Mike's blog

Basic Use of the Fully-encrypted Database

Mike's photo
Mike
·

5 min read

1. Introduction to the Fully-encrypted Database Features

A fully-encrypted database aims to protect privacy throughout the data lifecycle. Data is always encrypted during transmission, computing, and storage regardless of the service scenario or environment. After the data owner encrypts data on the client and sends the encrypted data to the server, even if an attacker manages to exploit some system vulnerability and steal user data, they cannot obtain valuable information. Data privacy is protected.

2. Customer Benefits of the Fully-encrypted Database

The entire service data flow is encrypted during processing. A fully-encrypted database:

  1. Protects data privacy and security throughout the lifecycle on the cloud. Attackers cannot obtain information from the database server regardless of the data status.

  2. Helps cloud service providers earn the trust of third-party users. Users, including service administrators and O&M administrators in enterprise service scenarios and application developers in consumer cloud services, can keep the encryption keys themselves so that even users with high permissions cannot access unencrypted data.

  3. Enables cloud databases to better comply with personal privacy protection laws and regulations.

3. Use of the Fully-encrypted Database

Currently, the fully-encrypted database supports two connection modes: gsql and JDBC. This chapter describes how to use the database in the two connection modes.

3.1 Connecting to a Fully-encrypted Database

  1. Run the gsql -p PORT –d postgres -r –C command to enable the encryption function.

Parameter description:

-p indicates the port number. -d indicates the database name. -C indicates that the encryption function is enabled.

  1. To support JDBC operations on a fully-encrypted database, set enable_ce to 1.

3.2 Creating a User Key

A fully-encrypted database has two types of keys: client master key (CMK) and data encryption key (CEK).

The CMK is used to encrypt the CEK. The CEK is used to encrypt user data.

Before creating a key, use gs_ktool to create a key ID for creating a CMK.

openGauss=# \! gs_ktool -g

The sequence and dependency of creating a key are as follows: creating a key ID > creating a CMK > creating a CEK.

  • 1. Creating a CMK and a CEK in the GSQL Environment

  • [Creating a CMK]

    CREATE CLIENT MASTER KEY client_master_key_name WITH (KEY_STORE = key_store_name, KEY_PATH = "key_path_value", ALGORITHM = algorithm_type);

    Parameter description:

    • client_master_key_name

This parameter is used as the name of a key object. In the same namespace, the value of this parameter must be unique.

Value range: a string. It must comply with the naming convention.

  • KEY_STORE

Tool or service that independently manages keys. Currently, only the key management tool gs_ktool provided by GaussDB Kenel and the online key management service huawei_kms provided by Huawei Cloud are supported. Value range: gs_ktool and huawei_kms

  • KEY_PATH

A key in the key management tool or service. The KEY_STORE and KEY_PATH parameters can be used to uniquely identify a key entity. When KEY_STORE is set to gs_ktool, the value is gs_ktool or KEY_ID. When KEY_STORE is set to huawei_kms, the value is a 36-byte key ID.

  • ALGORITHM

This parameter specifies the encryption algorithm used by the key entity. When KEY_STORE is set to gs_ktool, the value can be AES_256_CBC or SM4. When KEY_STORE is set to huawei_kms, the value is AES_256.

  • [Creating a CEK]

    CREATE COLUMN ENCRYPTION KEY column_encryption_key_name WITH(CLIENT_MASTER_KEY = client_master_key_name, ALGORITHM = algorithm_type, ENCRYPTED_VALUE = encrypted_value);

    Parameter description:

    • column_encryption_key_name

This parameter is used as the name of a key object. In the same namespace, the value of this parameter must be unique.

Value range: String, which must comply with the naming convention.

  • CLIENT_MASTER_KEY

Specifies the CMK used to encrypt the CEK. The value is the CMK object name, which is created using the CREATE CLIENT MASTER KEY syntax.

  • ALGORITHM

Encryption algorithm to be used by the CEK. The value can be AEAD_AES_256_CBC_HMAC_SHA256, AEAD_AES_128_CBC_HMAC_SHA256, or SM4_SM3.

  • ENCRYPTED_VALUE (optional)

A key password specified by a user. The key password length ranges from 28 to 256 bits. The derived 28-bit key meets the AES128 security requirements. If the user needs to use AES256, the key password length must be 39 bits. If the user does not specify the key password length, a 256-bit key is automatically generated.

[Example in the GSQL environment]

1

-- (1) Use the key management tool gs_ktool to create a key. The tool returns the ID of the newly generated key.

  • 2. Creating a CMK and a CEK in the JDBC Environment

    1

    // Create a CMK.

3.3 Creating an Encrypted Table

After creating the CMK and CEK, you can use the CEK to create an encrypted table.

An encrypted table can be created in two modes: randomized encryption and deterministic encryption.

  • Creating an Encrypted Table in the GSQL Environment

[Example]

1

openGauss=# CREATE TABLE creditcard_info (id_number int,

Parameter description:

ENCRYPTION_TYPE indicates the encryption type in the ENCRYPTED WITH constraint. The value of encryption_type_value can be DETERMINISTIC or RANDOMIZED.

  • Creating an Encrypted Table in the JDBC Environment

1

int rc3 = stmt.executeUpdate("CREATE TABLE creditcard_info (id_number int, name varchar(50) encrypted with (column_encryption_key = ImgCEK1, encryption_type = DETERMINISTIC),credit_card varchar(19) encrypted with (column_encryption_key = ImgCEK1, encryption_type = DETERMINISTIC));");

3.4 Inserting Data into the Encrypted Table and Querying the Data

After an encrypted table is created, you can insert and view data in the encrypted table in encrypted database mode (enabling the connection parameter -C). When the common environment (disabling the connection parameter -C) is used, operations cannot be performed on the encrypted table, and only ciphertext data can be viewed in the encrypted table.

  • Inserting Data into the Encrypted Table and Viewing the Data in the GSQL Environment

    1

    openGauss=# INSERT INTO creditcard_info VALUES (1,'joe','6217986500001288393');

    Note: The data in the encrypted table is displayed in ciphertext when you use a non-encrypted client to view the data.

    1

    openGauss=# select id_number,name from creditcard_info;

  • Inserting Data into the Encrypted Table and Viewing the Data in the JDBC Environment

    1

    // Insert data.

    The preceding describes how to use the fully-encrypted database features. For details, see the corresponding sections in the official document. However, for a common user, the functions described above are sufficient to ensure smooth implementation of daily work. In the future, fully-encrypted databases will evolve to be easier to use and provide higher performance. Stay tuned!

opengauss