Step-by-step guide to data protection with Baffle and IBM Cloud Hyper Protect DBaaS for PostgreSQL


Introduction:

IBM Cloud and Baffle Data Protection Services (DPS) for IBM Cloud let you provision Baffle Manager and Baffle Shield and configure encryption/decryption rules against IBM Cloud databases such as Hyper Protect DBaaS for PostgreSQL: database records and columns are encrypted and decrypted on the fly, and existing records can be migrated so that record- or column-level encryption rules are applied to them. The IBM Cloud Baffle services decouple the encryption, decryption and masking of database records from the database engine, providing an additional layer of security on top of an already protected and fully encrypted database such as IBM Cloud Hyper Protect DBaaS for PostgreSQL.

Reference architecture:

The reference architecture below shows how the Baffle Shield can be deployed to encrypt data in real time from a web application as well as migrate data from on-premises DB2 to HP DBaaS on the IBM Cloud.

The instructions below list the steps for provisioning IBM Cloud Baffle Data Protection Service against IBM Cloud Hyper Protect DBaaS for PostgreSQL.

Limits:

Currently, only a local keystore made available by Baffle Manager can be used for encryption, but the ability to use the IBM Cloud Key Store feature for encryption is being added by the vendor and will be available soon.

Even though Baffle Manager and Baffle Shield can run on both Kubernetes and Red Hat OpenShift, they are currently only certified for Kubernetes.

Preconditions:

  1. Provision a VPC in any region with 3 subnets and a public gateway attached to the subnets.
  2. Provision an IAM public key for your account.
  3. Provision a Kubernetes cluster in the VPC, with public and private endpoints enabled, in the region of your choice using IBM Cloud Kubernetes Service: at least two worker nodes of 4 CPU / 16 GB, with autoscaling enabled.
  4. Provision IBM Hyper Protect DBaaS for PostgreSQL.
  5. Make the Baffle Shield and Baffle Manager images available in IBM Cloud Container Registry.
  6. Install the IBM Cloud CLI with the Container Registry (CR) and VPC plugins for terminal access to resources in IBM Cloud.
  7. Install kubectl for terminal access to the Kubernetes cluster.
  8. Install pgAdmin (for PostgreSQL) or the DBeaver database client to connect to and query databases.

Step by step:

1) Create Baffle Manager using IBM Cloud Data Protection Service

Create Baffle Manager as shown in the screenshot below.

Fill in the deployment parameters:

iaas_classic_api_key: Use your IBM API key
iaas_classic_username: Use your IBM Cloud login email address
ibmcloud_api_key: Use your IBM API key
image_location: IBM CR location where the Baffle images are present
cluster_name: Kubernetes cluster name
flavor: Leave it as default
region: Specify the region of the Kubernetes cluster
resource_group: Name of your resource group
vpc_name: The name of the VPC where you are deploying Baffle
worker_count: Number of Baffle worker nodes
cabinet_version: Specify the Baffle release version

Check the End User Agreement box, then click Install.

The Baffle Manager application will be deployed to the Kubernetes cluster as shown below.

Use the Baffle-Nginx load balancer URL from the screenshot above (https://c1acb126-us-east.lb.appdomain.cloud/) in Chrome (if you have the security plugin) or Firefox. Follow the setup prompts.

Step 1. Configure system settings. Enter a host name, domain name, and organization name. All system users created later must have this domain name as part of their email address. Then click CONTINUE.

Step 2. Configure email settings. Click Skip unless you want to configure an SMTP server, then click CONTINUE.

Step 3. Create an administrator account. This account is used to configure the components that follow, such as the key management store, data store connections, and Baffle Shields.

Write down the email address and password as you fill in the fields, then click CONTINUE.

Step 4. Configure the credential keystore. This step establishes an encrypted credential store for any system access credentials or access keys used by Baffle Manager or Baffle Shield. The default name is “baffle_credential_store” and cannot be changed.

Select LOCAL for the keystore type and enter the Baffle secret key in the text field. REMARK: the Baffle secret key must contain at least 10 characters, a mix of upper and lower case, and at least one number. Any value that meets these rules will do for the secret key and password; then click CONTINUE.

Step 5. Install the SSL certificate. This step lets you install an SSL certificate to secure access to the Baffle Manager web interface; you can click Skip for now.

The Baffle Manager login screen appears and is ready to use. Enter the Baffle admin user and password created in the previous steps to log in.

Once connected, add a new local keystore. REMARK: See the Baffle documentation to configure IBM Key Protect and add it as a keystore.

Add the HP DBaaS for PostgreSQL instance you created as a prerequisite (and upload the cert.pem from the database).

Connect to Hyper Protect DBaaS with DBeaver, create a table, and create test data.

Use the queries below to create an example table:

CREATE TABLE public.accounts (
        user_id serial PRIMARY KEY,
        username VARCHAR ( 50 ) UNIQUE NOT NULL,
        password VARCHAR ( 50 ) NOT NULL,
        account_number VARCHAR ( 50 ) NOT NULL,
        first_name VARCHAR ( 50 ) NOT NULL,
        last_name VARCHAR ( 50 ) NOT NULL,
        address VARCHAR ( 50 ) ,
        ssn NUMERIC ( 9 ) NOT NULL,
        dob VARCHAR ( 10 ) NOT NULL,
        email VARCHAR ( 255 ) UNIQUE NOT NULL,
        created_on TIMESTAMP NOT NULL,
        last_login TIMESTAMP
);

Insert sample data into the accounts table.

INSERT INTO public.accounts
(username, password, account_number, first_name, last_name, address, ssn, dob, email, created_on, last_login)
VALUES
('user', 'xysxy', '1890489', 'Michael', 'Dara', 'PA', '123456789', '06-02-2000', '[email protected]', TIMESTAMP '2021-09-13 15:36:38', TIMESTAMP '2021-09-13 15:36:38');

INSERT INTO public.accounts
(username, password, account_number, first_name, last_name, address, ssn, dob, email, created_on, last_login)
VALUES
('admin', 'iufhg', '6574647', 'admin', 'user', 'PA', '746393648', '07-02-2000', '[email protected]', TIMESTAMP '2021-09-13 15:36:38', TIMESTAMP '2021-09-13 15:36:38');

INSERT INTO public.accounts
(username, password, account_number, first_name, last_name, address, ssn, dob, email, created_on, last_login)
VALUES
('baffle', 'hdfg', '647649', 'baffle', 'user', 'PA', '765498764', '08-02-2000', '[email protected]', TIMESTAMP '2021-09-13 15:36:38', TIMESTAMP '2021-09-13 15:36:38');

Return to the Baffle Manager console and create/register a new application.

Click Register Application.

Note the Shield Sync ID that will be used to create Baffle Shield.

2) Create the IBM Cloud Baffle Shield service.

Fill in the deployment values, check the provider agreement box, and click Install.

iaas_classic_api_key: Use your IBM API key
iaas_classic_username: Use your IBM Cloud login email address
ibmcloud_api_key: Use your IBM API key
image_location: IBM CR location where the Baffle images are present
cluster_name: Kubernetes cluster name
BM_LB_URL: Baffle Manager load balancer URL
shield_sync_id: Baffle Manager shield sync ID
cabinet_version: Specify the Baffle release version

Once deployed, you will see the Baffle Shield Pod operational.

Now go back to the Baffle Manager console and click on the registered application. You will see the Baffle Shield registered with Baffle Manager.

Upload the keys to the Baffle Shield

  1. Download Baffle Shield’s public and private keys from the URLs below:

https://public-baffle.s3.us-west-2.amazonaws.com/releases/jks/baffleshield-keystore-ibm-hp-dbaas-pg.jks

https://public-baffle.s3.us-west-2.amazonaws.com/releases/jks/baffleshield-ibm-hp-dbaas-pg-ca.pem

  2. Rename baffleshield-keystore-ibm-hp-dbaas-pg.jks to baffleshield-keystore.jks.
  3. Copy baffleshield-keystore.jks to the Baffle Shield pod deployed on the Kubernetes cluster:

 ibmcloud ks cluster config --cluster mdara-hp-dbaas-postgres-cluster

 kubectl cp baffleshield-keystore.jks baffle-shield-app1-6c948cc55c-hkv9k:/opt/sslconfig/baffleshield-keystore.jks

  4. Restart the Baffle Shield deployment so it picks up the new keystore:

 kubectl rollout restart -n default deployment baffle-shield-app1

Encryption/decryption test with Baffle Shield

Click Migration Details -> Encrypt and select the columns you want to encrypt, then click Save.

Select the Deploy and Migrate radio button, then click Save. This migrates all existing data in HP DBaaS for PostgreSQL and applies the encryption rules to the selected fields.

To verify the migrated data, go to DBeaver and query the table. You will see that the selected fields are now encrypted rather than plain text.

Application of the migration policy for new records to be inserted into the database

To apply the migration policy to new records on the fly, so that they are encrypted before being written to the database, point DBeaver (or your application) at the Baffle Shield load balancer URL and issue INSERT commands.

Click the SSL tab and select the downloaded Baffle Shield CA certificate file baffleshield-ibm-hp-dbaas-pg-ca.pem.

Insert a new record through the Baffle Shield load balancer.

Now run a query directly against HP DBaaS for PostgreSQL and you will see the newly inserted record stored in encrypted form.

Decrypting database records

Querying the data through the Baffle Shield load balancer will return the decrypted data.
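The verification steps above (query the database directly, then query through the Shield) can be automated. The following is an added example, not code from the original post or from Baffle: it compares the same record as inserted, as stored in Hyper Protect DBaaS, and as returned through the Baffle Shield load balancer. The protected column list, the psycopg2 helper and the sample ciphertext values are assumptions.

```python
"""Verify the Baffle migration policy: columns selected for encryption must be
ciphertext when read directly from Hyper Protect DBaaS and plaintext when read
through the Baffle Shield. Added example, not code from the post or from Baffle."""
from typing import Dict, Iterable, List

# Assumption: the columns chosen under Migration Details -> Encrypt.
PROTECTED = ("password", "account_number", "ssn", "dob")


def check_row(plain: Dict[str, object], direct: Dict[str, object],
              shield: Dict[str, object],
              protected: Iterable[str] = PROTECTED) -> Dict[str, str]:
    """Classify each protected column of one record: 'ok' (ciphertext at rest,
    plaintext via the Shield), 'plaintext' (stored value still equals what was
    inserted) or 'mismatch' (the Shield did not return the inserted value).
    plain: inserted values; direct: row read from the database endpoint;
    shield: the same row read through the Shield load balancer."""
    result = {}
    for col in protected:
        expected, at_rest, via_shield = str(plain[col]), str(direct[col]), str(shield[col])
        if at_rest == expected:
            result[col] = "plaintext"
        elif via_shield != expected:
            result[col] = "mismatch"
        else:
            result[col] = "ok"
    return result


def fetch_accounts(dsn: str) -> List[Dict[str, object]]:
    """Read public.accounts via a libpq DSN: the direct DBaaS endpoint with
    sslrootcert=cert.pem, or the Shield load balancer with
    sslrootcert=baffleshield-ibm-hp-dbaas-pg-ca.pem. psycopg2 (assumed
    installed) is imported lazily so check_row() runs without a database."""
    import psycopg2
    import psycopg2.extras
    with psycopg2.connect(dsn) as conn:
        with conn.cursor(cursor_factory=psycopg2.extras.RealDictCursor) as cur:
            cur.execute("SELECT * FROM public.accounts ORDER BY user_id")
            return [dict(r) for r in cur.fetchall()]


# Constructed sample: the guide's first test record as inserted, as stored
# (ciphertext values are made up), and as returned through the Shield.
PLAIN = {"username": "user", "password": "xysxy", "account_number": "1890489",
         "ssn": "123456789", "dob": "06-02-2000"}
DIRECT = {**PLAIN, "password": "gkb6Tq0cJw==", "account_number": "x5QqrLhNf8Yh2A==",
          "ssn": "Z2lkdGc3d3J2cg=="}          # dob was left unencrypted
SHIELD = dict(PLAIN)
```

Any column reported as 'plaintext' was not covered by the migration policy, and 'mismatch' means the Shield is not decrypting with the key that encrypted the data.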

Migration of all database records for decryption.

Encrypted database records can be migrated back to their original state by decryption.

From the Baffle Manager console, select the registered application -> Migration details -> Decryption.

Click Next, then click the Decrypt button.

To check the results, go to DBeaver and run a query on HP DBaaS for PostgreSQL; you will see all records in the decrypted state.

***

The post Step-by-Step Guide to Data Protection with Baffle and IBM Cloud Hyper Protect DBaaS for PostgreSQL appeared first on Baffle.

*** This is a syndicated blog from Baffle’s Security Bloggers Network written by Ameesh Divatia, CEO and Co-Founder. Read the original post at: https://baffle.io/blog/step-by-step-guide-for-data-protection-with-baffle-and-ibm-cloud-hyper-protect-dbaas-for-postgresql/
