Transparent Data Encryption
Richard Banville, OpenEdge Fellow, Progress Software
Session 130

© 2009 Progress Software Corporation. All rights reserved.

Overview: Transparent Data Encryption (TDE)
What Is TDE?

Transparent
- Application transparent data encryption
- Full index query support
- No need to move data
Flexible
- Encrypt individual objects (tables, indexes, lobs) in Type II areas
- Encrypt individual Type I areas
- Storage engine encrypts blocks on disk (access neutral)
Secure
- Provides secure encryption key storage
- Limits access to physical data
- Important piece of an overall data privacy strategy

Data Encryption
How Does It Work?

[Diagram, shown in four builds. Labels: plain text, Encrypt, Cipher, Encrypted Data (nonsensical data), Decrypt. Sample text: "Have a nice day" and "Having a bad day…". Note: Key value makes it unique.]

OpenEdge Transparent Data Encryption (TDE)
How Does It Work?

[Diagram, shown in three builds. Labels: Encrypted Data, Read I/O, Write I/O, Database Storage Engine (Encrypt & Decrypt), Shared Memory Buffer Pool (plain text block), Database, Policies, Keys.]

Components
- Product Install
- Key store
  - Database Master Key (DMK)
  - Admin/User Passphrase
  - Manual/Automatic Authentication
- Encryption Policy Area
  - Encryption Policies - What (object) & how (cipher)

Thing 1: TDE Availability

- Transparent Data Encryption OpenEdge product
- First available in the 10.2B release
- Requires two products be installed
  - Enterprise OpenEdge Database product
  - Transparent Data Encryption product

Thing 2: The Key Store
The Most Critical Piece Of TDE

- Stores the Database Master Key (DMK)
  - Makes encrypted data unique
  - Unique per database
  - File named:
- Securing the DMK in the key store
  - Stored separately from db
  - Protected by passphrase based authentication
  - Not part of database backup (Why not?)

Thing 2: The Key Store
The Most Critical Piece Of TDE

- Losing the keys to the kingdom: rm -f mydb.ks
- Re-mastering your database master key (PBE cipher only)
- Passphrases have predetermined rules
- Advantages of DMK PBE
  - Can be regenerated
  - See previous advantage
- Disadvantages of DMK PBE
  - Can be regenerated (less secure)
  - Needs large passphrase to be effective
  - Must remember passphrase

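The PBE trade-off on the key store slide, as an added Python sketch (not code from the presentation or from OpenEdge): a passphrase-derived DMK can be rebuilt after the key store file is lost, but it is only as strong as the passphrase. PBKDF2, the salt and the iteration count are assumptions standing in for the product's PBE cipher.

```python
import hashlib
import math
import os

# Constructed values: the salt and iteration count are assumptions of this sketch.
SALT = b"mydb-constructed-salt"
ITERATIONS = 100_000

def derive_dmk(passphrase: str, key_bits: int = 128) -> bytes:
    """PBE-style DMK: a pure function of the passphrase, so it can be regenerated."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               SALT, ITERATIONS, key_bits // 8)

def random_dmk(key_bits: int = 128) -> bytes:
    """Non-PBE DMK: random bytes that exist only inside the key store file."""
    return os.urandom(key_bits // 8)

def passphrase_bits(length: int, alphabet: int) -> float:
    """Upper bound on guessing work for a uniformly random passphrase, in bits."""
    return length * math.log2(alphabet)

def effective_bits(key_bits: int, length: int, alphabet: int) -> float:
    """A derived key is no stronger than the passphrase it is derived from."""
    return min(float(key_bits), passphrase_bits(length, alphabet))

def min_passphrase_length(key_bits: int, alphabet: int) -> int:
    """Shortest random passphrase that does not weaken a key of key_bits."""
    return math.ceil(key_bits / math.log2(alphabet))

if __name__ == "__main__":
    original = derive_dmk("correct horse battery staple")
    # Key store lost (rm -f mydb.ks): the PBE key can be rebuilt from the passphrase.
    print("PBE DMK regenerated:", derive_dmk("correct horse battery staple") == original)
    print("random DMK regenerated:", random_dmk() == random_dmk())
    print("8 lowercase letters:", round(effective_bits(128, 8, 26), 1), "bits")
    print("printable ASCII chars needed for 128 bits:", min_passphrase_length(128, 94))
```
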
Thing 3: Encryption Policies
Describes What And How To Encrypt

Policy Contents
- Object to encrypt
  - Table, Index, Lob (Type II storage areas)
  - Area (Type I storage area)
  - AI and BI recovery
- Cipher – algorithm & key size
Secure (Key store administrator & DB administrator)
- Stored in Encryption Policy Area
- User prevented from direct record access
Policy Maintenance
- Epolicy tool, OpenEdge SQL, Data Admin tool
- Add, remove, alter (cipher, key) online

Cipher Choice
How do I decide?

- Governance
- Business rules
- Your choice, your responsibility - balance strength & performance

[Chart: Security Strength (0 – no encryption, up to 10). Ciphers shown: RC4-128, AES-128, AES-192, AES-256, DES-56, DES3-168, DES-PBE.]
[Chart: Performance Cost (0 – no encryption). Ciphers shown: RC4-128, AES-128, AES-192, AES-256, DES-56/PBE, DES3-168.]
*Graphical data is relative

Enabling Encryption
Easy as 1, 2, 3

Step #1: Enabling Encryption

- Create a Type II storage area for encryption policies
  - Named Encryption Policy Area
  - Any available user data area number will suffice
- Create a new structure file which includes new area

  Structure file showing example definition policy area:

    e Encryption Policy Area:12,32;64. f
    e Encryption Policy Area:12,32;64.

- Add the encryption policy using Prostrct Add

    prostrct addonline mydb mydb_epolicy_area.st
    prostrct list mydb

Step #2: Enabling Encryption

    proutil -C enableencryption
        [-biencryption enable | disable]
        [-aiencryption enable | disable]
        [-Autostart user | admin]
        [-Cipher cipher-number]

- Does not encrypt any data
- Decisions, decisions, decisions
  - AI and/or BI (online, offline)
  - Automatic vs manual key store authentication
    - Management vs security
  - DMK Cipher – security vs availability (PBE cipher)
- Creates key store (.ks)
  - User vs Admin key store accounts
- Ready for encryption policy creation

[Diagram labels: DB, KS]

Step #3: Policy Maintenance

Three ways to add policy
- Proutil epolicy tool
- Data Administration Tool
- OpenEdge SQL DDL syntax

Step #3: Policy Maintenance (Proutil epolicy tool)

- TI areas or TII Objects
- Data lazily encrypted
- Must update before cipher change
- Current and one previous policy allowed

    proutil -C epolicy manage object-type encrypt | cipher | rekey -Cipher
    proutil -C epolicy manage object-type update

Step #3: Policy Maintenance (Data Administration Tool)

- Disabled remotely
- Type II PUB schema only
- Multi select UI
- Local access only

Menu: Admin > Security > Encryption Policies > Edit Encryption Policies...

Step #3: Policy Maintenance (OpenEdge SQL DDL syntax)

    CREATE TABLE | INDEX... [ ENCRYPT WITH ]...;

    ALTER TABLE | INDEX | COLUMN SET [ ENCRYPT WITH | DECRYPT | ENCRYPT REKEY ]...;

    SHOW ENCRYPT ON
        { ALL [ TABLE | INDEX | LOB ]
        | TABLE table-name [ WITH INDEX | WITH LOB ]
        | TABLE table-name ON INDEX index-name };

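The three policy rules from the proutil epolicy slide (data lazily encrypted, update before another cipher change, current and one previous policy allowed), modelled in an added Python sketch that is not OpenEdge code. The class, the per-block version tag, the key derivation from the DMK and the toy keystream cipher are all hypothetical stand-ins.

```python
import hashlib
import hmac

def toy_cipher(key: bytes, block_no: int, data: bytes) -> bytes:
    """XOR with an HMAC-SHA256 keystream; a stand-in for the policy's real cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, b"%d:%d" % (block_no, off), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

class EncryptedObject:
    """Hypothetical model of one table or index: blocks tagged with a policy version."""

    def __init__(self, dmk: bytes, blocks):
        self.dmk = dmk
        self.current = 0                      # version 0 means "not encrypted"
        self.keys = {}                        # holds the current and one previous key
        self.disk = [(0, bytes(b)) for b in blocks]

    def new_policy(self):
        """Models encrypt / cipher / rekey: changes the policy, rewrites no block."""
        if any(v not in (0, self.current) for v, _ in self.disk):
            raise RuntimeError("blocks still on the previous policy: run update first")
        prev, self.current = self.current, self.current + 1
        self.keys = {v: k for v, k in self.keys.items() if v == prev}
        self.keys[self.current] = hmac.new(
            self.dmk, b"policy-%d" % self.current, hashlib.sha256).digest()

    def read(self, n: int) -> bytes:
        """Read I/O: decrypt with the key of the policy the block was written under."""
        v, data = self.disk[n]
        return toy_cipher(self.keys[v], n, data) if v else data

    def write(self, n: int, plain: bytes):
        """Write I/O: the block lands on disk under the current policy (lazy)."""
        v = self.current
        self.disk[n] = (v, toy_cipher(self.keys[v], n, plain) if v else plain)

    def update(self):
        """Models 'update': rewrite every block under the current policy."""
        for n in range(len(self.disk)):
            self.write(n, self.read(n))

    def versions(self):
        return [v for v, _ in self.disk]
```

In this model a second policy change is refused while any block is still tagged with the previous version, because dropping that key would leave the block unreadable; calling update() first moves every block to the current policy.
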
Performance Considerations

Performance Considerations

- Maximize the buffer pool hit-rate
  - Increase -B
  - Consider using an Alternate Buffer Pool (-B2)
- Normalize data to encrypt
  - Separate private and non private data
  - Read Codd
- Isolate data to encrypt
  - Use Type II storage areas (object level)
  - Encrypt only necessary indexes
- Carefully choose cipher (algorithm + key size)
  - Balance security and performance

Summary

- OpenEdge Transparent Data Encryption
  - Flexible
  - Protects data at rest transparently
  - Very low performance impact
- TDE is easy to understand
  - Product install
  - Key store
  - Encryption policies
- TDE is easy to implement
  - Add encryption area
  - Enable database
  - Create encryption policies