Using high quality encryption keys with your AWS RDS database
Porticor provides an out-of-the-box solution that encrypts your entire database. However, we often encounter customer requirements for encrypting a specific field. Sometimes customers want to use the Amazon Web Services Relational Database Service (AWS RDS) and, on top of that, encrypt specific fields in the DB schema.
Customers want to enjoy high quality encryption keys which are:
- Stored with high security
- Usable in flexible cloud scenarios
- Created with high entropy (true randomness).
Most modern databases have built-in encryption capabilities. Here we look at the MySQL flavor of AWS RDS as a well-known and illustrative example, but similar examples will hold true whatever you may be using (Oracle, SQL Server).
The SQL language in MySQL has been enhanced with encryption functions such as AES_ENCRYPT and AES_DECRYPT. These allow you to write a SQL statement like
UPDATE T1 SET T1.f = AES_ENCRYPT(value, customer_encryption_key) WHERE ...
This will encrypt the value before it is saved into the database. Also, when you retrieve the value, you can use AES_DECRYPT in your SELECT statement to decrypt it. See your database manual for details.
As you can see, as long as you have a high quality value for customer_encryption_key, it is pretty easy to encrypt fields. You can obtain a high quality key from the Porticor key management API. This is a RESTful API which may be used to call a secure endpoint on your Porticor Virtual Appliance.
For example, the Porticor API will generate a random, high
entropy key for you if you request it to do so. To do this, you can
use the RESTful
PUT method, the
parameter and the URL:
:name is the name of the key that will be
In this scenario the encryption happens in memory in the MySQL server, which means the key and the plaintext travel to the server inside your SQL statements. To complete the security, you should of course also be using encrypted communications to your database in any case.
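The pattern above, carried through end to end, as an added example that is not code from the original post or from Porticor: a table with a binary ciphertext column, a session-level key (the hex value is a placeholder standing in for the key returned by the key management API), AES-256-CBC with a per-row random IV instead of MySQL's default ECB mode, and the matching AES_DECRYPT on read.

```sql
-- Added example; the key below is a placeholder for the 32-byte key
-- obtained from the key management API, not a real key.
CREATE TABLE customers (
  id      INT PRIMARY KEY,
  name    VARCHAR(100),
  ssn_iv  BINARY(16),      -- per-row IV, stored in the clear
  ssn_enc VARBINARY(64)    -- ciphertext: always a binary column, never VARCHAR
);

-- MySQL defaults to aes-128-ecb; ECB leaks which rows hold equal plaintexts.
-- Switch this session to AES-256-CBC, which requires an IV on every call.
SET SESSION block_encryption_mode = 'aes-256-cbc';

-- Keep the key in a session variable so the data statements do not embed it.
-- Exactly 32 bytes, so MySQL does not have to fold a longer/shorter string.
SET @customer_encryption_key =
  UNHEX('00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF');

-- Encrypt on insert with a fresh random IV for this row.
SET @iv = RANDOM_BYTES(16);
INSERT INTO customers (id, name, ssn_iv, ssn_enc)
VALUES (1, 'Alice', @iv,
        AES_ENCRYPT('123-45-6789', @customer_encryption_key, @iv));

-- The UPDATE form from the text: re-encrypt an existing field with a new IV.
SET @iv = RANDOM_BYTES(16);
UPDATE customers
   SET ssn_iv  = @iv,
       ssn_enc = AES_ENCRYPT('987-65-4321', @customer_encryption_key, @iv)
 WHERE id = 1;

-- Read side: decrypt with the stored IV and cast the bytes back to text.
SELECT id, name,
       CAST(AES_DECRYPT(ssn_enc, @customer_encryption_key, ssn_iv) AS CHAR) AS ssn
  FROM customers
 WHERE id = 1;

-- Sanity check: with the wrong key the CBC padding does not verify, so
-- AES_DECRYPT returns NULL rather than silently handing back garbage.
SELECT AES_DECRYPT(ssn_enc,
                   UNHEX('FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF'),
                   ssn_iv) IS NULL AS wrong_key_gives_null
  FROM customers
 WHERE id = 1;
```

Because the key is sent to the server in the SET statement, it can still appear in query logs or on the wire; that is why the TLS connection mentioned above is not optional.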
For the full documentation and code samples, please contact us.