2025-04-06 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article is a detailed introduction to how to ensure database security in RavenDB. It walks through the steps and the details that matter.
How does RavenDB successfully protect databases in transit and at rest?
With cybercrime estimated to cost the global economy more than $1 trillion by 2020, database security has never been more important. In order to properly protect the database, you must protect the data in transit between the server and the node, as well as the data at rest on the server.
Encryption at rest protects data stored on servers from malicious viewing, theft, or other access. For example, if your disk is lost or stolen, an attacker will have full access to any unencrypted data on it. Encrypted data, however, cannot be read, and attackers will only see it as random noise.
How RavenDB handles encryption at rest
A common problem with database security is that it can become too complex to understand and implement. As a result, it is often postponed, forgotten or abandoned altogether. RavenDB's solution is to handle security issues in the background, requiring users to fully protect the database with just a few clicks during setup. (Of course, as with most things in RavenDB, you have the option of getting more hands-on if you want.)
RavenDB uses an authenticated encryption scheme called XChaCha20Poly1305 with a 256-bit key. The details of XChaCha20Poly1305 are far beyond the scope of this article; what matters is that it works very well, has been thoroughly reviewed by industry experts, and has been standardized by the IETF (Internet Engineering Task Force).
Data is encrypted at the lowest possible level, the storage level, using RavenDB's own custom storage engine, Voron. This layer of encryption is completely transparent to other levels of the server, which means you never have to deal with its complexity.
Another advantage of performing encryption at this layer is that it is much faster, which helps offset the inherent performance costs of encryption.
Enabling encryption
If the server transmits data in unencrypted form for the world to see, then having an encrypted database doesn't make much sense. To avoid this mistake, RavenDB requires that you enable authentication and HTTPS before you can create an encrypted database. The good news is that authentication and HTTPS are set up automatically when you select Security Mode in the RavenDB Setup Wizard.
If you want to set up authentication your own way, you can follow the instructions provided here.
Once in secure mode, you can create an encrypted database using Studio, as shown in the figure below, or manually using the REST API and client API.
Yes, it is that simple.
Note: You cannot enable encryption on an existing database; it must be done at creation time. However, you can export the database and import the data into a new encrypted database.
After this step, you will get the database key.
Keys in RavenDB
A key is a short, random-looking string of characters that can be used to mathematically convert your data into an unrecognizable format and back again.
When you create an encrypted database in the Studio, you will get a key in text form and a printable QR code. It is important to save it, because you will never see it again.
No keys are required to access data on the RavenDB server: access depends on the rights of the authenticated user. However, you do need the key for certain critical operations, such as restoring databases from backups and moving data files between servers.
If you use the API to create a database, you can find more information about keys here.
Key management is really important.
Do you know what it feels like to lock yourself out of a house, car or hotel room? Locking yourself out of the database is worse.
The only way to convert the data in an encrypted database back into a readable format is to know the encryption key. If you lose it, you may never be able to access your data again.
RavenDB holds the key internally and will use it to store and retrieve data. But if you need to restore from backups, rebuild servers, or recover from disasters, you definitely need the key.
The importance of securing your key cannot be overemphasized, not only so that you do not lose it, but also to prevent others from gaining access to your database.
Locking a physical copy of the key in a very secure location is a simple and very secure way to store the key. After all, you can't hack into a locked locker. That's why RavenDB gives you the keys in the form of printable QR codes.
Each database in RavenDB has its own key, and all of these database keys are encrypted by the server master key. This server master key is protected differently depending on your operating system. On Windows, it is encrypted by DPAPI, which is tied to the Windows password; on Linux, it is protected by file system permissions. The end result is the same: only the user who created the database has access to the key.
If you want to store and retrieve it in your own way, you can also tell RavenDB to run a specified executable file to get the server master key. This can be used to set up integration with HSMs, key vaults, or cloud-based key management services.
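A sketch of such a helper executable, added here as an example and not taken from RavenDB: it assumes the server reads a raw 256-bit (32-byte) key from the helper's standard output, and the key file path passed as the first argument is hypothetical. It applies the same file-permission rule described above for Linux before releasing the key.

```python
import os
import stat
import sys

KEY_BYTES = 32  # 256-bit master key (assumed raw-byte format)


def load_master_key(path: str) -> bytes:
    """Return the key only if the file is private to the calling account."""
    with open(path, "rb") as f:
        # fstat the open handle so the checks apply to the file we actually read
        st = os.fstat(f.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("key path is not a regular file")
        if st.st_uid != os.geteuid():
            raise PermissionError("key file is not owned by the service account")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError("key file is accessible to group or others")
        key = f.read(KEY_BYTES + 1)
    if len(key) != KEY_BYTES:
        raise ValueError("key file must contain exactly 32 bytes")
    return key


def main(argv) -> int:
    try:
        key = load_master_key(argv[1])
    except (OSError, ValueError, IndexError) as exc:
        # Diagnostics go to stderr so stdout carries nothing but the key
        print(f"master key unavailable: {exc}", file=sys.stderr)
        return 1
    sys.stdout.buffer.write(key)
    sys.stdout.buffer.flush()
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A helper that talks to an HSM or a cloud key service would replace `load_master_key` and keep the same contract: key on stdout, non-zero exit on any failure.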
Your data is not encrypted with a database key. Instead, it is encrypted by a derived key generated from the database key. They are created in such a way that they cannot be reverse-engineered to compute database keys, and having separate keys ensures that if an attacker does somehow figure out one key, they cannot use it anywhere else.
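To illustrate the derived-key idea above, here is an added example that is not RavenDB's own code: it derives 256-bit subkeys from a database key with keyed BLAKE2b, the same general construction libsodium uses for key derivation. The context labels "journal" and "datafile" and the sample key are constructed for the demonstration.

```python
import hashlib

KEY_BYTES = 32  # 256-bit keys, as stated in the article


def derive_subkey(database_key: bytes, context: bytes, subkey_id: int) -> bytes:
    """Derive a subkey bound to (context, subkey_id) from the database key.

    Keyed BLAKE2b is one-way: holding a subkey does not reveal the
    database key or any sibling subkey.
    """
    if len(database_key) != KEY_BYTES:
        raise ValueError("database key must be 32 bytes")
    if len(context) > 16:
        raise ValueError("context label must fit in 16 bytes")
    return hashlib.blake2b(
        key=database_key,
        salt=subkey_id.to_bytes(8, "little"),  # distinguishes subkeys in one context
        person=context,                        # domain separation between uses
        digest_size=KEY_BYTES,
    ).digest()


def demo() -> dict:
    database_key = bytes(range(32))  # constructed sample, never a real key
    journal = derive_subkey(database_key, b"journal", 1)
    datafile = derive_subkey(database_key, b"datafile", 1)
    # After a restore, the same database key regenerates the same subkeys,
    # which is why the database key alone is what must be kept safe.
    restored = derive_subkey(database_key, b"journal", 1)
    return {
        "separate_keys": journal != datafile,
        "reproducible": journal == restored,
        "not_the_database_key": database_key not in (journal, datafile),
    }


if __name__ == "__main__":
    print(demo())
```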
As important as they are, you rarely need to actually use your keys. You only need to use them in special cases, such as restoring a database from a backup, or if you want to add nodes to the database using the same database key.
What's encrypted and what's not?
When encryption is enabled, plain text data is never written to disk. Data is decrypted in memory only during an active transaction, and even then only the specific data required for the transaction is decrypted. When the operating system runs low on memory, it may send data from memory to disk, but that data will still be in encrypted form. The associated memory is erased immediately after the transaction completes.
The exception to working only with encrypted data is the special temporary buffers used for compression, recovery, and other such functions. These buffers must be held unencrypted in memory; however, they are kept in locked memory areas so that the operating system does not page them to disk and the data does not leak. Locking data in memory can cause failures if there isn't enough physical RAM available for RavenDB to lock, so if RAM is limited, you might want to read more and learn how to change the relevant settings here.
By default, server storage is not encrypted. It contains server-wide information such as database records and compare-exchange values. It also stores database keys, although these keys are stored encrypted. If necessary, you can enable server storage encryption by following the instructions here.
Encrypted or unencrypted?
Strong and comprehensive encryption is just a few clicks away during setup, and you might want to enable it on every database you create. In most cases, this is the right choice. However, it is worth remembering that security always comes at a cost.
In RavenDB, for most typical scenarios, the performance cost of encryption is only 15-20%, and some extra memory is used to temporarily store decrypted data. This is a small price for keeping your data safe, so unless you are absolutely sure that encryption is not needed, it is strongly recommended that you turn it on.