OpenKMIP / PyKMIP

A Python implementation of the KMIP specification.
Apache License 2.0

Using pykmip server as a database encrypter. #651

Open hspostalli opened 3 years ago

hspostalli commented 3 years ago

Hi,

I wonder whether pykmip server can be used to encrypt any database (e.g. KMS database).

And I also want to learn what are the reasons you don't recommend the PyKMIP server for production use? You noticed one of them is insecure db file. Is there any solution to make the file be secure?

Sincerely.

PeterHamilton commented 3 years ago

Hi @hspostalli, thanks for filing this issue.

> I wonder whether pykmip server can be used to encrypt any database (e.g. KMS database).

It depends on what you're envisioning here. The server is already a form of key management system. Are you referring to a different type of system, or a specific version or product?

> And I also want to learn what are the reasons you don't recommend the PyKMIP server for production use? You noticed one of them is insecure db file. Is there any solution to make the file be secure?

There are several reasons why the server shouldn't be used for production use. There are a couple of other past issues on GitHub here that mention this as well. I'm not going to go into much detail but the gist of it is the server isn't currently optimized for large scale use. Its data isn't stored in as secure a manner as production would require, at the individual table field or overall database level. The server does not integrate with third-party/external authentication systems, meaning you cannot hook it into your enterprise LDAP/Kerberos backends and must manage separate PKI credentials to use it.

There are other more granular reasons but the ones I listed suffice.

hspostalli commented 3 years ago

Hi @PeterHamilton,

Yes, I am referring to a different system. Suppose that I have a sqlite database which supports KMIP. I want to encrypt that db using PyKMIP tools. Is there any possibility for that?

hspostalli commented 3 years ago

Hi @PeterHamilton

Is there any progress?

PeterHamilton commented 3 years ago

> Suppose that I have a sqlite database which supports KMIP. I want to encrypt that db using PyKMIP tools. Is there any possibility for that?

No, this isn't supported. PyKMIP has its own bespoke database schema. It creates a new SQLite database when the server first starts up and uses it until the backing file is destroyed (or the server configuration changes and points to a new backing file). There is no way to take an existing SQLite database (with a non-PyKMIP schema) and run PyKMIP off of it.

If you have keys or other binary data stored in your database, you could export each data item and store it in the PyKMIP server one-by-one using the PyKMIP client. But that's not the same thing.
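
The one-by-one export described in the last comment, as an added example (not code from the thread or from the PyKMIP project). The `secrets` table, its columns, the `kmip_map` table and `app.db` are hypothetical; the PyKMIP calls are `ProxyKmipClient.register()` with an `OpaqueObject`, and clearing the source column after a successful register is an assumption of this sketch, not something the thread prescribes.

```python
import sqlite3


def pykmip_register(config="client"):
    """Open a PyKMIP client; return (client, register_fn). Lazy import so
    migrate() can be exercised without PyKMIP or a running server."""
    from kmip import enums
    from kmip.pie import client, objects
    c = client.ProxyKmipClient(config=config)  # section name in pykmip.conf
    c.open()

    def register(name, blob):
        # Opaque objects carry arbitrary binary data; register() returns the UID.
        obj = objects.OpaqueObject(blob, enums.OpaqueDataType.NONE, name=name)
        return c.register(obj)
    return c, register


def migrate(conn, register):
    """Move each blob in the hypothetical `secrets` table to the KMIP server.
    Returns {row_id: uid}. A row is cleared only after its register() succeeds."""
    conn.execute("CREATE TABLE IF NOT EXISTS kmip_map "
                 "(row_id INTEGER PRIMARY KEY, uid TEXT)")
    rows = conn.execute("SELECT id, name, material FROM secrets "
                        "WHERE material IS NOT NULL").fetchall()
    moved = {}
    for row_id, name, blob in rows:
        try:
            uid = register(name, bytes(blob))
        except Exception as exc:  # leave the item in place and keep going
            print(f"row {row_id}: register failed ({exc}); not cleared")
            continue
        with conn:  # one transaction per item: record the UID, then drop the blob
            conn.execute("INSERT OR REPLACE INTO kmip_map VALUES (?, ?)",
                         (row_id, uid))
            conn.execute("UPDATE secrets SET material = NULL WHERE id = ?",
                         (row_id,))
        moved[row_id] = uid
    return moved


if __name__ == "__main__":
    kmip_client, register_fn = pykmip_register()
    try:
        print(migrate(sqlite3.connect("app.db"), register_fn))  # hypothetical file
    finally:
        kmip_client.close()
```

Setting the column to NULL does not scrub the old bytes from the SQLite file; run `VACUUM` (or enable `PRAGMA secure_delete`) once the migration has been verified.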