search
sun-outline
light
Blogchevron-rightBasic Use of the Fully-encrypted Database

Basic Use of the Fully-encrypted Database

Jinxiang Xiao2021-10-16Basic Use of the Fully-encrypted Database

Basic Use of the Fully-encrypted Database

1. Introduction to the Fully-encrypted Database Features

A fully-encrypted database aims to protect privacy throughout the data lifecycle. Data is always encrypted during transmission, computing, and storage regardless of the service scenario or environment. After the data owner encrypts data on the client and sends the encrypted data to the server, even if an attacker manages to exploit some system vulnerability and steal user data, they cannot obtain valuable information. Data privacy is protected.

2. Customer Benefits of the Fully-encrypted Database

The entire service data flow is encrypted during processing. A fully-encrypted database:

  1. Protects data privacy and security throughout the lifecycle on the cloud. Attackers cannot obtain information from the database server regardless of the data status.
  2. Helps cloud service providers earn the trust of third-party users. Users, including service administrators and O&M administrators in enterprise service scenarios and application developers in consumer cloud services, can keep the encryption keys themselves so that even users with high permissions cannot access unencrypted data.
  3. Enables cloud databases to better comply with personal privacy protection laws and regulations.

3. Use of the Fully-encrypted Database

Currently, the fully-encrypted database supports two connection modes: gsql and JDBC. This chapter describes how to use the database in the two connection modes.

3.1 Connecting to a Fully-encrypted Database

  1. Run the gsql -p PORT –d postgres -r –C command to enable the encryption function.

Parameter description:

-p indicates the port number. -d indicates the database name. -C indicates that the encryption function is enabled.

  1. To support JDBC operations on a fully-encrypted database, set enable_ce to 1.

3.2 Creating a User Key

A fully-encrypted database has two types of keys: client master key (CMK) and data encryption key (CEK).

The CMK is used to encrypt the CEK. The CEK is used to encrypt user data.

Before creating a key, use gs_ktool to create a key ID for creating a CMK.

openGauss=# \! gs_ktool -g

The sequence and dependency of creating a key are as follows: creating a key ID > creating a CMK > creating a CEK.

  • 1. Creating a CMK and a CEK in the GSQL Environment

  • [Creating a CMK]

    CREATE CLIENT MASTER KEY client_master_key_name WITH (KEY_STORE = key_store_name, KEY_PATH = "key_path_value", ALGORITHM = algorithm_type);

    Parameter description:

    • client_master_key_name

    This parameter is used as the name of a key object. In the same namespace, the value of this parameter must be unique.

    Value range: a string. It must comply with the naming convention.

    • KEY_STORE

    Tool or service that independently manages keys. Currently, only the key management tool gs_ktool provided by GaussDB Kenel and the online key management service huawei_kms provided by Huawei Cloud are supported. Value range: gs_ktool and huawei_kms

    • KEY_PATH

    A key in the key management tool or service. The KEY_STORE and KEY_PATH parameters can be used to uniquely identify a key entity. When KEY_STORE is set to gs_ktool, the value is gs_ktool or KEY_ID. When KEY_STORE is set to huawei_kms, the value is a 36-byte key ID.

    • ALGORITHM

    This parameter specifies the encryption algorithm used by the key entity. When KEY_STORE is set to gs_ktool, the value can be AES_256_CBC or SM4. When KEY_STORE is set to huawei_kms, the value is AES_256.

  • [Creating a CEK]

    CREATE COLUMN ENCRYPTION KEY column_encryption_key_name WITH(CLIENT_MASTER_KEY = client_master_key_name, ALGORITHM = algorithm_type, ENCRYPTED_VALUE = encrypted_value);

    Parameter description:

    • column_encryption_key_name

    This parameter is used as the name of a key object. In the same namespace, the value of this parameter must be unique.

    Value range: String, which must comply with the naming convention.

    • CLIENT_MASTER_KEY

    Specifies the CMK used to encrypt the CEK. The value is the CMK object name, which is created using the CREATE CLIENT MASTER KEY syntax.

    • ALGORITHM

    Encryption algorithm to be used by the CEK. The value can be AEAD_AES_256_CBC_HMAC_SHA256, AEAD_AES_128_CBC_HMAC_SHA256, or SM4_SM3.

    • ENCRYPTED_VALUE (optional)

    A key password specified by a user. The key password length ranges from 28 to 256 bits. The derived 28-bit key meets the AES128 security requirements. If the user needs to use AES256, the key password length must be 39 bits. If the user does not specify the key password length, a 256-bit key is automatically generated.

    [Example in the GSQL environment]

    1

    2

    3

    4

    5

    6

    7

    8

    9

    10

    11

    -- (1) Use the key management tool gs_ktool to create a key. The tool returns the ID of the newly generated key.

    [cmd] gs_ktool -g

    -- (2) Use a privileged account to create a common user named alice.

    openGauss=# CREATE USER alice PASSWORD '********';

    -- (3) Use the account of common user alice to connect to the encrypted database and execute the syntax.

    gsql -p 57101 postgres -U alice -r -C

    -- Create a CMK object.

    openGauss=> CREATE CLIENT MASTER KEY alice_cmk WITH ( KEY_STORE = gs_ktool , KEY_PATH = "gs_ktool/1" , ALGORITHM = AES_256_CBC);

    -- Create a CEK object.

    openGauss=> CREATE COLUMN ENCRYPTION KEY a_cek WITH VALUES (CLIENT_MASTER_KEY = a_cmk, ALGORITHM = AEAD_AES_256_CBC_HMAC_SHA256);

    openGauss=> CREATE COLUMN ENCRYPTION KEY another_cek WITH VALUES (CLIENT_MASTER_KEY = a_cmk, ALGORITHM = SM4_SM3);

  • 2. Creating a CMK and a CEK in the JDBC Environment

    1

    2

    3

    4

    5

    6

    7

    8

    // Create a CMK.

    Connection conn = DriverManager.getConnection("url","user","password");

    Statement stmt = conn.createStatement();

    int rc = stmt.executeUpdate("CREATE CLIENT MASTER KEY ImgCMK1 WITH ( KEY_STORE = gs_ktool , KEY_PATH = \"gs_ktool/1\" , ALGORITHM = AES_256_CBC);");

    // Create a CEK.

    int rc2 = stmt.executeUpdate("CREATE COLUMN ENCRYPTION KEY ImgCEK1 WITH VALUES (CLIENT_MASTER_KEY = ImgCMK1, ALGORITHM = AEAD_AES_256_CBC_HMAC_SHA256);");

3.3 Creating an Encrypted Table

After creating the CMK and CEK, you can use the CEK to create an encrypted table.

An encrypted table can be created in two modes: randomized encryption and deterministic encryption.

  • Creating an Encrypted Table in the GSQL Environment

[Example]

1

2

3

openGauss=# CREATE TABLE creditcard_info (id_number int,

name text encrypted with (column_encryption_key = ImgCEK, encryption_type = DETERMINISTIC),

credit_card varchar(19) encrypted with (column_encryption_key = ImgCEK1, encryption_type = DETERMINISTIC));

Parameter description:

ENCRYPTION_TYPE indicates the encryption type in the ENCRYPTED WITH constraint. The value of encryption_type_value can be DETERMINISTIC or RANDOMIZED.

  • Creating an Encrypted Table in the JDBC Environment

1

2

int rc3 = stmt.executeUpdate("CREATE TABLE creditcard_info (id_number int, name varchar(50) encrypted with (column_encryption_key = ImgCEK1, encryption_type = DETERMINISTIC),credit_card varchar(19) encrypted with (column_encryption_key = ImgCEK1, encryption_type = DETERMINISTIC));");

3.4 Inserting Data into the Encrypted Table and Querying the Data

After an encrypted table is created, you can insert and view data in the encrypted table in encrypted database mode (enabling the connection parameter -C). When the common environment (disabling the connection parameter -C) is used, operations cannot be performed on the encrypted table, and only ciphertext data can be viewed in the encrypted table.

  • Inserting Data into the Encrypted Table and Viewing the Data in the GSQL Environment

    1

    2

    3

    4

    5

    6

    7

    8

    9

    openGauss=# INSERT INTO creditcard_info VALUES (1,'joe','6217986500001288393');

    INSERT 0 1

    openGauss=# INSERT INTO creditcard_info VALUES (2, 'joy','6219985678349800033');

    INSERT 0 1

    openGauss=# select * from creditcard_info where name = 'joe';

    id_number | name | credit_card

    -----------+------+---------------------

    1 | joe | 6217986500001288393

    (1 row)

    Note: The data in the encrypted table is displayed in ciphertext when you use a non-encrypted client to view the data.

    1

    2

    3

    4

    5

    6

    openGauss=# select id_number,name from creditcard_info;

    id_number | name

    -----------+-------------------------------------------

    1 | \x011aefabd754ded0a536a96664790622487c4d36

    2 | \x011aefabd76853108eb406c0f90e7c773b71648f

    (2 rows)

  • Inserting Data into the Encrypted Table and Viewing the Data in the JDBC Environment

    1

    2

    3

    4

    5

    6

    7

    // Insert data.

    int rc4 = stmt.executeUpdate("INSERT INTO creditcard_info VALUES (1,'joe','6217986500001288393');");

    // Query the encrypted table.

    ResultSet rs = null;

    rs = stmt.executeQuery("select * from creditcard_info where name = 'joe';");

    // Close the statement object.

    stmt.close();

    The preceding describes how to use the fully-encrypted database features. For details, see the corresponding sections in the official document. However, for a common user, the functions described above are sufficient to ensure smooth implementation of daily work. In the future, fully-encrypted databases will evolve to be easier to use and provide higher performance. Stay tuned!