Updated on 2024-07-04 GMT+08:00

Overview

As enterprise data is migrated to the cloud, data security and privacy protection are facing increasingly severe challenges. The encrypted database will solve the privacy protection issues in the entire data lifecycle, covering network transmission, data storage, and data running status. Furthermore, the encrypted database can implement data privacy permission separation in a cloud scenario, that is, separate data owners from data administrators in terms of the read permission. The encrypted equality query is used to solve equality query issues of ciphertext data.

Encryption Model

A fully-encrypted database uses a multi-level encryption model. The functions of keys in different encryption scenarios are as follows:

  • Data: The encrypted database encrypts data of an encrypted column in SQL statements and decrypts the query result of the encrypted column returned by the database server.
  • Column key: Data is encrypted by a column key, and the column key is encrypted by a master key. The column key ciphertext is stored on the database server.
  • Master key: It is generated and stored in the external key management service. The database driver automatically accesses the external key management service to encrypt and decrypt column keys.

Overall Process

The process of using a fully-encrypted database consists of the following five phases. This section describes the overall process. Using gsql to Operate an Encrypted Database and Using JDBC to Operate an Encrypted Database describe the detailed process.

  1. Preparation phase: First, you need to generate a master key in the external key management service. External key management services include Huawei Cloud key management service. Select one of them as required.
  2. Configuration phase: In an application, environment variables or database driver parameters are used to set information for accessing external key management service. In subsequent operations, the database driver needs to use the configuration information in this phase to access external key management service.
  3. DDL statement execution phase: In this phase, you need to use the key syntax of the encrypted database to define a master key and a column key, define a table, and specify a column in the table as an encrypted column.
  4. DML statement execution phase: After an encrypted table is created, you can directly execute syntax including but not limited to INSERT, SELECT, UPDATE, and DELETE. The database driver automatically encrypts and decrypts data of the encrypted column based on the encryption definition in the previous phase.
  5. Cleanup phase: You can delete the encrypted table, column key, and master key in sequence.

Preparation Phase

If you use the encrypted database for the first time, you need to perform the preparation. The next time you use the database, you can skip this phase.

The encrypted database can use different external keys to manage the master key. Select one of them as required.

  • Huawei Cloud scenario
    1. Register an account with the Huawei Cloud official website and log in to the system.
    2. Search for Identity and Access Management (IAM) on the Huawei Cloud official website. On the page that is displayed, click Create User, set the IAM password for the IAM user, and grant the data encryption workshop (DEW) permission to the new IAM user.

    3. Go back to the login page, click IAM User, and log in to the system as the newly created IAM user. The subsequent operations are all performed by the IAM user.
    4. Search for Data Encryption Workshop on Huawei Cloud. On the page that is displayed, click Key Management Service and click Create Key to create a key. After the key is created, you can see that each key has a key ID. Remember the key ID, which will be used when you create a master key in the DDL statement execution phase.

    5. The key generated in this step is the master key used in the encrypted database. The key is stored in Huawei Cloud key management service. When SQL statements related to encryption and decryption are executed, the database driver automatically accesses the key through the RESTful API of Huawei Cloud.

Configuration Phase

Configuring Parameters for Accessing External Keys

  • Huawei Cloud scenario
    Configure the following information through environment variables.
    [terminal] # export HUAWEI_KMS_INFO='iamUrl=https://iam.{Project}.myhuaweicloud.com/v3/auth/tokens, iamUser={IAM username}, iamPassword={IAM user key}, iamDomain={Account name}, kmsProject={Project}'

    On the Huawei Cloud console, click the username in the upper right corner and go to the API Credentials page. On this page, you can obtain the required parameters, including project, IAM username, and account name. Remember the project ID on this page, which will be used when you create a master key in the DDL statement execution phase.

    Figure 1 Obtaining parameters on the Huawei Cloud page
    # Example
    [terminal] # export HUAWEI_KMS_INFO='iamUrl=https://iam.cn-north-4.myhuaweicloud.com/v3/auth/tokens, iamUser=test_user, iamPassword=**********, iamDomain=test_account, kmsProject=cn-north-4'