To ensure data privacy and minimize data vulnerability, OpenSpecimen provides an option to encrypt the MySQL database "at rest" and "in transit".
At Rest: Ensures the database files are in an encrypted format on the disk.
In Transit: Ensures the data passing through the network to the application is encrypted.
In both techniques, the malicious user won't be able to decrypt data.
Encrypting Data At Rest
In the database, all the patient data is stored in data files. There is a chance that an attacker can retrieve sensitive data if they get direct access to such files. To avoid this, one can encrypt the data files using the keyring plugin provided by MySQL.
The keyring file is the main file that stores key using which the tablespace (where all table data files are stored) is encrypted. The keyring plugin is used for this purpose.
Before encryption: Data is in a human-readable format.
After encryption: Data is encrypted.
Step 1: Enable the keyring plugin
Add below line under the [mysqld] section in my.cnf/my.ini file and restart the MySQL service.
The default location of keyring file: /var/lib/mysql-keyring/keyring
The default location of the keyring file: C:/Program Files/MySQL/MySQL Server 5.7/keyring/keyring
Note: If a customer wants to generate the keyring file on any particular location/drive then provide the absolute path in ‘keyring_file_data’ property.
Step 2: Verify if the plugin is enabled or not
The below query should give output as ‘Active’.
PLUGIN_NAME LIKE 'keyring%';
Once the plugin is activated, encrypt the table data using steps provided in the next section.
Step 3: Encrypt database tables
i) To encrypt a database table we run ALTER TABLE <TABLE_NAME> ENCRYPTION=”Y”
ii) Similarly, we’ll need to encrypt every table in the database. For this, we can generate a master-sql file, which will have the query to alter all the existing DB tables.
iii) Follow the below procedure to create a master-query.
mysql> USE <database_name>;
mysql> TEE encrypt_tables.sql;
mysql> SELECT CONCAT("ALTER TABLE `", TABLE_NAME,"` ENCRYPTION=\"Y\" ;")
TEE: This command reads the standard input and writes it to the file as well as standard output.
iv) Remove the table structure and the select query captured in the ‘encrypt_tables.sql’ file using the below command.
grep -i "ALTER" encrypt_tables.sql | sed '1d' | sed 's/|//g' > processed_encryption_tables.sql
v) Again login into MySQL database and run the ‘source processed_encryption_table.sql’.
mysql> USE <database_name>;
mysql> SOURCE processed_encryption_table.sql
vi) Check if all tables are encrypted are not by noting ENCRYPTION="Y" flag under the CREATE_OPTIONS column.
TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS
CREATE_OPTIONS LIKE '%ENCRYPTION%';
Encrypting Data In Transit
In this step, we create self-signed SSL certificates for MySQL server to communicate using SSL. The certificate file is shared with the application so that it can store certificates in its TrustStore file and application can trust the MySQL server.
To specify clients are required to use encrypted connections, the ‘require_secure_transport’ system variable is enabled.
If the certificate files are not present in the MySQL data directory then specify the absolute (full) path of files.
Step 3: Add the certificate in the Java TrustStore.
A Java TrustStore file holds certificates that authenticate other applications; for example, MySQL server. Using this file, OpenSpecimen will trust MySQL as a legit partner.
The JVM (client), look up the certificates in its TrustStore. If the certificate or Certificate Authorities presented by the MySQL is not in our TrustStore then the application gives an SSLHandshakeException and connection won’t be set up successfully.
Create certs directory in $Tomcat/bin and copy the CA certificates file.
The below line adds the certificate file in JVM’s trust store file.