Introduction

To ensure data privacy and minimize data vulnerability, OpenSpecimen provides an option to encrypt the MySQL database "at rest" and "in transit".

At Rest: Ensures the database files are in an encrypted format on the disk.
In Transit: Ensures the data passing through the network to the application is encrypted.

In both techniques, the malicious user won't be able to decrypt data.

Encrypting Data At Rest

In the database, all the patient data is stored in data files. There is a chance that an attacker can retrieve sensitive data if they get direct access to such files. To avoid this, one can encrypt the data files using the keyring plugin provided by MySQL.

The keyring file is the main file that stores key using which the tablespace (where all table data files are stored) is encrypted. The keyring plugin is used for this purpose.

Before encryption: Data is in a human-readable format.

After encryption: Data is encrypted.

Step 1: Enable the keyring plugin

Add below line under the [mysqld] section in my.cnf/my.ini file and restart the MySQL service.

For Linux:

[mysqld]
early-plugin-load=keyring_file.so

The default location of keyring file: /var/lib/mysql-keyring/keyring

For Windows:

[mysqld]
early-plugin-load=keyring_file.dll

The default location of the keyring file: C:/Program Files/MySQL/MySQL Server 5.7/keyring/keyring

Note: If a customer wants to generate the keyring file on any particular location/drive then provide the absolute path in ‘keyring_file_data’ property.

Step 2: Verify if the plugin is enabled or not

The below query should give output as ‘Active’.

SELECT 
  PLUGIN_NAME, PLUGIN_STATUS
FROM 
  INFORMATION_SCHEMA.PLUGINS
WHERE 
  PLUGIN_NAME LIKE 'keyring%';

Once the plugin is activated, encrypt the table data using steps provided in the next section.

Step 3: Encrypt database tables

i) To encrypt a database table we run ALTER TABLE <TABLE_NAME> ENCRYPTION=”Y”

ii) Similarly, we’ll need to encrypt every table in the database. For this, we can generate a master-sql file, which will have the query to alter all the existing DB tables.

iii) Follow the below procedure to create a master-query.

TEE: This command reads the standard input and writes it to the file as well as standard output.

iv) Remove the table structure and the select query captured in the ‘encrypt_tables.sql’ file using the below command.

v) Again login into MySQL database and run the ‘source processed_encryption_table.sql’.

vi) Check if all tables are encrypted are not by noting ENCRYPTION="Y" flag under the CREATE_OPTIONS column.

Encrypting Data In Transit

In this step, we create self-signed SSL certificates for MySQL server to communicate using SSL. The certificate file is shared with the application so that it can store certificates in its TrustStore file and application can trust the MySQL server.

Step 1: Certificate creation

Generates a private key file:

Generates Certificate file:

Both files are used by CA to create a self-signed certificate.

Generates a private key and certificate request file:

After that, process the key to remove the passphrase using the ‘openssl rsa’ command.

Lastly using the certificate request, CA's private key and certificate, generate a self-signed X509 certificate.

The server-cert.pem file is the self-signed certificate.

Step 2: Configure certificate in MySQL

In this step, we configure the SSL certificate files into the MySQL server. This will notify the MySQL about which certificate to use and enable security flags.

Each time when MySQL communicates with the application, the connection is secured using these certificate files.

Step 3: Add the certificate in the Java TrustStore.

A Java TrustStore file holds certificates that authenticate other applications; for example, MySQL server. Using this file, OpenSpecimen will trust MySQL as a legit partner.

The JVM (client), look up the certificates in its TrustStore. If the certificate or Certificate Authorities presented by the MySQL is not in our TrustStore then the application gives an SSLHandshakeException and connection won’t be set up successfully.

Step 4: Enable encryption in Tomcat.

The useSSL=true property is added to the JDBC URL to communicate with the database via SSL. This property can be added to only connect if the database server supports SSL.

How to implement DB encryption for MySQL?