Help Center/ GaussDB/ Feature Guide(Centralized_3.x)/ Setting Encrypted Equality Query/ Enhancing Security in the Configuration Phase
Updated on 2024-07-04 GMT+08:00

Enhancing Security in the Configuration Phase

Setting Environment Variables Securely

Sensitive information exists in HUAWEI_KMS_INFO. You are advised to set the environment variables as follows:
  1. Set temporary environment variables: When an encrypted database is used, run the export command to set environment variables. After the database is used, run the unset command to clear environment variables. In this method, OS logs may record sensitive information. You are advised to use process-level environment variables or JDBC APIs to set connection parameters.
  2. Set process-level environment variables: In the application code, set environment variables through programming APIs. The following are examples of setting environment variables in different programming languages:
    1. C/C++: setenv(name, value)
    2. Go: os.Setenv(name, value)
    3. Java does not support the setting of process-level environment variables. Connection parameters can be set only through the JDBC APIs.

Verifying External Key Management Service Identity

When the database driver accesses Huawei Cloud KMS, to prevent attackers from masquerading as the KMS, the CA certificate can be used to verify the validity of the key server during the establishment of HTTPS connections between the database driver and the KMS. Therefore, you need to configure the CA certificate in advance. If the CA certificate is not configured, the key management service identity will not be verified. The configuration method is as follows:

In the Huawei Cloud scenario, add the following parameters to the environment variables:
export HUAWEI_KMS_INFO='Other parameters, iamCaCert=Path/IAM CA certificate file, kmsCaCert=Path/KMS CA certificate file'

Most browsers automatically download a CA certificate of a website and provide the certificate export function. Some websites (such as https://www.ssleye.com/ssltool/certs_down.html) provide the function of automatically downloading CA certificates. However, the CA certificates may be unavailable due to proxy or gateway in the local environment. Therefore, you are advised to use a browser to download the CA certificate. You can perform the following steps:

The RESTful API is used to access the KMS. When you enter the URL of the API in the address box of the browser, ignore the failure page in 2. The browser has automatically downloaded the CA certificate in advance even if the failure page is displayed.

  1. Enter the domain name: Open a browser. In the Huawei Cloud scenario, enter the IAM service domain name (iam.cn-north-4.myhuaweicloud.com/v3/auth/tokens) and KMS domain name (kms.cn-north-4.myhuaweicloud.com/v1.0).
  2. Search for a certificate: Each time you enter a domain name, find the SSL connection information and click the information to view the certificate content.

  3. Export the certificate. On the Certificate Viewer page, certificates may be classified into multiple levels. You only need to select the upper-level certificate of the domain name and click Export to generate a certificate file, that is, the required certificate file.

  4. Upload the certificate: Upload the exported certificate to the application and set the preceding parameters.