cossacklabs / acra

Database security suite. Database proxy with field-level encryption, search through encrypted data, SQL injections prevention, intrusion detection, honeypots. Supports client-side and proxy-side ("transparent") encryption. SQL, NoSQL.
https://www.cossacklabs.com/acra/
Apache License 2.0

[ISSUE] Encryption Not working #692

Closed devendermishra closed 7 months ago

devendermishra commented 7 months ago

Describe the Issue

I am using MySQL. I have acra_test_db with the following sample table:

CREATE TABLE cphone(id INTEGER AUTO_INCREMENT PRIMARY KEY, phone varchar(12), e_phone varbinary(20));

My encryptor config is as follows:

 database_settings:
      mysql:
          case_sensitive_table_identifiers: true

 defaults:
     crypto_envelope: acrablock

 schemas:
    - table: cphone
      columns:
         - id
        - phone
        - e_phone
      encrypted:
        - column: "e_phone"

I am running docker command as follows:

docker run --mount type=bind,source="$(pwd)/keystore",target=/keystore \
--mount type=bind,source="$(pwd)/ssl",target=/ssl \
--mount type=bind,source="$(pwd)/encryptor_config.yml",target=/encryptor_config.yml \
--rm --network host -p 9393:9393 -p 9090:9090 -e ACRA_SERVER_MASTER_KEY=${ACRA_SERVER_MASTER_KEY} \
-e ACRA_CONNECTOR_MASTER_KEY=${ACRA_CONNECTOR_MASTER_KEY} \
-e ACRA_CLIENT_ID=${ACRA_CLIENT_ID} \
-e MYSQL_DATABASE=${MYSQL_DATABASE} \
-e MYSQL_USER=${MYSQL_USER} \
-e MYSQL_PASSWORD=${MYSQL_PASSWORD} \
-e ACRA_HTTPAUTH_USER=${ACRA_HTTPAUTH_USER} \
-e ACRA_HTTPAUTH_PASSWORD=${ACRA_HTTPAUTH_PASSWORD} \
-e ACRA_MASTER_KEY=${ACRA_MASTER_KEY} \
cossacklabs/acra-server:stable \
-client_id ${ACRA_CLIENT_ID} -db_host 127.0.0.1 -db_port 3306 -mysql_enable --v -keys_dir /keystore/newkey1 -encryptor_config_file /encryptor_config.yml --tls_client_id_from_cert=false --tls_auth=0 --tls_client_auth=0 --tls_database_auth=0 --tls_cert=/ssl/acra-server.crt --tls_key=/ssl/acra-server.key

On connecting to the server, when I insert any record, it is not getting encrypted.

 mysql -u user -p acra_test_db --port 9393 --host 127.0.0.1 --ssl-mode=DISABLED

 > insert into cphone (phone, e_phone) values ('sample', 'sample');

devendermishra commented 7 months ago

Log:

WARNING: Published ports are discarded when using host network mode
time="2023-11-30T10:41:34Z" level=info msg="Starting service acra-server [pid=1]" version=0.95.0
time="2023-11-30T10:41:34Z" level=info msg="Validating service configuration..."
time="2023-11-30T10:41:34Z" level=info msg="Load encryptor configuration from /encryptor_config.yml ..."
time="2023-11-30T10:41:34Z" level=info msg="Encryptor configuration loaded"
time="2023-11-30T10:41:34Z" level=info msg="Initialising keystore..."
time="2023-11-30T10:41:34Z" level=info msg="Initializing default env ACRA_MASTER_KEY loader"
time="2023-11-30T10:41:34Z" level=info msg="Cached keystore on start successfully"
time="2023-11-30T10:41:34Z" level=info msg="Keystore init OK" path=/keystore/newkey1
time="2023-11-30T10:41:34Z" level=info msg="Configuring transport..."
time="2023-11-30T10:41:34Z" level=info msg="Use sni" sni=""
time="2023-11-30T10:41:34Z" level=info msg="Use sni" sni=127.0.0.1
time="2023-11-30T10:41:34Z" level=info msg="Loaded TLS configuration" tls_client_id_from_cert=false
time="2023-11-30T10:41:34Z" level=info msg="Initialize in-memory db storage for tokens"
time="2023-11-30T10:41:34Z" level=info msg="Initialized in-memory db storage for tokens"
time="2023-11-30T10:41:34Z" level=info msg="Initialized SQL query parser in default mode"
time="2023-11-30T10:41:34Z" level=info msg="Start listening to connections. Current PID: 1"
time="2023-11-30T10:41:34Z" level=info msg="Enabling VERBOSE log level"
time="2023-11-30T10:41:34Z" level=info msg="Create listener" connection_string="tcp://0.0.0.0:9393/" from_descriptor=false
time="2023-11-30T10:41:34Z" level=info msg="Start listening connections" connection_string="tcp://0.0.0.0:9393/" from_descriptor=false

time="2023-11-30T10:41:45Z" level=info msg="Got new connection to AcraServer: 127.0.0.1:46308" connection_string="tcp://0.0.0.0:9393/" from_descriptor=false
time="2023-11-30T10:41:45Z" level=info msg="Handle client's connection" client_id=MyClientID session_id=1
time="2023-11-30T10:41:45Z" level=warning msg="ignoring error of non parsed sql statement"
time="2023-11-30T10:41:45Z" level=warning msg="ignoring error of non parsed sql statement"
time="2023-11-30T10:41:45Z" level=warning msg="ignoring error of non parsed sql statement"

Lagovas commented 7 months ago

Hello.

  1. You have indentation issues in your encryptor config: an extra space in the row `- id`.
  2. You use varbinary(20), which cannot be used with AcraBlock, which has an overhead of 138 bytes over the plaintext. Use BLOB instead of varbinary(20), according to our docs.

devendermishra commented 7 months ago
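The two problems named in the reply above (a list item indented differently from its siblings, and an encrypted column too narrow for the AcraBlock envelope) are both cheap to catch before starting acra-server. The following script is an added example written for this page; it is not part of the Acra project and not code from the thread. It embeds the CREATE TABLE statement and the `schemas:` fragment as posted, takes the 138-byte AcraBlock overhead figure from the reply as given, and uses the standard MySQL BLOB capacities. The parsing is deliberately minimal (a regex over `name TYPE(n)` column definitions, and a line scanner for `- ` items rather than a YAML parser), which is labelled in the comments.

```python
import re

# AcraBlock ciphertext overhead over the plaintext, as stated in the reply (138 bytes).
ACRABLOCK_OVERHEAD = 138

# Maximum sizes (bytes) of the MySQL binary-blob types.
BLOB_CAPACITY = {
    "tinyblob": 255,
    "blob": 65535,
    "mediumblob": 16777215,
    "longblob": 4294967295,
}

# The table from the issue and a constructed "fixed" variant using BLOB.
DDL_FROM_THREAD = (
    "CREATE TABLE cphone(id INTEGER AUTO_INCREMENT PRIMARY KEY, "
    "phone varchar(12), e_phone varbinary(20));"
)
DDL_FIXED = (
    "CREATE TABLE cphone(id INTEGER AUTO_INCREMENT PRIMARY KEY, "
    "phone varchar(12), e_phone BLOB);"
)

# The schemas: fragment exactly as posted (note the extra space before "- id"),
# and the corrected fragment from the follow-up comment.
CONFIG_FROM_THREAD = """\
 schemas:
    - table: cphone
      columns:
         - id
        - phone
        - e_phone
      encrypted:
        - column: "e_phone"
"""
CONFIG_FIXED = """\
schemas:
- table: cphone
  columns:
    - id
    - phone
    - e_phone
  encrypted:
  - column: "e_phone"
    data_type: "str"
"""

# Matches "name TYPE" or "name TYPE(n)" at the start of one column definition.
COLUMN_RE = re.compile(r"^\s*(\w+)\s+(\w+)(?:\((\d+)\))?", re.IGNORECASE)


def parse_create_table(ddl):
    """Return {column: (type, declared_size_or_None)} from a simple CREATE TABLE.
    Heuristic: splits the column list on commas, so types like DECIMAL(10,2)
    are not handled; enough for the shape used in the thread."""
    body = ddl[ddl.index("(") + 1 : ddl.rindex(")")]
    columns = {}
    for part in body.split(","):
        m = COLUMN_RE.match(part)
        if m:
            name, ctype, size = m.groups()
            columns[name] = (ctype.lower(), int(size) if size else None)
    return columns


def column_capacity(ctype, size):
    """Bytes the column can hold, or None when it is not a binary type."""
    if ctype in ("varbinary", "binary"):
        return size
    return BLOB_CAPACITY.get(ctype)


def check_encrypted_columns(ddl, encrypted_columns, max_plaintext_len):
    """For every column the encryptor config marks as encrypted, report whether
    it can store an AcraBlock for a plaintext of up to max_plaintext_len bytes."""
    columns = parse_create_table(ddl)
    needed = max_plaintext_len + ACRABLOCK_OVERHEAD
    report = {}
    for col in encrypted_columns:
        if col not in columns:
            report[col] = "missing from table"
            continue
        ctype, size = columns[col]
        capacity = column_capacity(ctype, size)
        if capacity is None:
            report[col] = f"{ctype}: not a binary type, use BLOB"
        elif capacity < needed:
            report[col] = f"{ctype}({size}) too small: needs >= {needed} bytes"
        else:
            report[col] = "ok"
    return report


def find_uneven_list_items(yaml_text):
    """Heuristic indentation check, not a YAML parser: consecutive '- ' lines are
    treated as one sequence, and every line of a run whose indents disagree is
    flagged (1-based line numbers). A nested list directly under a '- ' item
    would be a false positive; the flat lists in an encryptor config are fine."""
    flagged = []
    run = []  # (lineno, indent) for the current run of '- ' lines

    def flush():
        if len({indent for _, indent in run}) > 1:
            flagged.extend(lineno for lineno, _ in run)
        run.clear()

    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        stripped = line.lstrip(" ")
        if stripped.startswith("- "):
            run.append((lineno, len(line) - len(stripped)))
        else:
            flush()
    flush()
    return flagged


if __name__ == "__main__":
    # phone is varchar(12), so 12 bytes is the longest plaintext e_phone must hold.
    print("original table:", check_encrypted_columns(DDL_FROM_THREAD, ["e_phone"], 12))
    print("fixed table:   ", check_encrypted_columns(DDL_FIXED, ["e_phone"], 12))
    print("original config, uneven lines:", find_uneven_list_items(CONFIG_FROM_THREAD))
    print("fixed config, uneven lines:   ", find_uneven_list_items(CONFIG_FIXED))
```

Run against the thread's table, `e_phone varbinary(20)` is reported as needing at least 150 bytes (12-byte plaintext plus the 138-byte envelope), and the posted config flags lines 4 to 6 of the fragment as an inconsistently indented run; both the BLOB table and the corrected config pass. The size check is the one worth keeping around: a column that silently cannot hold the ciphertext is exactly the kind of misconfiguration that leaves data stored in plaintext without an obvious error.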

@Lagovas Thanks for quick response.

Updated config is

database_settings:
  mysql:
    case_sensitive_table_identifiers: true

defaults:
  crypto_envelope: acrablock

schemas:
- table: cphone
  columns:
    - id
    - phone
    - e_phone
  encrypted:
  - column: "e_phone"
    data_type: "str"

I have changed the type to BLOB. I am still facing the same problem.

devendermishra commented 7 months ago

@Lagovas It seems that it is not working with MySQL 8.