Database Security
Overview
All users sensitive data stored in Production Database (e.g. passwords) are encrypted with the Encryption Key stored outside of the Database, what guarantees the data cannot be compromised even in a case when the Database is shared.
Database encryption has been implemented in all versions of the Matrix42 platform, but it is strongly recommended to run data re-encryption tool manually for all installations preceding 9.1.2 in order to lower the security risks and improve data protection.
Data re-encryption tool is a PowerShell script available for users with Administrator rights at %ApplicationFolder%/Config/PowerShellScripts/ReEncryptData.ps1
ReEncryptData tool particularities:
- decrypts data with the currently used database encryption key;
- generates the new database encryption key and applies it as a currently used key;
- keeps the previously used encryption key for the backward compatibility;
- re-encrypts values of all database table columns listed in the script, including manually added custom fields, with the new encryption key;
- automatically restarts Martix42 services.
Database encryption is implemented based on the Advanced Encryption Standard, or AES.
Matrix42 installation
Reinforced sensitive data encryption is provided by default starting from the version 9.1.2.
Matrix42 system update
The database encryption mechanism is not upgraded by the regular Matrix42 system update. ReEncryptData tool for reinforced sensitive data encryption should be run manually.
Database encryption upgrade
This section provides a step-by-step walkthrough for the database encryption upgrade with the ReEncryptData tool.
Prerequisites
In order to complete this walkthrough, you will need the following:
- Matrix42 Software Asset & Service Management 9.1.1 or lower;
- Microsoft PowerShell 4.0 or grater installed and configured on the server that hosts Matrix42 Software Asset & Service Management;
- User with administrator rights.
Additionally, you may backup the main database (by default M42Production) and current database encryption key. This step is optional as the previously used encryption key is kept and remains operational. The same is applied for the data, as the changes consider the specific field values re-encryption and not the entire database modification.
Encryption key
The current database encryption key is stored in the key attribute of the configuration file:
%ApplicationFolder%/bin/securityCryptographyConfiguration.config
<?xml version="1.0" encoding="utf-8"?> <securityCryptographyConfiguration> <databaseEncryption key="current_key" /> </securityCryptographyConfiguration>
The Encryption Key is an integral part of the Production database, which means they always come together. If you would like to use the Production database in another environment (Test or Development), you need to movesecurityCryptographyConfiguration.config to this environment.
Running data re-encryption script
Data re-encryption script is run manually as a PowerShell command by the user with Administrator rights:
%ApplicationFolder%/Config/PowerShellScripts/ReEncryptData.ps1
The script requires database access credentials:
Successfully run data re-encryption script:
First run
The first run of the data re-encryption script generates the new database encryption key and stores the previously used one:
%ApplicationFolder%/bin/securityCryptographyConfiguration.json
<?xml version="1.0" encoding="utf-8"?> <securityCryptographyConfiguration> <databaseEncryption key="NewKey" key0="PreviousKey" /> </securityCryptographyConfiguration>
New encryption mechanism is backward compatible and supports the data encrypted with the outdated encryption key.
All values listed in the data re-encryption script are encrypted with the new key and get a "1 " prefix assigned to the encrypted value:
| Password | UserId |
| 1 JDJKZnatxMp1m751 | 123 |
| 1 CfmbmZdhgjwc3csd | 124 |
| 1 sfgAfhmLfgvx4dmpf | 125 |
Data from the fields that were encrypted with the previously used key and were not added to the list of the re-encrypted fields are still operational, as the previous encryption key is kept by default.
The candidate-fields missed during the first run of the script can be included in the PowerShell script manually, and re-encrypted with the new key during the subsequent run of the %ApplicationFolder%/Config/PowerShellScripts/ReEncryptData.ps1
Extending encryption data set
ReEncryptData tool re-encrypts the default system data. This change is applied to the standard attributes of the provided by default Data Definitions and re-encrypts mainly passwords for accessing third-party systems like e-mail server or Active Directory account credentials. The complete list of the re-encrypted data is available in the ReEncryptData tool.
Any custom fields that store encrypted data (passwords, user credentials, or any other sensitive data) that should be re-encrypted must be added to the list of default system data. The changes can be added to the ReEncryptData tool as follows:
%ApplicationFolder%/Config/PowerShellScripts/ReEncryptData.ps1
@{
Name = "DataDefinitionName"
Columns = @("CustomColumnName") # syntax for the single column update
},
@{
Name = "CustomDataDefinitionName"
Columns = @("Column1", "Column2", "Column3") # data re-encryption example for multiple attributes of the same Data Definition
},
Subsequent runs
All subsequent runs can be performed manually and are required if the custom fields were manually added to the standard list of encrypted fields.
Data re-encryption script particularities during the subsequent runs:
- the new encryption key is not generated. The data encryption uses the current key value from the
%ApplicationFolder%/bin/securityCryptographyConfiguration.json; -
re-encrypting all necessary values without the ''1 " prefix with the current encryption key, assigning "1 " prefix accordingly;
-
automatically restarting Martix42 services.