Deep Dive into Transparent Encryption in the Open-Source Greenplum Database
## Deep Dive into Transparent Encryption in the Open-Source Greenplum Database. Greenplum R&D engineer 王湯舟. 1. The problem we face 2. A pgcrypto-based data encryption scheme 3. Design of GPDB transparent data encryption 4. The GPDB transparent encryption/decryption workflow 5. Summary
## The problem we face
## What is Greenplum Database: GPDB is an open-source HTAP database: • MPP architecture • full transaction support, ACID and standard SQL. GPDB data security; the user's problem: data needs to be encrypted • confidential data • intellectual property protection • audit requirements. User data is at risk of direct exposure • operations performed by staff outside the department (the vendor, the hardware manufacturer or partners) • after-the-fact auditing is very difficult • theft of server data (hosted or cloud deployments)
## Existing solutions: OS-based disk encryption • only guards against theft of the server's disks • does nothing for operational (administrator-side) security. pgcrypto-based encryption • can meet the data security requirements • not a native solution • has many problems
## A pgcrypto-based data encryption scheme
## pgcrypto: a simple encryption extension provided by the PostgreSQL community https://www.postgresql.org/docs/13/pgcrypto.html https://github.com/greenplum-db/gpdb/tree/master/contrib/pgcrypto Existing solutions. Data loading
48 pages | 10.19 MB | 2 years ago
PostgreSQL 9.6.24 Documentation
Encryption Options ..... 509 18.9. Secure TCP/IP Connections with SSL ..... 510 18.9.1. Using Client Certificates ..... 511 18.9.2. SSL Server File Usage ..... 512 18.9.3. Creating Certificates ... Connection Service File ..... 787 32.17. LDAP Lookup of Connection Parameters ..... 788 32.18. SSL Support ..... 789 32.18.1. Client Verification of Server Certificates ..... 789 32.18.2. Client . 790 32.18.3. Protection Provided in Different Modes ..... 790 32.18.4. SSL Client File Usage ..... 792 32.18.5. SSL Library Initialization ..... 792 32.19. Behavior in Threaded Programs ....
2661 pages | 6.53 MB | 2 years ago
《Slides Dev Web》 11. HTTPS
claims to be • For a website, these services are provided by https - HTTPS: HTTP secured by SSL/TLS, on port 443 by default
## Secure Socket Layer → Transport Layer Security
Designed by Netscape (v2.0 in 1994, v3.0 in 1996) • Patent bought back by the IETF: TLS v1.0 in 1999 (SSL 3.1), v1.3 in 2018 • Application layer: – between the transport and application layers – no need ... certificate and the server's private key • Configure httpd. For Apache: – virtual host (port 443), ssl.conf, (ports.conf) • Create the secured directory tree • Start the server • OR use
6 pages | 109.17 KB | 2 years ago
Apache ActiveMQ Artemis 2.19.0 User Manual
means that core clients will now expect the CN or Subject Alternative Name values of the broker's SSL certificate to match the hostname in the client's URL. This impacts all core-based clients including ... behavior with industry standards. To deal with this you can do one of the following: Update your SSL certificates to use a hostname which matches the hostname in the client's URL. This is the recommended ... "HTTP over TLS". 2. Due to ARTEMIS-3117 SSL keystore and truststores are no longer reloaded automatically. Previously an instance of javax.net.ssl.SSLContext was created for every connection. This
491 pages | 6.19 MB | 2 years ago
websockets Documentation
Release 2.7
port as well as extra keyword arguments are passed to create_server(). For example, you can set the ssl keyword argument to a SSLContext to enable TLS. ws_handler is the WebSocket handler. It must be a ... create_connection() method. Extra keyword arguments are passed to create_connection(). For example, you can set the ssl keyword argument to a SSLContext to enforce some TLS settings. When connecting to a wss:// URI, if
28 pages | 157.50 KB | 2 years ago
Apache ActiveMQ Artemis 1.5.2 User Manual
if a client wanted to connect to a remote server using TCP and SSL it would create a connection factory like so, tcp://remote-host:5445?ssl-enabled=true. All the properties available for the tcp scheme ... embedded JMS using Apache ActiveMQ Artemis's Spring integration. ## SSL Transport The ssl-enabled example shows you how to configure SSL with Apache ActiveMQ Artemis to send and receive messages. ## Static Message ... Our Netty transport can be configured in several different ways; to use straightforward TCP sockets, SSL, or to tunnel over HTTP or HTTPS. We believe this caters for the vast majority of transport requirements
399 pages | 1.61 MB | 2 years ago
Proxing to tomcat with httpd
the application server and the internet. • Load-balancer • Failover • Protocol termination - TLS/SSL - HTTP/2 and (soon) HTTP/3 • Understands a protocol and possible upgrades. ## Why a proxy? • Control ... Dynamic configuration (mod_balancer/mod_cluster...) • Protocol translations AJP - When - Easy TLS/SSL forwarding - Limitations - No upgrade - Header size - No encryption - Limited "authentication" (secret) - mod_proxy_ajp and mod_jk ### HTTP and HTTPS 1.1 • When: - No SSL forwarding - Using SSLValve • HTTP/HTTPS: - HTTPS might be needed (Encryption/Authentication) - HTTPS
26 pages | 242.80 KB | 1 year ago
Zabbix 4.4 Manual
Setting up SSL for Zabbix frontend. On RHEL/CentOS, install the mod_ssl package: yum install mod_ssl. Create a directory for SSL keys: mkdir -p /etc/httpd/ssl/private; chmod 700 /etc/httpd/ssl/private. Create the SSL certificate: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/private/apache-selfsigned.key ... Fill out the prompts appropriately. The most important line is the one that ... Address []: Edit the Apache SSL configuration: /etc/httpd/conf.d/ssl.conf DocumentRoot "/usr/share/zabbix" ServerName example.com:443 SSLCertificateFile /etc/httpd/ssl/apache-selfsigned.crt S
1393 pages | 16.55 MB | 1 year ago
phpMyAdmin Documentation release 4.8.0
3.10 Using authentication modes 19 3.11 Securing your phpMyAdmin installation 26 3.12 Using SSL for connection to database server 27 3.13 Known issues 27 4 Configuration 29 4.1 Basic settings ... ### 3.12 Using SSL for connection to database server It is recommended to use SSL when connecting to a remote database server. There are several configuration options involved in the SSL setup: $cfg[& ... $cfg['Servers'][$i]['ssl'] Defines whether to use SSL at all. If you enable only this, the connection will be encrypted, but there is no authentication of the connection - you can not verify
192 pages | 824.49 KB | 2 years ago
FISCO BCOS 2.1.0 Chinese Documentation
... the drawbacks of "Fail" became apparent, triggering a series of technological and business transformations and starting a wave of moving from "centralized" to "distributed". Against this background, blockchain technology took shape in 2008 and has gradually matured. Through the technical modules in blockchain solutions (consensus mechanisms, distributed ledgers, cryptographic algorithms, smart contracts, peer-to-peer communication, distributed computing architectures, distributed storage, privacy-protection algorithms, cross-chain protocols, and so on), all parties in a business model gain equal standing and mutual trust, advancing the era from the "Internet of information" to the "Internet of trust" and making fully "distributed" business models possible. ... The platform provides comprehensive security at the application, storage, network and host layers through node admission control, reliable key management and flexible permission control. For privacy protection it supports permission management and physical isolation, supports Chinese national cryptographic algorithms (standard algorithms certified by the State Cryptography Administration), and has also open-sourced implementations of several privacy-protection algorithms, including homomorphic encryption, zero-knowledge proofs, group signatures and ring signatures. - For availability, FISCO BCOS is designed for 7×24 operation and reaches financial-grade high availability. For regulatory support, regulators and auditors can join as observer nodes, ... For more on the virtual machine, see the virtual machine design document. ## Key Management Service Version 2.0 reworked and upgraded disk encryption: when disk encryption is enabled, key management relies on the KeyManager service, which is more secure. KeyManager is open-sourced on GitHub, and the interaction protocol between nodes and KeyManager is open, so an organization can design and implement a KeyManager service that meets its own key management standards, for example using hardware security module technology. For more detail on this part, see the user documentation and the design documentation. ## Admission control
1058 pages | 740.85 KB | 2 years ago