473,289 Members | 1,756 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes and contribute your articles to a community of 473,289 developers and data experts.

Basic Use of the Fully-encrypted Database

1 2Bits
1. Introduction to the Fully-encrypted Database Features
A fully-encrypted database aims to protect privacy throughout the data lifecycle. Data is always encrypted during transmission, computing, and storage regardless of the service scenario or environment. After the data owner encrypts data on the client and sends the encrypted data to the server, even if an attacker manages to exploit some system vulnerability and steal user data, they cannot obtain valuable information. Data privacy is protected.

2. Customer Benefits of the Fully-encrypted Database
The entire service data flow is encrypted during processing. A fully-encrypted database:

Protects data privacy and security throughout the lifecycle on the cloud. Attackers cannot obtain information from the database server regardless of the data status.
Helps cloud service providers earn the trust of third-party users. Users, including service administrators and O&M administrators in enterprise service scenarios and application developers in consumer cloud services, can keep the encryption keys themselves so that even users with high permissions cannot access unencrypted data.
Enables cloud databases to better comply with personal privacy protection laws and regulations.
3. Use of the Fully-encrypted Database
Currently, the fully-encrypted database supports two connection modes: gsql and JDBC. This chapter describes how to use the database in the two connection modes.

3.1 Connecting to a Fully-encrypted Database
Run the gsql -p PORT –d postgres -r –C command to enable the encryption function.
Parameter description:

-p indicates the port number. -d indicates the database name. -C indicates that the encryption function is enabled.

To support JDBC operations on a fully-encrypted database, set enable_ce to 1.
3.2 Creating a User Key
A fully-encrypted database has two types of keys: client master key (CMK) and data encryption key (CEK).

The CMK is used to encrypt the CEK. The CEK is used to encrypt user data.

Before creating a key, use gs_ktool to create a key ID for creating a CMK.

openGauss=# \! gs_ktool -g

The sequence and dependency of creating a key are as follows: creating a key ID > creating a CMK > creating a CEK.

3.2.1 Creating a CMK and a CEK in the GSQL Environment

[Creating a CMK]

CREATE CLIENT MASTER KEY client_master_key_name WITH (KEY_STORE = key_store_name, KEY_PATH = “key_path_value”, ALGORITHM = algorithm_type);

Parameter description:

client_master_key_name
This parameter is used as the name of a key object. In the same namespace, the value of this parameter must be unique.

Value range: a string. It must comply with the naming convention.

KEY_STORE
Tool or service that independently manages keys. Currently, only the key management tool gs_ktool provided by GaussDB Kenel and the online key management service huawei_kms provided by Huawei Cloud are supported. Value range: gs_ktool and huawei_kms

KEY_PATH
A key in the key management tool or service. The KEY_STORE and KEY_PATH parameters can be used to uniquely identify a key entity. When KEY_STORE is set to gs_ktool, the value is gs_ktool or KEY_ID. When KEY_STORE is set to huawei_kms, the value is a 36-byte key ID.

ALGORITHM
This parameter specifies the encryption algorithm used by the key entity. When KEY_STORE is set to gs_ktool, the value can be AES_256_CBC or SM4. When KEY_STORE is set to huawei_kms, the value is AES_256.

[Creating a CEK]

CREATE COLUMN ENCRYPTION KEY column_encryption_key_name WITH(CLIENT_MASTER_KEY = client_master_key_name, ALGORITHM = algorithm_type, ENCRYPTED_VALUE = encrypted_value);

Parameter description:

column_encryption_key_name
This parameter is used as the name of a key object. In the same namespace, the value of this parameter must be unique.

Value range: String, which must comply with the naming convention.

CLIENT_MASTER_KEY
Specifies the CMK used to encrypt the CEK. The value is the CMK object name, which is created using the CREATE CLIENT MASTER KEY syntax.

ALGORITHM
Encryption algorithm to be used by the CEK. The value can be AEAD_AES_256_CBC_HMAC_SHA256, AEAD_AES_128_CBC_HMAC_SHA256, or SM4_SM3.

ENCRYPTED_VALUE (optional)
A key password specified by a user. The key password length ranges from 28 to 256 bits. The derived 28-bit key meets the AES128 security requirements. If the user needs to use AES256, the key password length must be 39 bits. If the user does not specify the key password length, a 256-bit key is automatically generated.

[Example in the GSQL environment]





– (1) Use the key management tool gs_ktool to create a key. The tool returns the ID of the newly generated key.

[cmd] gs_ktool -g


– (2) Use a privileged account to create a common user named alice.

openGauss=# CREATE USER alice PASSWORD ‘********’;


– (3) Use the account of common user alice to connect to the encrypted database and execute the syntax.

gsql -p 57101 postgres -U alice -r -C


– Create a CMK object.

openGauss=> CREATE CLIENT MASTER KEY alice_cmk WITH ( KEY_STORE = gs_ktool , KEY_PATH = “gs_ktool/1” , ALGORITHM = AES_256_CBC);

– Create a CEK object.

openGauss=> CREATE COLUMN ENCRYPTION KEY a_cek WITH VALUES (CLIENT_MASTER_KEY = a_cmk, ALGORITHM = AEAD_AES_256_CBC_HMAC_SHA256);


openGauss=> CREATE COLUMN ENCRYPTION KEY another_cek WITH VALUES (CLIENT_MASTER_KEY = a_cmk, ALGORITHM = SM4_SM3);

3.2..2 Creating a CMK and a CEK in the JDBC Environment



// Create a CMK.

Connection conn = DriverManager.getConnection(“url”,“user”,“password ”);

Statement stmt = conn.createStatement();

int rc = stmt.executeUpdate(“CREATE CLIENT MASTER KEY ImgCMK1 WITH ( KEY_STORE = gs_ktool , KEY_PATH = \“gs_ktool/1\” , ALGORITHM = AES_256_CBC);”);


// Create a CEK.

int rc2 = stmt.executeUpdate(“CREATE COLUMN ENCRYPTION KEY ImgCEK1 WITH VALUES (CLIENT_MASTER_KEY = ImgCMK1, ALGORITHM = AEAD_AES_256_CBC_HMAC_SHA256);”);

3.3 Creating an Encrypted Table
After creating the CMK and CEK, you can use the CEK to create an encrypted table.

An encrypted table can be created in two modes: randomized encryption and deterministic encryption.

Creating an Encrypted Table in the GSQL Environment
[Example]



openGauss=# CREATE TABLE creditcard_info (id_number int,

name text encrypted with (column_encryption_key = ImgCEK, encryption_type = DETERMINISTIC),

credit_card varchar(19) encrypted with (column_encryption_key = ImgCEK1, encryption_type = DETERMINISTIC));

Parameter description:

ENCRYPTION_TYPE indicates the encryption type in the ENCRYPTED WITH constraint. The value of encryption_type_value can be DETERMINISTIC or RANDOMIZED.

Creating an Encrypted Table in the JDBC Environment



int rc3 = stmt.executeUpdate(“CREATE TABLE creditcard_info (id_number int, name varchar(50) encrypted with (column_encryption_key = ImgCEK1, encryption_type = DETERMINISTIC),credit_card varchar(19) encrypted with (column_encryption_key = ImgCEK1, encryption_type = DETERMINISTIC));”);

3.4 Inserting Data into the Encrypted Table and Querying the Data
After an encrypted table is created, you can insert and view data in the encrypted table in encrypted database mode (enabling the connection parameter -C). When the common environment (disabling the connection parameter -C) is used, operations cannot be performed on the encrypted table, and only ciphertext data can be viewed in the encrypted table.

Inserting Data into the Encrypted Table and Viewing the Data in the GSQL Environment



openGauss=# INSERT INTO creditcard_info VALUES (1,‘joe’,‘6217986500001288393’);

INSERT 0 1

openGauss=# INSERT INTO creditcard_info VALUES (2, ‘joy’,‘6219985678349800033’);

INSERT 0 1

openGauss=# select * from creditcard_info where name = ‘joe’;

id_number | name | credit_card

———–+——+———————

1 | joe | 6217986500001288393

(1 row)

Note: The data in the encrypted table is displayed in ciphertext when you use a non-encrypted client to view the data.



openGauss=# select id_number,name from creditcard_info;

id_number | name

———–+——————————————-

1 | \x011aefabd754ded0a536a96664790622487c4d36

2 | \x011aefabd76853108eb406c0f90e7c773b71648f

(2 rows)

Inserting Data into the Encrypted Table and Viewing the Data in the JDBC Environment




// Insert data.

int rc4 = stmt.executeUpdate(“INSERT INTO creditcard_info VALUES (1,‘joe’,‘6217986500001288393’);”);

// Query the encrypted table.

ResultSet rs = null;

rs = stmt.executeQuery(“select * from creditcard_info where name = ‘joe’;”);

// Close the statement object.

stmt.close();

The preceding describes how to use the fully-encrypted database features. For details, see the corresponding sections in the official document. However, for a common user, the functions described above are sufficient to ensure smooth implementation of daily work. In the future, fully-encrypted databases will evolve to be easier to use and provide higher performance. Stay tuned!
Jul 13 '22 #1
0 3834

Sign in to post your reply or Sign up for a free account.

Similar topics

1
by: Johnson | last post by:
Here's what I was doing, it is obviously stupid because i have exceeded the "too many fields defined error" I have to create a database driven application that allows students to update the...
2
by: Norm | last post by:
I have run into problems from time to time (and this is one of those times) using visual basic to access an external database and perform a basic select from statement. When the table is extremely...
3
by: jaYPee | last post by:
i am searching a lot of resources in the net that discusses about database programming. i'm still searching on it and would like to received any links that discusses about database programming in...
2
by: smartie_zhuo | last post by:
Hi,There Recently ,I bought "Beginning Visual Basic 6 Database Programming" by John Connell from second book store,According to book,I should download source code from Wrox website,But I cann't...
2
by: akoutoulakis | last post by:
I would like to make a database application with sqlserever or access. I search for an application sample (source code) with data forms,reports,search forms etc. Do you know any sample like this...
1
by: FlyingBuckner | last post by:
All right be kind, this is my first question on a forum. I need help on selecting the right software to purchase. I have a database set up using Access, 6 users. It is split into Tables and...
28
by: Randy Reimers | last post by:
(Hope I'm posting this correctly, otherwise - sorry!, don't know what else to do) I wrote a set of programs "many" years ago, running in a type of basic, called "Thoroughbred Basic", a type of...
1
by: Ronm | last post by:
Hey Guys, I have a problem which has been driving me crazy for the last days. I'm working on a small project involving: Visual Basic Acces Database ASP and adobe/macromedia Flash,
0
by: Laurynn | last post by:
# (ebook - pdf) - programming - mysql - php database applicati # (Ebook - Pdf)Learnkey How To Design A Database - Sql And Crystal Report # (ebook-pdf) E F Codd - Extending the Database Relational...
0
by: DolphinDB | last post by:
The formulas of 101 quantitative trading alphas used by WorldQuant were presented in the paper 101 Formulaic Alphas. However, some formulas are complex, leading to challenges in calculation. Take...
0
by: DolphinDB | last post by:
Tired of spending countless mintues downsampling your data? Look no further! In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
0
by: Aftab Ahmad | last post by:
Hello Experts! I have written a code in MS Access for a cmd called "WhatsApp Message" to open WhatsApp using that very code but the problem is that it gives a popup message everytime I clicked on...
0
by: ryjfgjl | last post by:
ExcelToDatabase: batch import excel into database automatically...
0
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
1
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: jfyes | last post by:
As a hardware engineer, after seeing that CEIWEI recently released a new tool for Modbus RTU Over TCP/UDP filtering and monitoring, I actively went to its official website to take a look. It turned...
0
by: ArrayDB | last post by:
The error message I've encountered is; ERROR:root:Error generating model response: exception: access violation writing 0x0000000000005140, which seems to be indicative of an access violation...
1
by: PapaRatzi | last post by:
Hello, I am teaching myself MS Access forms design and Visual Basic. I've created a table to capture a list of Top 30 singles and forms to capture new entries. The final step is a form (unbound)...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.