Ahead of the start of the new course
Transparent Data Encryption (TDE) is
MySQL keyring
The keyring is a plugin that lets the server query, create and delete keys held in a local file (keyring_file) or on a remote server (such as HashiCorp Vault). Keys are always cached locally so that fetching them is fast.
Plugins fall into two categories:
- Local storage, for example a local file (we will call this file-based keyring).
- Remote storage, for example Vault Server (we will call this server-based keyring).
This distinction matters because the two storage types behave slightly differently, not only when keys are stored and fetched but also when the server starts.
With file storage, the entire content of the storage (key IDs, key users, key types and the keys themselves) is loaded into the cache at startup.
With a server-based store (such as Vault Server), only the key IDs and key users are loaded at startup, so fetching every key does not slow the start. Keys are loaded lazily: a key itself is loaded from Vault only when it is actually needed. Once downloaded, a key is cached in memory, so it does not have to be fetched again over the TLS connection to the Vault server. Next, let us look at what information lives in the key store.
The important pieces of information are:
- Key ID: the key identifier, for example:
INNODBKey-764d382a-7324-11e9-ad8f-9cb6d0d5dc99-1
- Key type: the type of key, determined by the encryption algorithm it is used with. Possible values: "AES", "RSA" or "DSA".
- Key length: the length of the key in bytes. AES: 16, 24 or 32; RSA: 128, 256 or 512; DSA: 128, 256 or 384.
- User: the owner of the key. For system keys (such as the master key) this field is empty. When a key is created with keyring_udf, this field identifies the key's owner.
- The key itself.
A key is uniquely identified by the pair (key_id, user).
Storing and removing keys also differs between the two storage types.
File storage is faster. You might think the key store simply writes the key to the file once, but that is not the case; considerably more happens. Every time the file storage is modified, a backup copy of its entire content is created first. If the file is named my_biggest_secrets, the backup copy is my_biggest_secrets.backup. The cache is then modified (the key is added or removed), and once everything has succeeded the cache is dumped back to the file. In rare cases, such as a server crash, you may find this backup file left behind. The backup file is removed the next time the keys are loaded, usually after a server restart.
When a key is stored in or removed from server storage, a connection between the MySQL server and the storage has to be made and a "send the key" / "delete the key" request issued.
Back to server startup speed. Besides the fact that startup speed is affected by the vault itself, there is the question of how many keys have to be fetched from the vault at startup. This naturally matters most for server storage. At startup, the server determines which keys its encrypted tables/tablespaces need and requests them from the storage. A "clean" server with master-key encryption should have one master key that must be fetched from the storage. More keys may be needed, however, for example when a backup server has restored a backup taken from the primary. In such cases master key rotation has to be provided; this will be covered in detail in a later article. For now, note that a server using several master keys, especially with a server-side key store, may take somewhat longer to start.
Now a little more about keyring_file. While developing keyring_file, I was also concerned with how to detect changes to the keyring file while the server is running. In 5.7 the check was based on file stats, which was not an ideal solution; in 8.0 it was replaced by a SHA256 checksum.
When keyring_file is first run, the file stats and checksum are computed and remembered by the server, and changes are applied only if they still match. Whenever the file is modified, the checksum is updated.
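To make the write protocol and the checksum check concrete, here is a small Python model written for this page; it is not the keyring_file plugin's code. The JSON file layout, the class and method names and the sample key values are assumptions. It follows the steps described above: copy the file to <name>.backup, change the cache, dump the cache back, and refuse to apply a change when the SHA256 of the file on disk no longer matches what the server remembered. A backup left behind by an interrupted write is cleared at the next load.

```python
import hashlib
import json
import os
import shutil
import tempfile


class FileKeyring:
    """Toy model (assumed names, not the plugin's code) of keyring_file's
    backup-then-dump write protocol and its SHA256 change detection."""

    def __init__(self, path):
        self.path = path
        self.backup_path = path + ".backup"
        self.cache = {}        # (key_id, user) -> {"type": ..., "key": ...}
        self.checksum = None   # SHA256 of the file as last seen by this server
        self.load()

    @staticmethod
    def _sha256(path):
        with open(path, "rb") as f:
            return hashlib.sha256(f.read()).hexdigest()

    def load(self):
        """Startup: drop a backup left by an interrupted write, read the whole
        file into the cache and remember its checksum."""
        if os.path.exists(self.backup_path):
            os.remove(self.backup_path)
        if not os.path.exists(self.path):
            with open(self.path, "w") as f:
                json.dump([], f)
        with open(self.path) as f:
            entries = json.load(f)
        self.cache = {(e["key_id"], e["user"]): {"type": e["type"], "key": e["key"]}
                      for e in entries}
        self.checksum = self._sha256(self.path)

    def file_changed_externally(self):
        """True when the file no longer matches the remembered checksum, i.e.
        something other than this server modified it."""
        return self._sha256(self.path) != self.checksum

    def _flush(self):
        """Backup copy first, then dump the already-modified cache, then refresh
        the checksum. A crash between the copy and the dump leaves the .backup
        file behind until the next load()."""
        shutil.copyfile(self.path, self.backup_path)
        entries = [{"key_id": k, "user": u, "type": v["type"], "key": v["key"]}
                   for (k, u), v in self.cache.items()]
        with open(self.path, "w") as f:
            json.dump(entries, f)
        self.checksum = self._sha256(self.path)
        os.remove(self.backup_path)   # modelling choice: success removes the backup

    def store(self, key_id, user, key_type, key_hex):
        """True on success; False if the file was changed externally or the
        (key_id, user) pair already exists."""
        if self.file_changed_externally() or (key_id, user) in self.cache:
            return False
        self.cache[(key_id, user)] = {"type": key_type, "key": key_hex}
        self._flush()
        return True

    def remove(self, key_id, user):
        if self.file_changed_externally() or (key_id, user) not in self.cache:
            return False
        del self.cache[(key_id, user)]
        self._flush()
        return True

    def fetch(self, key_id, user):
        entry = self.cache.get((key_id, user))
        return None if entry is None else entry["key"]


def run_demo():
    """Exercise the model in a temporary directory and return what was observed."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "my_biggest_secrets")
    open(path + ".backup", "w").close()   # constructed leftover from a "crash"
    kr = FileKeyring(path)
    results = {"stale_backup_removed": not os.path.exists(path + ".backup")}
    results["first_store"] = kr.store("ROB_1", "rob", "AES", "31323334")
    results["backup_after_store"] = os.path.exists(path + ".backup")
    results["duplicate_store"] = kr.store("ROB_1", "rob", "AES", "31323334")
    restarted = FileKeyring(path)          # a restart reloads everything from the file
    results["after_restart"] = restarted.fetch("ROB_1", "rob")
    with open(path, "a") as f:             # tamper with the file behind the server's back
        f.write(" ")
    results["tamper_detected"] = kr.file_changed_externally()
    results["store_after_tamper"] = kr.store("ROB_2", "rob", "AES", "00")
    return results
```

run_demo() shows the points the text makes: a duplicate (key_id, user) pair is rejected, a restart reloads the whole file into the cache, and once the file has been modified from outside the server refuses further writes instead of silently clobbering it.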
Many questions about Key Vault have already been covered. There is, however, one important topic that is often forgotten or misunderstood: sharing keys between servers.
What do I mean? Each server in a cluster (for example each Percona Server) needs its own separate location on the Vault server where it stores its keys. Each master key stored in the storage contains the GUID of the Percona server in its identifier. Why is this important? Imagine you have only one Vault server and every Percona server in the cluster uses that single Vault server. The problem seems obvious: if all Percona servers used master keys without a unique identifier, such as id = 1, id = 2 and so on, every server in the cluster would be using the same master key. What the GUID provides is the distinction between servers. If a unique GUID already exists, why talk about sharing keys between servers at all? There is another plugin, keyring_udf. With it, a server user can store their own keys on the Vault server. The problem arises when a user creates a key on server1 and then tries to create a key with the same ID on server2. Here is an example:
--server1:
select keyring_key_store('ROB_1','AES',"123456789012345");
1
-- 1 means success
--server2:
select keyring_key_store('ROB_1','AES',"543210987654321");
1
Wait! Both servers use the same Vault server; should keyring_key_store not fail on server2? Interestingly, trying the same thing on a single server does produce an error:
--server1:
select keyring_key_store('ROB_1','AES',"123456789012345");
1
select keyring_key_store('ROB_1','AES',"543210987654321");
0
Now ROB_1 already exists.
Let me first explain the second example, the one run on a single server. As mentioned earlier, keyring_vault (like any other keyring plugin) caches all key IDs in memory. So after the new key is created, ROB_1 is added on server1 not only by sending the key to Vault but also by adding it to the cache. When the same key is added again, keyring_vault checks whether the key is present in the cache and throws an error.
In the first case the situation is different. Server1 and server2 have separate caches. After ROB_1 is added to server1's key cache and to the Vault server, server2's key cache is out of sync: it has no ROB_1 key. So the ROB_1 key is written by keyring_key_store to the Vault server and in fact overwrites (!) the previous value. The ROB_1 key on the Vault server is now equal to 543210987654321. Interestingly, the Vault server does not block such an action; it simply overwrites the old value.
This is why partitioning the servers in Vault matters when user keys are stored in Vault with keyring_udf. How can this separation be achieved on the Vault server?
There are two ways to partition Vault: create a different mount point for each server, or use different paths within the same mount point. An example makes this clearer. Let us first look at separate mount points.
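As an added illustration (not code from the original article, from Percona or from HashiCorp), here is a small Python model of the two examples: a toy Vault stand-in that overwrites on write, as observed above, and one keyring instance per MySQL server, each with its own in-memory cache of key IDs that is filled at startup and consulted before writing. The class and function names, the secret path layout mount_point/<key_id>|<user> and the user name "rob" are assumptions; the partitioned scenario uses the per-server path separation that the text goes on to describe.

```python
class VaultServer:
    """Constructed stand-in for the Vault KV store: secret path -> value.
    A write to an existing path simply overwrites it, as the article observes."""

    def __init__(self):
        self.secrets = {}

    def write(self, path, value):
        self.secrets[path] = value

    def read(self, path):
        return self.secrets.get(path)

    def list_ids(self, prefix):
        """IDs of the secrets stored directly below a mount point / path."""
        return [p[len(prefix) + 1:] for p in self.secrets if p.startswith(prefix + "/")]


class KeyringVault:
    """Model (assumed names) of one server's keyring_vault plugin instance.
    Each server keeps its own cache of (key_id, user) pairs and consults only
    that cache before writing to Vault."""

    def __init__(self, vault, secret_mount_point):
        self.vault = vault
        self.mount = secret_mount_point
        # Startup: only IDs/users are loaded; key material is fetched lazily.
        self.cache = {}
        for secret_id in vault.list_ids(self.mount):
            key_id, user = secret_id.split("|", 1)
            self.cache[(key_id, user)] = None     # None = not fetched yet

    def _path(self, key_id, user):
        return f"{self.mount}/{key_id}|{user}"

    def keyring_key_store(self, key_id, key_type, key, user):
        """Mirrors keyring_key_store(): 1 on success, 0 if the (key_id, user)
        pair is already in this server's cache. 'user' is the invoking MySQL
        user, passed explicitly here for clarity."""
        if (key_id, user) in self.cache:
            return 0
        self.cache[(key_id, user)] = (key_type, key)
        self.vault.write(self._path(key_id, user), (key_type, key))
        return 1

    def keyring_key_fetch(self, key_id, user):
        if (key_id, user) not in self.cache:
            return None
        if self.cache[(key_id, user)] is None:    # lazy load on first use
            self.cache[(key_id, user)] = self.vault.read(self._path(key_id, user))
        return self.cache[(key_id, user)][1]


def shared_location_scenario():
    """Both servers share one mount point and path (the article's first example)."""
    vault = VaultServer()
    server1 = KeyringVault(vault, "mount_point")
    server2 = KeyringVault(vault, "mount_point")
    r1 = server1.keyring_key_store("ROB_1", "AES", "123456789012345", user="rob")
    r2 = server2.keyring_key_store("ROB_1", "AES", "543210987654321", user="rob")  # overwrites
    r3 = server1.keyring_key_store("ROB_1", "AES", "543210987654321", user="rob")  # cache hit
    # A server started after the first write sees ROB_1 in its cache and refuses it.
    restarted = KeyringVault(vault, "mount_point")
    r4 = restarted.keyring_key_store("ROB_1", "AES", "000000000000000", user="rob")
    # server1's cache still holds the old value while Vault holds server2's.
    return (r1, r2, r3, r4,
            server1.keyring_key_fetch("ROB_1", "rob"),
            vault.read("mount_point/ROB_1|rob")[1])


def partitioned_scenario():
    """Each server gets its own path below the mount point."""
    vault = VaultServer()
    server1 = KeyringVault(vault, "mount_point/server1")
    server2 = KeyringVault(vault, "mount_point/server2")
    r1 = server1.keyring_key_store("ROB_1", "AES", "123456789012345", user="rob")
    r2 = server2.keyring_key_store("ROB_1", "AES", "543210987654321", user="rob")
    return (r1, r2,
            vault.read("mount_point/server1/ROB_1|rob")[1],
            vault.read("mount_point/server2/ROB_1|rob")[1])
```

The shared scenario reproduces both outputs from the text (1, 1 across two servers; 1 then 0 on one server) and adds the detail that matters operationally: after the overwrite, server1's cached ROB_1 and the value in Vault disagree, and only a server that loads its IDs after the write sees the key. The partitioned scenario keeps both values intact.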
--server1:
vault_url = http://127.0.0.1:8200
secret_mount_point = server1_mount
token = (...)
vault_ca = (...)
--server2:
vault_url = http://127.0.0.1:8200
secret_mount_point = server2_mount
token = (...)
vault_ca = (...)
Here server1 and server2 use different mount points. With path separation the configuration looks like this:
--server1:
vault_url = http://127.0.0.1:8200
secret_mount_point = mount_point/server1
token = (...)
vault_ca = (...)
--server2:
vault_url = http://127.0.0.1:8200
secret_mount_point = mount_point/server2
token = (...)
vault_ca = (...)
In this case both servers use the same mount point, "mount_point", but different paths. When the first secret is created on server1 using this path, the Vault server automatically creates the "server1" directory; the same applies to server2. When the last secret under mount_point/server1 or mount_point/server2 is removed, the Vault server removes the corresponding directory. With path separation you only need to create one mount point and change the configuration files so that the servers use separate paths. A mount point can be created with an HTTP request; with curl it looks like this:
curl -L -H "X-Vault-Token: TOKEN" --cacert VAULT_CA \
  --data '{"type":"generic"}' --request POST VAULT_URL/v1/sys/mounts/SECRET_MOUNT_POINT
All the placeholders (TOKEN, VAULT_CA, VAULT_URL, SECRET_MOUNT_POINT) correspond to parameters in the configuration file. The same can of course be done with the vault utility, but automating mount point creation this way is easier. I hope this information is useful; see you in the next article of this series.
Source: habr.com