Server General KMS for MySQL

The Key Management Service For MySQL TDE Customers

Technical Information

The security of any cryptography-enabled system ultimately depends on the security of the cryptographic material used. Key generation, storage and distribution are always critical aspects of any distributed secure system. Although many different and sometimes competing ways of managing keys exist, it is ultimately the available resources and the threat environment that dictate the choices. Server General KMS for MySQL is a key management service for organizations that use the encryption functionality embedded in their MySQL servers.

The Server General KMS for MySQL consists of two components - the Server General KMS Agent (SGA) and the Server General Locker (SGL). The SGL is a secure appliance used to store keys. A single SGL can store an unlimited number of encryption keys used by a group of MySQL servers. Customers can also use our global key management infrastructure to store their keys securely.

Server General KMS for MySQL uses a three-tier encryption key architecture consisting of a Master MySQL Key (MMK), a tablespace key (TSK) and a Data Admin Master Key (DMK). Server General KMS for MySQL has been designed to protect the encryption keys against internal as well as external threats, and no key is ever stored on disk in plain text.

Securing The Master MySQL Key

The Server General KMS for MySQL system consists of two separate components - the Server General Agent (SGA) and the Server General Locker (SGL). We will assume for now that the user is going to use our cloud locker. We also provide an on-premises key locker appliance.

The user installs the SGA on their MySQL server. During configuration, at least two Server General administrators are configured - the Security Officer (SO) and the Data Administrator (DA). The DA acts as the custodian of the MMK and encrypts it with her own key, the DMK. The encrypted value of the MMK is moved into the SGL, which our security staff manages for you on a 24x7x365 basis.

The Server General encryption engine supports various standard encryption algorithms; however, AES-256 in CBC mode is the default algorithm used to encrypt the MMK.

Key Management Features

Key Generation

Keys must be generated in a truly random fashion so that they contain sufficient entropy to reduce the risk that new keys are in any way predictable. The higher the entropy of a key, the less likely it is that anyone could arrive at the key by trial and error (a brute-force attack). To guard against keys simply being guessed by attackers, it is necessary to ensure that the space of possible values is as wide as possible for any given key length. Therefore, Server General uses the maximum key length possible for a key - 256 bits.

Key Distribution

Server General distributes keys during the configuration process. The master encryption keys - the SMK for the Security Officer (SO) and the DMKs for Data Administrators (DA) - are ‘wrapped’ using unique passphrases (Key Encryption Keys, KEKs) that are known only to their respective owners. This way, only authorized administrators are able to reconstitute their encryption keys by providing the correct KEKs. The MySQL Master Key (MMK) is also generated during initial configuration. The MMK is wrapped using the Data Administrator’s master key, the DMK.

Key Storage

Keys must be stored in a location that is inaccessible to untrusted parties. Typically this requires some form of physical protection for the storage media that holds the keys, isolated from the host computer. Server General provides two storage options - a cloud-based key store and a stand-alone private key locker virtual appliance deployed within the customer’s own network. All encryption keys are encrypted before they are put into any type of storage. The Data Administrator’s master key, the DMK, is used to encrypt the MySQL Master Key, the MMK.

Key Rotation

The use of the same key over a long period increases the risk of a successful compromise. The key rotation interval depends on the nature of the encrypted data sets and can be anything from every few hours to every couple of years. We provide on-demand rotation of the MySQL key and the other encryption keys used by Server General administrators.

Key Revocation

There are times when there is an urgent need to revoke an encryption key. In our security model, the Security Officer is able to revoke the Data Administrator’s key with or without his cooperation. Revocation does not require the encrypted data sets to be decrypted first and then re-encrypted with the new key.
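The wrapping chain described under Key Distribution, Key Storage, Key Rotation and Key Revocation, worked through as an added example. This is constructed illustration code, not Server General's own implementation. It assumes a passphrase-derived KEK wrapping the DMK, the DMK wrapping the MMK, and the MMK wrapping a TSK, all 256-bit keys held only in wrapped form. AES-256-GCM is used in place of the product's AES-256-CBC default so that unwrapping with the wrong key fails authentication instead of yielding garbage, and the passphrase-to-KEK step is a single HMAC-SHA256 stand-in rather than the slow password KDF a real deployment would use. Rotating the DMK re-wraps only the MMK; the wrapped TSK, and so the tablespace data it protects, is never touched, which is the property the Key Revocation section relies on. How the Security Officer revokes the DA's key without the DA's cooperation is not described on this page and is not modelled here; the rotation below needs the old passphrase.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed illustration of the wrapping chain described on this page
// (passphrase -> KEK -> DMK -> MMK -> TSK); not Server General's own code.
// AES-256-GCM stands in for the product's AES-256-CBC default so that a
// wrong key is rejected on unwrap; the KDF below is a stand-in too.

const keyLen = 32 // 256-bit keys throughout, as the page states

func random(n int) []byte { // n bytes from the OS CSPRNG
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// deriveKEK turns a passphrase into a 256-bit key-encryption key. This is a
// single HMAC-SHA256 stand-in; a real deployment would use a slow password
// KDF such as PBKDF2, scrypt or Argon2id with a high work factor.
func deriveKEK(passphrase, salt []byte) []byte {
	mac := hmac.New(sha256.New, salt)
	mac.Write(passphrase)
	return mac.Sum(nil)
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only reachable with a non-AES key size
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// wrap encrypts inner under outer with a fresh nonce prefixed to the blob;
// unwrap reverses it, and the wrong outer key fails GCM authentication.
func wrap(outer, inner []byte) []byte {
	g := gcmFor(outer)
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, inner, nil)
}

func unwrap(outer, blob []byte) ([]byte, error) {
	g := gcmFor(outer)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("wrapped blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// Locker holds only wrapped keys: no key is ever stored in plain text.
type Locker struct {
	Salt, WrappedDMK, WrappedMMK, WrappedTSK []byte
}

// Setup mirrors initial configuration: each key is wrapped under the tier
// above it. The plaintext TSK is returned only so callers can check the chain.
func Setup(daPassphrase []byte) (*Locker, []byte) {
	salt, dmk, mmk, tsk := random(16), random(keyLen), random(keyLen), random(keyLen)
	return &Locker{salt, wrap(deriveKEK(daPassphrase, salt), dmk), wrap(dmk, mmk), wrap(mmk, tsk)}, tsk
}

// Unwrap walks the chain from the DA passphrase down to the tablespace key.
func Unwrap(l *Locker, daPassphrase []byte) (mmk, tsk []byte, err error) {
	dmk, err := unwrap(deriveKEK(daPassphrase, l.Salt), l.WrappedDMK)
	if err != nil {
		return nil, nil, fmt.Errorf("DMK: %w", err)
	}
	if mmk, err = unwrap(dmk, l.WrappedMMK); err != nil {
		return nil, nil, fmt.Errorf("MMK: %w", err)
	}
	tsk, err = unwrap(mmk, l.WrappedTSK)
	return mmk, tsk, err
}

// RotateDMK replaces the DA master key (rotation or revocation) and re-wraps
// the MMK under it; the TSK blob, and so the encrypted tablespaces, stay as is.
func RotateDMK(l *Locker, oldPassphrase, newPassphrase []byte) error {
	mmk, _, err := Unwrap(l, oldPassphrase)
	if err != nil {
		return err
	}
	newDMK := random(keyLen)
	l.WrappedDMK = wrap(deriveKEK(newPassphrase, l.Salt), newDMK)
	l.WrappedMMK = wrap(newDMK, mmk)
	return nil
}
```

Drive it with Setup, Unwrap and RotateDMK from a test or a small main. The simplest demonstration of the revocation claim is to copy l.WrappedTSK before calling RotateDMK and confirm it is byte-for-byte identical afterwards while the old passphrase no longer opens the chain and the new one still reproduces the same TSK.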

Key Custodians

Each Server General administrator generates and controls his/her own master encryption key, which is used to encrypt data under their control. There can be a maximum of four (4) administrators for a Server General installation, limiting the total number of key custodians to 4. This limit can easily be increased by contacting us.