Percona Servers in the cluster use that single Vault Server. The problem seems obvious. If all the Percona Servers used Master Keys without unique identifiers, such as id = 1, id = 2 and so on, then every server in the cluster would use the same Master Key. What the GUID provides is the distinction between servers. So why talk about key sharing between servers if there is already a unique GUID? There is another plugin - keyring_udf. With this plugin, your server users can store their own keys on the Vault server. The problem arises when a user creates a key on server1, for example, and then tries to create a key with the same ID on server2, for example:
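As an added illustration of the file-based flow described above (backup copy, cache update, flush, SHA256 change detection), here is a toy Python model; it is not Percona's code, and the JSON layout, the FileKeyring class and its method names are assumptions made for the demo:

```python
import hashlib
import json
import os

class FileKeyring:
    """Toy model (assumption, not Percona's code) of the keyring_file flow above:
    load the whole file into a cache at startup, take a .backup copy before each
    change, flush the cache to the file, and refuse to apply a change if the file
    was modified out-of-band, detected via a SHA256 checksum as in 8.0."""

    def __init__(self, path):
        self.path = path
        self.backup_path = path + ".backup"
        self.cache = {}        # (key_id, user) -> {"type": ..., "data": ...}
        self.checksum = None

    def _digest(self):
        with open(self.path, "rb") as f:
            return hashlib.sha256(f.read()).hexdigest()

    def load(self):
        # A .backup left behind by a crash is removed the next time keys are loaded.
        if os.path.exists(self.backup_path):
            os.remove(self.backup_path)
        if not os.path.exists(self.path):
            with open(self.path, "w") as f:
                json.dump([], f)
        with open(self.path) as f:
            self.cache = {(k["id"], k["user"]): {"type": k["type"], "data": k["data"]}
                          for k in json.load(f)}
        self.checksum = self._digest()

    def _flush(self):
        with open(self.path, "w") as f:
            json.dump([{"id": i, "user": u, **v} for (i, u), v in self.cache.items()], f)
        self.checksum = self._digest()

    def store_key(self, key_id, user, key_type, data):
        # Apply the change only if the file is still the one we last read or wrote.
        if self._digest() != self.checksum:
            return False
        if (key_id, user) in self.cache:
            return False       # duplicate, like keyring_key_store() returning 0
        with open(self.path, "rb") as src, open(self.backup_path, "wb") as dst:
            dst.write(src.read())              # backup of the whole file first
        self.cache[(key_id, user)] = {"type": key_type, "data": data}
        self._flush()                          # cache modified, then written out
        os.remove(self.backup_path)            # success: backup no longer needed
        return True
```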

--server1:
select keyring_key_store('ROB_1','AES',"123456789012345");
1
--1 means successful completion
--server2:
select keyring_key_store('ROB_1','AES',"543210987654321");
1

Wait. Both servers use the same Vault Server, so shouldn't keyring_key_store fail on server2? Interestingly, if you try the same thing on a single server, you get an error:

--server1:
select keyring_key_store('ROB_1','AES',"123456789012345");
1
select keyring_key_store('ROB_1','AES',"543210987654321");
0

Right, ROB_1 already exists.

Let's discuss the second example first. As we said earlier, keyring_vault, like any other keyring plugin, caches all key IDs in memory. So after the new key is created, ROB_1 is added on server1, and besides being sent to Vault, the key is also added to the cache. Now, when we try to add the same key a second time, keyring_vault checks whether the key is present in the cache and raises an error.

The first scenario is different. Server1 and server2 have separate caches. After ROB_1 is added to the key cache on server1 and to the Vault server, the key cache on server2 is out of sync: there is no ROB_1 key in server2's cache. So the ROB_1 key is written to keyring_key_store and to the Vault server, which actually overwrites (!) the previous value. Now the ROB_1 key on the Vault server is 543210987654321. Interestingly, the Vault server does not block such operations and simply overwrites the old value.

Now we can see why separating servers in Vault can be important - when you use keyring_udf and want to keep keys in Vault. How do you achieve this separation on the Vault server?

There are two ways to partition Vault. You can create a different mount point for each server, or use different paths within the same mount point. This is best explained with examples, so let's look at individual mount points first:

--server1:
vault_url = http://127.0.0.1:8200
secret_mount_point = server1_mount
token = (...)
vault_ca = (...)

--server2:
vault_url = http://127.0.0.1:8200
secret_mount_point = server2_mount
token = (...)
vault_ca = (...)

Here you can see that server1 and server2 use different mount points. When splitting by path, the configuration looks like this:

--server1:
vault_url = http://127.0.0.1:8200
secret_mount_point = mount_point/server1
token = (...)
vault_ca = (...)
--server2:
vault_url = http://127.0.0.1:8200
secret_mount_point = mount_point/server2
token = (...)
vault_ca = (...)

In this case both servers use the same mount point "mount_point", but different paths. When you create the first secret on server1 using this path, the Vault server automatically creates the "server1" directory. For server2 everything works the same way. When you delete the last secret in mount_point/server1 or mount_point/server2, the Vault server also removes those directories. If you use path separation, you only need to create one mount point and change the configuration files so that the servers use separate paths. A mount point can be created with an HTTP request. With curl it can be done like this:

curl -L -H "X-Vault-Token: TOKEN" --cacert VAULT_CA
--data '{"type":"generic"}' --request POST VAULT_URL/v1/sys/mounts/SECRET_MOUNT_POINT

All the parameters (TOKEN, VAULT_CA, VAULT_URL, SECRET_MOUNT_POINT) correspond to the parameters in the configuration file. Of course, you can use the Vault utilities to do the same thing, but this makes it easier to automate the creation of a mount point. I hope you found this information useful, and we'll see you in the next posts in this series.
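As an added Python simulation (not code from the post or from Percona) of the keyring_udf overwrite problem and of the per-server path configuration described above; FakeVault, VaultKeyring and the "key_id:user" naming of the secret path are assumptions made for the demo:

```python
class FakeVault:
    """Constructed stand-in for Vault's KV store: a flat dict of path -> value.
    Like the real server in the post, it does not refuse a write to an existing path."""

    def __init__(self):
        self.secrets = {}

    def write(self, path, value):
        self.secrets[path] = value

    def list_ids(self, prefix):
        return [p[len(prefix):] for p in self.secrets if p.startswith(prefix)]

class VaultKeyring:
    """Model of the keyring_vault behaviour described above (assumption, not
    Percona's code): key ids are cached per server, so a duplicate is only
    detected against the local cache, never against the shared Vault."""

    def __init__(self, vault, secret_mount_point):
        self.vault = vault
        self.prefix = secret_mount_point.rstrip("/") + "/"
        self.cache = set(vault.list_ids(self.prefix))   # startup: ids only, keys lazily

    def key_store(self, key_id, user, key_type, data):
        # Mirrors keyring_key_store(): 1 on success, 0 if the (key_id, user) pair is cached.
        name = f"{key_id}:{user}"        # hypothetical naming of the unique pair
        if name in self.cache:
            return 0
        self.vault.write(self.prefix + name, (key_type, data))
        self.cache.add(name)
        return 1

def shared_path():
    # Both servers use the same mount point and path: server2 overwrites server1's key,
    # while a second store of the same key on server1 itself is refused (returns 0).
    vault = FakeVault()
    s1, s2 = VaultKeyring(vault, "mount_point"), VaultKeyring(vault, "mount_point")
    r1 = s1.key_store("ROB_1", "rob", "AES", "123456789012345")
    r2 = s2.key_store("ROB_1", "rob", "AES", "543210987654321")
    r3 = s1.key_store("ROB_1", "rob", "AES", "543210987654321")
    return r1, r2, r3, vault.secrets["mount_point/ROB_1:rob"][1]

def separate_paths():
    # Per-server paths under one mount point, as in the second configuration above.
    vault = FakeVault()
    s1 = VaultKeyring(vault, "mount_point/server1")
    s2 = VaultKeyring(vault, "mount_point/server2")
    s1.key_store("ROB_1", "rob", "AES", "123456789012345")
    s2.key_store("ROB_1", "rob", "AES", "543210987654321")
    return sorted(vault.secrets)
```

Because ids are loaded at startup, a restarted server on the same path does see the key and refuses the duplicate; only a server whose cache was filled before the other server's write is out of sync.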



Source: www.hab.com
