Encryption in MySQL: Keystore

Ahead of the start of a new run of the "Database" course, we have prepared a translation of a useful article for you.


Transparent Data Encryption (TDE) has been available in Percona Server for MySQL and MySQL for quite some time. But have you ever thought about how it works under the hood and what impact TDE can have on your server? In this series of articles we will look at how TDE works internally. Let's start with key storage, since it is required for any encryption to work at all. Then we will look more closely at how encryption works in Percona Server for MySQL/MySQL and what additional features Percona Server for MySQL has.

MySQL Keyring

Keyring plugins allow the server to query, create and delete keys in a local file (keyring_file) or on a remote server (such as HashiCorp Vault). Keys are always cached locally for fast retrieval.

The plugins can be divided into two categories:

  • Local storage. For example, a local file (we call this a file-based keyring).
  • Remote storage. For example, a Vault server (we call this a server-based keyring).

This distinction matters because the two storage types behave differently, not only when storing and retrieving keys but also at server startup.

With a file-based store, the entire contents of the store are loaded into the cache at startup: key id, key user, key type, and the key itself.

With a server-based store (such as Vault Server), only the key id and key user are loaded at startup, so fetching all the keys does not slow down startup. Keys are loaded lazily: the key itself is fetched from Vault only when it is actually needed. Once fetched, the key is cached in memory so that it does not have to be retrieved over a TLS connection to the Vault server again. Next, let's look at what information is kept in the key store.

The key information consists of the following:

  • key id - the key identifier, for example:
    INNODBKey-764d382a-7324-11e9-ad8f-9cb6d0d5dc99-1
  • key type - the key type, based on the encryption algorithm used; possible values: "AES", "RSA" or "DSA".
  • key length - the key length in bytes; AES: 16, 24 or 32, RSA 128, 256, 512 and DSA 128, 256 or 384.
  • user - the owner of the key. If the key is a system key, for example the Master Key, this field is empty. If the key was created with keyring_udf, this field identifies the owner of the key.
  • the key itself

A key is uniquely identified by the pair: key_id, user.

There are also differences in how keys are stored and deleted.

Storing to a file is faster. You might think that storing a key is just a single write of the key to the file, but no, there is more going on here. Whenever the keyring file is modified, a backup copy of its entire contents is created first. Say the file is called my_biggest_secrets; the backup copy will then be my_biggest_secrets.backup. Next the cache is modified (keys are added or removed) and, if everything succeeds, the cache is dumped to the file. In rare cases, such as a server crash, you may find this backup file on disk. The backup file is deleted the next time the keys are loaded (usually after the server is restarted).

When storing or deleting a key in a server-based store, the MySQL server has to connect to the store with a "send the key" / "request key deletion" command.

Let's return to server startup. Besides the fact that the initial load is handled by the store itself, there is also the question of how many keys have to be fetched from the store at startup. Of course, this matters mostly for a server-based store. At startup, the server determines which key is required for the encrypted tables/tablespaces and requests that key from the store. On a "clean" server with Master Key encryption there should be only one Master Key, which has to be fetched from the store. However, a larger number of keys may be needed, for example when a backup server is restoring a backup taken from the primary server. In such cases Master Key rotation should be provided. This will be covered in more detail in later articles, but here I want to note that a server that uses many Master Keys can take longer to start, especially when using a server-side key store.

Now a few words about keyring_file. When I was developing keyring_file, I was also concerned with how to track changes to the keyring_file while the server is running. In 5.7 the check was based on file stats, which was not a good solution, and in 8.0 it was replaced with a SHA256 checksum.

The first time keyring_file is run, the file stats and the checksum are computed and remembered by the server, and changes are applied only if they match. When the file changes, the checksum is updated.
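To make the backup-then-flush procedure and the change check concrete, here is an added Python model of a file-based keyring. It is not Percona's code: the JSON layout, the function names and the sample keys are constructed for illustration. It stores keys by first copying the file to a .backup, removes that backup on the next load, and compares a remembered (size, SHA-256) fingerprint, showing that an in-place edit of the same length is caught by the digest while the size alone would miss it.

```python
import hashlib
import json
import os
import tempfile

# Constructed toy model of a file-based keyring (added example, not Percona's
# code). On disk the keyring is JSON: {key_id: {"type", "user", "key"(hex)}}.

BACKUP_SUFFIX = ".backup"


def load_keyring(path):
    """Load the whole file into the in-memory cache, as a file-based keyring does
    at startup, and remove any .backup left behind by an earlier flush."""
    backup = path + BACKUP_SUFFIX
    if os.path.exists(backup):
        os.remove(backup)
    if not os.path.exists(path):
        return {}
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def store_key(path, cache, key_id, key_type, user, key_bytes):
    """Add one key: reject a duplicate id (keyring_key_store returns 0), back up
    the current file, update the cache, then dump the cache back to the file."""
    if key_id in cache:
        return False
    if os.path.exists(path):
        with open(path, "rb") as src, open(path + BACKUP_SUFFIX, "wb") as dst:
            dst.write(src.read())
    cache[key_id] = {"type": key_type, "user": user, "key": key_bytes.hex()}
    with open(path, "w", encoding="utf-8") as f:
        json.dump(cache, f)
    return True


def fingerprint(path):
    """Return (size, sha256 hex) of the file. Size is one of the stats 5.7 relied
    on; the SHA-256 digest is what 8.0 compares to detect an external change."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()


def run_demo():
    """Drive the model through store, backup, tamper and reload; return the
    observations as a dict so they can be checked."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "my_biggest_secrets")
        cache = load_keyring(path)
        first = store_key(path, cache, "ROB_1", "AES", "rob", bytes(16))
        remembered = fingerprint(path)  # what the server would remember
        dup = store_key(path, cache, "ROB_1", "AES", "rob", bytes(16))
        second = store_key(path, cache, "ROB_2", "AES", "rob", bytes(range(16)))
        backup_left = os.path.exists(path + BACKUP_SUFFIX)
        changed = fingerprint(path) != remembered
        after_store = fingerprint(path)
        # External same-length edit: flip one hex digit of ROB_2's key material.
        with open(path, "r+b") as f:
            data = bytearray(f.read())
            pos = data.rfind(b'"key": "') + len(b'"key": "')
            data[pos] = ord("f") if data[pos] != ord("f") else ord("e")
            f.seek(0)
            f.write(data)
        after_edit = fingerprint(path)
        reloaded = load_keyring(path)
        return {
            "first_store": first,
            "duplicate_rejected": not dup,
            "second_store": second,
            "backup_left_after_flush": backup_left,
            "changed_after_store": changed,
            "size_unchanged_by_edit": after_edit[0] == after_store[0],
            "sha_detects_edit": after_edit[1] != after_store[1],
            "backup_gone_after_load": not os.path.exists(path + BACKUP_SUFFIX),
            "keys_after_reload": len(reloaded),
        }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The backup is left in place after a flush and only cleaned up by the next load, mirroring why a crashed server can leave my_biggest_secrets.backup behind. Running the script prints one line per observation.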

We have already covered many questions about key stores. However, there is one more important issue that is often forgotten or misunderstood: sharing keys between servers.

What do I mean? Each server (for example, Percona Server) in a cluster should have a separate place on the Vault server where that Percona Server stores its keys. Every Master Key stored in the store carries the Percona Server's GUID inside its identifier. Why is this important? Imagine you have only one Vault server and all the Percona Servers in the cluster use that same Vault server. The problem seems obvious. If all the Percona Servers used Master Keys without unique identifiers, such as id = 1, id = 2, and so on, then all the servers in the cluster would use the same Master Key. The GUID is what distinguishes the servers. So why talk about sharing keys between servers if a unique GUID already exists? There is another plugin: keyring_udf. With this plugin, a user of your server can store their own keys on the Vault server. The problem arises when a user creates a key on server1, for example, and then tries to create a key with the same ID on server2, for example:

--server1:
select keyring_key_store('ROB_1','AES',"123456789012345");
1
--1 means success
--server2:
select keyring_key_store('ROB_1','AES',"543210987654321");
1

Wait. Both servers use the same Vault server, so shouldn't the keyring_key_store function fail on server2? Interestingly, if you try to do the same thing on a single server, you do get an error:

--server1:
select keyring_key_store('ROB_1','AES',"123456789012345");
1
select keyring_key_store('ROB_1','AES',"543210987654321");
0

That's right, ROB_1 already exists.

Let's discuss the second example first. As mentioned earlier, keyring_vault, like any other keyring plugin, caches all key IDs in memory. So after creating a new key, ROB_1 is added on server1 and, besides being sent to Vault, the key is also added to the cache. Now, when we try to add the same key a second time, keyring_vault checks whether the key already exists in the cache and raises an error.

In the first case the situation is different. server1 and server2 have separate caches. After ROB_1 is added to the key cache on server1 and to the Vault server, the key cache on server2 is not synchronized: there is no ROB_1 key in the cache on server2. So the ROB_1 key passes keyring_key_store and is written to the Vault server, which overwrites (!) the previous value. Now the ROB_1 key on the Vault server is 543210987654321. Notably, the Vault server does not prevent such actions and simply overwrites the old value.

Now we can see why partitioning servers in Vault can be important: whenever you use keyring_udf and want to store keys in Vault. How do you achieve this partitioning on the Vault server?

There are two ways to partition in Vault. You can create a separate mount point for each server, or use different paths within one mount point. This is best shown with examples. So let's look at separate mount points first:

--server1:
vault_url = http://127.0.0.1:8200
secret_mount_point = server1_mount
token = (...)
vault_ca = (...)

--server2:
vault_url = http://127.0.0.1:8200
secret_mount_point = sever2_mount
token = (...)
vault_ca = (...)

Here you can see that server1 and server2 use different mount points. With path separation, the configuration would look like this:

--server1:
vault_url = http://127.0.0.1:8200
secret_mount_point = mount_point/server1
token = (...)
vault_ca = (...)
--server2:
vault_url = http://127.0.0.1:8200
secret_mount_point = mount_point/sever2
token = (...)
vault_ca = (...)

In this case both servers use the same mount point, "mount_point", but different paths. When you create the first secret on server1 using this path, the Vault server automatically creates the "server1" directory. The same applies to server2. When you delete the last secret in mount_point/server1 or mount_point/server2, the Vault server removes those directories as well. If you use path separation, you only need to create a single mount point and change the configuration files so that the servers use different paths. The mount point can be created with an HTTP request. Using CURL this can be done as follows:
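The following added Python model ties together the two keyring_udf scenarios above (the same id stored twice on one server versus once on each of two servers) and the path separation just described. It is not Percona's or HashiCorp's code: FakeVault, Server and the 15-character sample keys are constructed for illustration, and the secret_mount_point values are the ones from the article's configuration examples. Each Server keeps its own cache of key ids in front of one shared FakeVault, fetches key material lazily, and rejects only ids already in its own cache.

```python
# Constructed model (added example, not Percona's or HashiCorp's code) of a
# keyring_vault-style plugin: each server keeps its own cache of key ids in
# front of one shared Vault server, and keyring_key_store refuses only the ids
# that are already in the local cache.


class FakeVault:
    """Stand-in for a Vault secrets mount: a dict of path -> secret. Like the
    real server, writing to an existing path silently overwrites it."""

    def __init__(self):
        self.secrets = {}
        self.overwrites = 0

    def write(self, path, value):
        if path in self.secrets:
            self.overwrites += 1
        self.secrets[path] = value

    def read(self, path):
        return self.secrets.get(path)

    def list_ids(self, prefix):
        return [p[len(prefix):] for p in self.secrets if p.startswith(prefix)]


class Server:
    """One MySQL server. secret_mount_point is the value from its keyring
    config; key ids are cached at startup, key material is fetched lazily."""

    def __init__(self, vault, secret_mount_point):
        self.vault = vault
        self.prefix = secret_mount_point.rstrip("/") + "/"
        self.cache = {kid: None for kid in vault.list_ids(self.prefix)}

    def keyring_key_store(self, key_id, key_type, key):
        if key_id in self.cache:
            return 0  # duplicate id in this server's cache
        self.cache[key_id] = (key_type, key)
        self.vault.write(self.prefix + key_id, (key_type, key))
        return 1

    def keyring_key_fetch(self, key_id):
        if key_id not in self.cache:
            return None
        if self.cache[key_id] is None:  # first use: pull the key from Vault
            self.cache[key_id] = self.vault.read(self.prefix + key_id)
        return self.cache[key_id][1]


def same_server_twice():
    """Second example in the article: the duplicate is caught by the cache."""
    s1 = Server(FakeVault(), "mount_point")
    return (s1.keyring_key_store("ROB_1", "AES", "123456789012345"),
            s1.keyring_key_store("ROB_1", "AES", "543210987654321"))


def shared_mount_point():
    """First example: both servers share mount_point, so server2's store
    succeeds and replaces server1's ROB_1 in Vault. server1 keeps serving its
    cached value until it restarts, after which it lazily loads server2's key."""
    vault = FakeVault()
    s1 = Server(vault, "mount_point")
    s2 = Server(vault, "mount_point")
    r1 = s1.keyring_key_store("ROB_1", "AES", "123456789012345")
    r2 = s2.keyring_key_store("ROB_1", "AES", "543210987654321")
    s1_restarted = Server(vault, "mount_point")
    return (r1, r2, s1.keyring_key_fetch("ROB_1"),
            s1_restarted.keyring_key_fetch("ROB_1"), vault.overwrites)


def separated_paths():
    """Path separation as in the article's second config: mount_point/server1
    and mount_point/server2. Each server keeps its own ROB_1; nothing is overwritten."""
    vault = FakeVault()
    s1 = Server(vault, "mount_point/server1")
    s2 = Server(vault, "mount_point/server2")
    r1 = s1.keyring_key_store("ROB_1", "AES", "123456789012345")
    r2 = s2.keyring_key_store("ROB_1", "AES", "543210987654321")
    s1_restarted = Server(vault, "mount_point/server1")
    return (r1, r2, s1_restarted.keyring_key_fetch("ROB_1"),
            sorted(vault.secrets), vault.overwrites)


if __name__ == "__main__":
    print("same server twice:", same_server_twice())
    print("shared mount point:", shared_mount_point())
    print("separated paths:", separated_paths())
```

The restart step in shared_mount_point is the part worth noticing: the overwrite is invisible to server1 while its cache is warm and only surfaces after a restart, when the lazy fetch returns server2's key. Using one mount point per server instead of per-server paths gives the same result as separated_paths, with each server's FakeVault instance standing for a different mount. (When creating the mount with the sys/mounts request shown in the article, note that current Vault releases call the secrets engine type "kv" rather than "generic".)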

curl -L -H "X-Vault-Token: TOKEN" --cacert VAULT_CA \
--data '{"type":"generic"}' --request POST VAULT_URL/v1/sys/mounts/SECRET_MOUNT_POINT

All the placeholders (TOKEN, VAULT_CA, VAULT_URL, SECRET_MOUNT_POINT) correspond to the parameters in the configuration file. Of course, you can use the Vault tools to do the same thing. But it is easier to automate the creation of the mount point this way. I hope you find this information useful, and see you in the next articles of this series.


Source: www.habr.com