The EDB Blog
January 21, 2020

 

By Rajkumar Raghuwanshi, Senior Software Engineer - PLSQL, EDB, and Tushar Ahuja, Senior QA Manager, EDB.

EnterpriseDB provides a high level of database security, which includes in-database password policy management, enhanced auditing for compliance, data encryption, built-in SQL Injection Protection and so on. Along with Vormetric Data Security Platform, it provides encryption for data-at-rest, prevention of privilege user access, policy-driven encryption/decryption and much more at the operating system level. VTE ensures that it does not impact the mission-critical business applications, IT infrastructure and service level agreements.

Fundamentals of VTE 

Vormetric Transparent Encryption (VTE) of Thales security is a transparent block-level encryption with access controls to provide data security. It is simple to deploy and manage. It consists of two main components:

  • Vormetric Transparent Encryption (VTE) – Transparent block-level encryption with access controls.
  • Vormetric Data Security Manager (DSM) – Central key and policy manager for all Vormetric solutions.

Set up for POC

As part of POC for VTE over EnterpriseDB Advanced Server the following set up is created:

1. Vormetric Data Security Manager (DSM) environment with EnterpriseDB host machine with a VTE registered agent

2. Encryption/decryption key created with algorithm AES256 and automatic key rotation with 180 days

3. Policy created with policy type as Live Data Transformation (which only allows the user enterprisedb to access the data/base directory and denies access to all the other users including system root).

 

Figure 1 shows how a policy looks on a DSM console.

Figure 1: Policy on a DSM console

 

VTE file-level encryption

VTE enables file-level encryption using policies to prevent privileged user access. We tested that this does not impact any functionality provided by EDB Advanced Server. With the above setup, it was observed that when the privilege root user tried to access the data/base directory it got permission denied error. Even when the root user did a switch user (su) to enterprisedb the same error is being thrown. When the user enterprisedb (which is authorized) logged in to the system it is able to access the directory. This is depicted in Figure 2.

Figure 2: Access to the data directory 

 

 Figure 3: VTE Logs

 

This security level is verified at a granular level when only the access to the process edb-postgres for the user enterprisedb is allowed. EDB Postgres Advanced Server functions in the same way with and without VTE. Verification is done by running pg_regress suite, streaming replications (master-slave configuration), and other EnterpriseDB utilities which uses file systems like pg_dump, pg_restore, pg_upgrade and so on.

 

Performance Impact

As VTE agent interacts with the DSM server for policy validations before allowing a user or a process to access the file system this results in some performance overhead. We have done some performance benchmarking using direct loads using EDB*Loader and COPY utilities and transactions using the pgbench tool. This overhead is in the acceptable range of 0-20%.

 

Graphical Representation of Performance Impact

The following graphs show the performance impact of VTE with EnterpriseDB Advanced Server.

 

Table 1: Host Specifications with VTE

Specification

설명

운영 체제          

Centos 7x64

CPUs

4명

RAM

8GB

HDD

320 GB

데이터베이스

EnterpriseDB Advanced Server  v11 with VTE agent Installed

 

Policy type

Live Data Transformation

Encryption

Algorithm - AES256

User

Only enterprisedb user allowed

Guard

/var/lib/edb/as11/database/ with policy

 

Figure 4: Impact of VTE with EDB*Loader and COPY 

 

Figure 5: Impact of VTE with PGBENCH