zydronium/getnamingo-registry
1
0
Fork 0
mirror of https://github.com/getnamingo/registry.git synced 2025-05-10 08:48:34 +02:00
Code Issues Projects Releases Packages Wiki Activity
getnamingo-registry/docs/encryption.md
Pinga f792af87d2 Added database encryption guide
2023-11-30 17:07:39 +02:00

146 lines
No EOL
4.8 KiB
Markdown
Raw Blame History

# Namingo Registry Data Encryption
To ensure GDPR compliance and uphold the highest standards of data privacy, this guide outlines essential strategies for encrypting sensitive data within the Namingo registry. Our focus is to provide a clear and effective approach to database encryption, safeguarding privacy and ensuring the integrity of our users' data.
## MariaDB
### 1. Create Encryption Keys
This process involves creating a directory for the encryption keys, generating the keys, and setting the appropriate permissions.
```bash
mkdir -p /etc/mysql/encryption
echo "1;"$(openssl rand -hex 32) > /etc/mysql/encryption/keyfile
openssl rand -hex 128 > /etc/mysql/encryption/keyfile.key
openssl enc -aes-256-cbc -md sha1 -pass file:/etc/mysql/encryption/keyfile.key -in /etc/mysql/encryption/keyfile -out /etc/mysql/encryption/keyfile.enc
rm -f /etc/mysql/encryption/keyfile
chown -R mysql:mysql /etc/mysql
chmod -R 500 /etc/mysql
```
### 2. Update MariaDB Configuration
Edit ```/etc/my.cnf.d/server.cnf``` and add the following under ```[mariadb]```:
```bash
plugin_load_add = file_key_management
file_key_management_filename = /etc/mysql/encryption/keyfile.enc
file_key_management_filekey = FILE:/etc/mysql/encryption/keyfile.key
file_key_management_encryption_algorithm = AES_CTR
innodb_encrypt_tables = FORCE
innodb_encrypt_log = ON
innodb_encrypt_temporary_tables = ON
encrypt_tmp_disk_tables = ON
encrypt_tmp_files = ON
encrypt_binlog = ON
aria_encrypt_tables = ON
innodb_encryption_threads = 4
innodb_encryption_rotation_iops = 2000
```
### 3. Restart MariaDB
```bash
systemctl restart mariadb
```
### 4. Removing TDE
To disable TDE, execute the following command in the MariaDB command tool:
```bash
SET GLOBAL innodb_encrypt_tables = OFF;
```
### Disclaimer
- This guide provides basic TDE implementation.
- It's recommended not to store the encryption key on the same server. Consider using external key management solutions like Hashicorp Vault Encryption Key Plugin or AWS Key Management Encryption Plugin for enhanced security.
- Always ensure you have backups before making significant changes to your database configuration.
## MySQL
### 1. Create Encryption Keys
This process involves creating a directory for the encryption keys, generating the keys, and setting the appropriate permissions.
```bash
mkdir -p /var/lib/mysql-keyring
openssl rand -hex 32 > /var/lib/mysql-keyring/keyfile
chown -R mysql:mysql /var/lib/mysql-keyring
chmod -R 500 /var/lib/mysql-keyring
```
### 2. Update MySQL Configuration
You need to edit the MySQL configuration file, typically located at ```/etc/mysql/mysql.conf.d/mysqld.cnf```, to enable encryption and specify the keyring file path.
```bash
[mysqld]
early-plugin-load=keyring_file.so
keyring_file_data=/var/lib/mysql-keyring/keyfile
# Enable InnoDB Table Encryption
innodb_encrypt_tables=ON
innodb_encrypt_log=ON
innodb_encryption_threads=4
# Additional optional settings
encrypt_tmp_disk_tables=ON
encrypt_binlog=ON
```
### 3. Restart MySQL
After updating the configuration, restart MySQL to apply the changes.
```bash
systemctl restart mysql
```
### 4. Removing TDE
To disable TDE, execute the following command in the MySQL command tool:
```bash
SET GLOBAL innodb_encrypt_tables = OFF;
```
### Disclaimer
- This is a basic guide for implementing TDE in MySQL.
- Storing the encryption key on the same server as the database is not recommended for high security. Consider using external key management solutions like the AWS Key Management Service or other external keyring plugins for better security practices.
- Always ensure you have backups before making significant changes to your database configuration.
## PostgreSQL
eCryptfs encrypts files at the file system level, securing the data stored by PostgreSQL. This method provides encryption at rest, meaning the data is encrypted when stored on disk.
### 1. Install eCryptfs
On a Linux-based system, you can usually install eCryptfs through the package manager. For example, on Ubuntu, you can use ```sudo apt-get install ecryptfs-utils```.
### 2. Setup Encrypted Directory
Set up an encrypted directory where PostgreSQL will store its data files. This involves creating a new directory and mounting it with eCryptfs.
You can use the ```ecryptfs-setup-private``` script to set up a private directory quickly.
### 3. Configure PostgreSQL to Use Encrypted Directory
Change the data directory of PostgreSQL to point to the encrypted directory. This usually involves updating the ```data_directory``` setting in the PostgreSQL configuration file (```postgresql.conf```).
### 4. Migrate Existing Data (if necessary)
If you're encrypting an existing PostgreSQL installation, you'll need to migrate the data to the encrypted directory. This can be done by copying the existing data files to the new directory.
### 5. Restart PostgreSQL
After changing the data directory, restart the PostgreSQL server.
Reference in a new issue View git blame Copy permalink