Showing entries 1 to 10 of 34
10 Older Entries »
Displaying posts with tag: encryption (reset)
MySQL encrypted streaming backups directly into AWS S3

Overview

Cloud storage is becoming more and more popular for offsite storage and DR solutions for many businesses. This post will help with those people that want to perform this process for MySQL backups directly into Amazon S3 Storage. These steps can probably also be adapted for other processes that may not be MySQL oriented.

Steps

In order to perform this task we need to be able to stream the data, encrypt it, and then upload it to S3. There are a number of ways to do each step and I will try and dive into multiple examples so that way you can mix and match the solution to your desired results.  The AWS S3 CLI tools that I will be using to do the upload also allows encryption but to try and get these steps open for customization, I am going to do the encryption in the stream.

  1. Stream MySQL backup
  2. Encrypt the stream
  3. Upload the stream to AWS S3

Step 1 : …

[Read more]
Restricting Connections to Secure Transport

MySQL 5.7 makes secure connections easier with streamlined key generation for both MySQL Community and MySQL Enterprise, improves security by expanding support for TLSv1.1 and TLSv1.2, and helps administrators assess whether clients are connecting securely or not with new visibility into connection types. …

Simplified SSL/TLS Setup for MySQL Community

Transport Layer Security (TLS, also often referred to as SSL) is an important component of a secure MySQL deployment, but the complexities of properly generating the necessary key material and configuring the server dissuaded many users from completing this task.  MySQL Server 5.7 simplifies this task for both Enterprise and Community users. …

Secure Java Connections by Default

MySQL Connector/Java 5.1.38 was released earlier this week, and it includes a notable improvement related to secure connections.  Here’s how the change log describes it:

When connecting to a MySQL server 5.7 instance that supports TLS, Connector/J now prefers a TLS over a plain TCP connection.

This mirrors changes made in 5.7 to the behavior of MySQL command-line clients and libmysql client library.  Coupled with the streamlined/automatic generation of TLS key material to ensure TLS availability in MySQL Server 5.7 deployments, this is an important step towards providing secure communication in default deployments.

[Read more]
SSL/TLS Improvements in MySQL 5.7.10

Secure communications is a core component of a robust security policy, and MySQL Server 5.7.10 – the first maintenance release of MySQL Server 5.7 – introduces needed improvements in this area.  Support for TLS has been expanded from TLSv1.0 to include TLSv1.1 and TLSv1.2, default ciphers have been updated, and controls have been implemented allowing both server and client-side configuration of acceptable TLS protocol versions.  This blog post will describe the changes, the context in which these changes were made, note important differences in capabilities between Community and Enterprise versions, and outline future plans.

Context

SSL (Secure Sockets Layer)  was superseded by TLS ( …

[Read more]
MariaDB 10.1 is stable GA

With the release of 10.1.8, MariaDB takes a next step. MariaDB 10.1 is now considered a stable release.

MariaDB 10.1 has a couple of main themes:

  • Security
  • High Availability
  • Scalability

During the last few years there have been many request for more security features in MariaDB. Actually it’s a trend in general. Since open source software is getting more attractive all the time, more functionality is wanted in areas where proprietary software typically has been leading. This is especially true for databases. In addition data privacy is a very hot topic.

The big new thing in security for MariaDB 10.1 is a complete data at rest encryption solution. The encryption that now is in use originates from Google’s encryption patch. It has now been migrated into MariaDB 10.1. The …

[Read more]
TwinDB Really Loves Backups

A week or two ago one of my former colleagues (at Percona) Jevin Real gave a talk titled Evolving Backups Strategy, Deploying pyxbackup at Percona Live 2015 in Amsterdam. I think Jervin raised some very good points about where MySQL backup solutions in general fall short. There are definitely a lot of tools and scripts out there that claim to do MySQL backups correctly, but don’t actually do it correctly. What I am more interested though is in measuring TwinDB against the points that Jervin highlighted to see if TwinDB falls short too.

Dependencies

We distribute TwinDB agent as a package that can be installed using the standard OS package management system. For example, using YUM on CentOS, RHEL and Amazon Linux, or using APT …

[Read more]
Encrypting MySQL Backups

Encryption is important component of secure environments. While being intangible property security doesn’t get enough attention when it comes to describing various systems. “Encryption support” is often the most of details what you can get asking how secure the system is. Other important details are often omitted, but the devil in details as we know. In this post I will describe how we secure backup copies in TwinDB.

See the picture. This is what happens when encryption is used incorrectly. The encryption algorithm can be perfect, but poor choice of the mode results in a quite readable encrypted image. This mode is called “Electronic Code Book”, avoid it at all means.

Another bright example of improper encryption use was illustrated in Venona project.

[Read more]
SSL/TLS in 5.6 and 5.5 – oCERT Advisory

Today, oCERT published advisory 2015-003 describing a TLS vulnerability in MySQL and derivative products.  The content isn’t exactly news – it is documented legacy behavior and the subject of an earlier blog post describing how MySQL Server 5.7 solves the problem.  That said, the efforts of Duo Security are certainly appreciated and welcomed – it provides a meaningful context to discuss how to properly harden existing MySQL 5.5 and 5.6 deployments, as well as frame a discussion on potential changes in these versions to increase security.

Vulnerability

The vulnerability described in the advisory relies on the legacy behavior of the client …

[Read more]
Implications of TLS plans for third-party products

As I wrote earlier, we want the default experience in MySQL 5.7 to be secure by default.  Part of this includes securing connections by automatically creating key material and using TLS for connections where possible.  This may have some significant implications for third-party software – especially products which depend upon capturing, evaluating and/or redirecting client/server traffic at the network level.  This blog post is intended to highlight for developers and users of such products potential issues they may want to consider or address during the pre-GA period for MySQL Server 5.7.

What types of products are dependent upon access to unencrypted protocol data?  Most immediately apparent are proxy-based and network capture-based products.  Proxy-based products typically rely on the same characteristics which can …

[Read more]
Showing entries 1 to 10 of 34
10 Older Entries »