The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards

Transcription

1 ADVANCED PERSISTENT THREAT BACKDOOR BOTNET BRUTE-FORCE BUFFER OVERFLOW CLICKJACKING CROSS-SITE REQUEST FORGERY CROSS-SITE SCRIPTING CVE DATA LEAK DENIAL OF SERVICE DUQU EAVESDROPPING EXPLOIT FRAUD HACKERS HEARTBLEED INSIDERS KEYLOGGER MALWARE MAN IN THE MIDDLE METASPLOIT PAYLOAD PHISHING POODLE PRIVILEGE ESCALATION PWNED RETURN ORIENTED PROGRAMMING ROOTKIT SCRIPT KIDDIES SHELLSHOCK SNIFFER SOCIAL ENGINEERING SPOOFING SQL INJECTION STAGEFRIGHT STUXNET TROJAN TYPOSQUATTING VULNERABILITY WE ALL DIE ADVANCED PERSISTENT THREAT BACKDOOR BOTNET BRUTE-FORCE i n M BUFFER a r OVERFLOW i a D B CLICKJACKING 1 0 CROSS-SITE. 1 REQUEST FORGERY CROSS-SITE SCRIPTING CVE DATA LEAK DENIAL OF SERVICE DUQU EAVESDROPPING EXPLOIT FRAUD HACKERS HEARTBLEED INSIDERS KEYLOGGER MALWARE MAN IN THE MIDDLE METASPLOIT PAYLOAD PHISHING POODLE PRIVILEGE ESCALATION PWNED RETURN Sergei Golubchik, Chief Architect MariaDB Data at Rest Encryption in MariaDB 10.1 D aa tt aa aa tt R Serrgeii Gollub chiik Chii eff Arrcchiitt ecctt M arrii adb SCRIPTING CVE DATA LEAK DENIAL OF SERVICE DUQU EAVESDROPPING EXPLOIT FRAUD HACKERS HEARTBLEED INSIDERS KEYLOGGER MALWARE MAN IN THE MIDDLE METASPLOIT PAYLOAD PHISHING POODLE PRIVILEGE ESCALATION PWNED RETURN ORIENTED PROGRAMMING ROOTKIT SCRIPT KIDDIES SHELLSHOCK SNIFFER SOCIAL ENGINEERING SPOOFING SQL INJECTION STAGEFRIGHT STUXNET TROJAN TYPOSQUATTING VULNERABILITY S WE ALL E DIE C U R II T Y The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards 1 of 9 12/21/15, 11:39 AM

2 D aa tt aa aa tt R Percona Live Europe 2015: Data at Rest Encryption in Maria... and even then I have my doubts. Eugene H. Spafford, 1989 T h rr e a tt m o d e ll SQL iinjje cttiionss,, XSS, D i i ss p l aa cc ee d H D D,, Sttandarrdss,, pollii ciiess,, g u ii d e ll ii n e s In the Application In the Database 2 of 9 12/21/15, 11:39 AM

3 In the Filesystem Applliicc attiion ll e v ell enccrryptt Most flexible (per-user, per-column, per-table) Nobody on database server can see the data Costly to implement Allows only a very limited subset of queries No data manipulations (SELECT * FROM t1) Only = and <=> (deterministic encryption) ORDER BY and <, > (order preserving encryption) Fiille sy sttem llevell encrrypttiion Full power of DBMS is available Easy to implement Any local user (and malware) can access the data (file access permissions help, but not 3 of 9 12/21/15, 11:39 AM

4 always possible) Does not protect against malicious root user Cannot be done per-user or per-table D aa tt aa b aa ss ee l l ee vv ee l l ee n cc rr Full power of DBMS is available Easy to implement Only database can see the data Per-table encryption, per-table keys, performance Cannot be done per-user Does not protect against malicious root user I n M a r i a D B D aa tt aa aa tt rr ee ss t O nn tt hh ee d aa tt aa 4 of 9 12/21/15, 11:39 AM

5 D aa tt aa not metadata not configs not in transfer not in memory C o n cc e p tt ss En crrypttiion key,, key i K e y rr o tt a tt ii o n,, k e E n c rr y p tt ii o n p ll u g ii n,, k e y U ss ee K rr e y m a n a g specifies key id defines the policy specifies key version implements the policy 5 of 9 12/21/15, 11:39 AM

6 W hh aa t t i i ss ee nn cc r Percona Live Europe 2015: Data at Rest Encryption in Maria... XtraDB/InnoDB tablespaces XtraDB/InnoDB log files Binary logs Aria tables Temporary files En crrypttiion pllugiin s Implement encryption and key management f ii l e _ k e y _ m a n a g e m e n tplugin keys are stored in a file static keys, no rotation Very simple API g e tt _ ll a tt e s tt _ k e y _ v e rr s ii o n (( II D )) g e tt _ k e y (( II D,, V E R S II O N )) A p rr o p o ss XtraDB/InnoDB page compression XtraDB/InnoDB data scrubbing 6 of 9 12/21/15, 11:39 AM

7 H oo w tt oo E n a b ll ii n g Serr verr p ll u g ii n s varriiablless S Q L c o m m a n d ss P ll u g ii n ss [mariadb] plugin-load-add=file_key_management file_key_management_filename=/mnt/usb/secret.txt file_key_management_encryption_algorithm=aes_ctr S e rr v e rr [mariadb] innodb-encrypt-tables innodb-encrypt-log aria-encrypt-tables encrypt-tmp-disk-tables encrypt-tmp-files encrypt-binlog!include enable_encryption.preset S Q L (( o p tt ii o n a ll )) 7 of 9 12/21/15, 11:39 AM

8 Q uu ee ss tt i i o Percona Live Europe 2015: Data at Rest Encryption in Maria... CREATE TABLE secret ( id int, value varchar(255) ) ENCRYPTED=YES ENCRYPTION_KEY_ID=17; CREATE TABLE public ( id int, value varchar(255) ) ENCRYPTED=NO; Xttrr adb / IInnoDB (( opttiion all )) [mariadb] innodb-encrypt-tables = FORCE innodb-default-encryption-key-id = 11 innodb-encryption-threads = 4 innodb-encryption-rotation-iops = 200 innodb-encryption-rotate-key-age = 2 B e n cc h m a rr k ss XtraDB/InnoDB encryption: < 1 % (ro) (rw) % Temporary files encryption: % (filesort) Binary log encryption: < 4 % 8 of 9 12/21/15, 11:39 AM

9 T h a n k y o u!! 9 of 9 12/21/15, 11:39 AM