The former Porticor support site is now frozen. Please refer to our Intuit page.

Using high quality encryption keys with your AWS RDS database

Porticor provides an out-of-the-box solution that encrypts your entire database. However we often encounter customer requirements for encrypting a specific field. Sometimes customers want to use Amazon Web Services Relational Database Service (AWS RDS) and on top of that, encrypt specific fields in the DB schema.

Customers want to enjoy high quality encryption keys which are:

  • Stored with high security
  • Usable in flexible cloud scenarios
  • Created with high entropy (true randomness).

Your Built-In Encryption

Most modern databases have built-in encryption capabilities. Here we look at the MySQL flavor of AWS RDS as a well-known and illustrative example, but the same approach applies to whatever database you may be using (Oracle, SQL Server).
The SQL language in MySQL has been enhanced with the AES_ENCRYPT and AES_DECRYPT built-in functions. These allow you to write SQL statements like

UPDATE T1 SET T1.f = AES_ENCRYPT(value, customer_encryption_key) WHERE ...

This encrypts the value before it is saved into the database. When you retrieve the value, use AES_DECRYPT in your SELECT statement to decrypt it. See your database manual for details.

Getting a High Quality Key

As you can see, as long as you have a high quality value for customer_encryption_key, it is pretty easy to encrypt fields. You can obtain a high quality key from the Porticor key management API. This is a RESTful API which may be used to call a secure endpoint on your Porticor Virtual Appliance.

For example, the Porticor API will generate a random, high entropy key for you if you request it to do so. To do this, you can use the RESTful PUT method, the generate parameter and the URL:

/api/protected_items/:name

where :name is the name of the key that will be created.
In this scenario the encryption happens in memory on the MySQL server: both the plaintext value and the key are sent to the server inside the SQL statement. To complete the security, you should of course be using encrypted communications to your database in any case, so that neither the key nor the plaintext crosses the network in the clear.
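The client-side glue for the flow above, as an added example (not Porticor's code or documentation): it builds the PUT request to /api/protected_items/:name with the generate parameter, validates the returned key material before it is used, and produces parameterized AES_ENCRYPT/AES_DECRYPT statements. The appliance address, the query-string form of the generate parameter and the JSON response shape {"key": "<hex>"} are assumptions.

```python
import binascii
import json
import re
import urllib.parse
import urllib.request

# Hypothetical appliance address; replace with your Porticor Virtual Appliance endpoint.
APPLIANCE_URL = "https://porticor-appliance.example"
# Only plain identifiers are allowed into the SQL text; everything else is a bound parameter.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def key_request(name, base_url=APPLIANCE_URL):
    """PUT /api/protected_items/:name asking the appliance to generate a fresh key.
    Sending 'generate' as a query-string parameter is an assumption (see lead-in)."""
    path = "/api/protected_items/" + urllib.parse.quote(name, safe="")
    url = base_url + path + "?" + urllib.parse.urlencode({"generate": "true"})
    return urllib.request.Request(url, method="PUT")


def parse_key(body, key_len=16):
    """Validate key material before it reaches any SQL statement.
    Assumed response shape: JSON {"key": "<hex>"}; AES_ENCRYPT takes raw key bytes."""
    try:
        key = binascii.unhexlify(json.loads(body)["key"])
    except (ValueError, KeyError, TypeError, binascii.Error) as exc:
        raise ValueError("appliance returned malformed key material") from exc
    if len(key) != key_len:
        raise ValueError(f"expected a {key_len}-byte key, got {len(key)} bytes")
    return key


def _ident(name):
    """Reject anything that is not a bare identifier, so table/column names cannot inject SQL."""
    if not _IDENT.match(name):
        raise ValueError(f"unsafe SQL identifier: {name!r}")
    return name


def encrypt_update(table, column, id_column):
    """UPDATE that encrypts one field. Parameters, in order: (plaintext, key, row_id).
    Value and key are bound parameters rather than formatted into the SQL string."""
    return (f"UPDATE {_ident(table)} SET {_ident(column)} = AES_ENCRYPT(%s, %s) "
            f"WHERE {_ident(id_column)} = %s")


def decrypt_select(table, column, id_column):
    """Matching SELECT. Parameters, in order: (key, row_id). CONVERT turns the BLOB back into text."""
    return (f"SELECT CONVERT(AES_DECRYPT({_ident(column)}, %s) USING utf8mb4) "
            f"FROM {_ident(table)} WHERE {_ident(id_column)} = %s")
```

Hand the returned SQL and its parameter tuple to your MySQL driver's cursor.execute over a TLS connection; the key bytes come from parse_key and never need to be string-formatted into the query.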

For the full documentation and code samples, please contact us.