Security features

2023-11-30 09:35:25  Updated

By default, OBLOADER & OBDUMPER can run after you explicitly specify sensitive information such as the password on the command line. To enhance information security, OBLOADER & OBDUMPER V4.2.0 and later provides methods to encrypt and decrypt sensitive information on command lines.

Use secure-gen to encrypt information

  1. Install OpenSSL and configure environment variables.

    Note

    To use secure-gen to encrypt information, you must install the OpenSSL toolkit. For more information, see the "View the help information of secure-gen" section in this topic.

  2. Verify that OpenSSL is installed.

    $ which openssl

/usr/bin/openssl

  3. Encrypt sensitive files in the local path.

    $ ./secure-gen -n <file_path>

    Note

    Sensitive information files must meet the specifications described in Property File Format. You can also edit the sensitive information to be encrypted in the CLI. Example:

    1. Run the following command in the {ob-loader-dumper}/tools/ directory.

      $ ./secure-gen -i

    2. Edit the parameters to be encrypted in the CLI and then enter :wq to save and exit.

      # Input the sensitive fields below in plain-text respectively.
# Note you can leave any of them as blank, ob-loader-dumper will parse from cli args first, and override any field if there is a conflict.
#   
# Database password.
oceanbase.jdbc.password=******
# Database password for sys tenant.
oceanbase.jdbc.sys.password=******
# Access key for cloud storages like OSS & S3.
cloud.storage.access.key=******
# Secret key for cloud storages like OSS & S3.
cloud.storage.secret.key=******

:wq

      The following table lists the sensitive parameters that can be encrypted by OBLOADER & OBDUMPER.

      Parameter Description
      oceanbase.jdbc.password Optional. The password of a business tenant of OceanBase Database.
      oceanbase.jdbc.sys.password Optional. The password of the sys tenant in OceanBase Database.
      cloud.storage.access.key Optional. The AccessKey ID used to access a cloud storage service such as Amazon Simple Storage Service (S3) or Alibaba Cloud Object Storage Service (OSS).
      cloud.storage.secret.key Optional. The AccessKey secret used to access a cloud storage service such as Amazon S3 or Alibaba Cloud OSS.

  4. You can choose whether to use an existing key as prompted.

    $ ./secure-gen
Detected that a key already exists, do you want to use it?
If not, a new key will be generated and overwrite the existing key (y/n):

    1. Enter n to regenerate a key pair by using OpenSSL. By default, the key pair is stored in the <Root directory of the user>/.loaddump/secure/ directory. By default, the public key file is key.pem.pub, and the private key file is key.pem.

      Detected that a key already exists, do you want to use it?
If not, a new key will be generated and overwrite the existing key (y/n): n
Generating RSA private key, 4096 bit long modulus
............++
.......................................................++
e is 65537 (0x10001)
Writing RSA key

The key pair has been generated under the directory /Users/chang/.loaddump, please keep it safe.
The encrypted file /Users/chang/.loaddump/secure/secure.rsa has been generated for sensitive information.

If you want to use it, please fill in the corresponding content in conf/decrypt.properties properly.

    2. Enter y to use an existing key pair. OBLOADER & OBDUMPER load the key pair from the /.loaddump/secure/ directory and generate an encrypted file, such as secure.rsa.

      Detected that a key already exists, do you want to use it? If not, a new key will be generated and overwrite the existing key (y/n): y
The encrypted file /Users/chang/.loaddump/secure/secure.rsa has been generated for sensitive information.

If you want to use it, please fill in the corresponding content in conf/decrypt.properties properly.

  5. Verify whether the key pair and encrypted file are generated.

    $ ls ~/.loaddump/secure/
key.pem     key.pem.pub    secure.rsa

  6. Enter the encrypted information in decrypt.properties in the {ob-loader-dumper}/conf/decrypt.properties directory.

    # Absolute path of your secure file, whose name is secure.rsa by default.
# secure.filePath=

# Absolute path of your private key. whose name is key.pem by default.
# privateKey.filePath=

# Decrypt class name. Fill in this field only if you need a custom mechanism of decryption.
# decrypt.className=

View the help information of secure-gen

secure-gen is an executable Shell script. It can encrypt sensitive information fields by using the RSA algorithm. When you run OBLOADER or OBDUMPER, it will parse decrypt.properties in the {ob-loader-dumper}/conf directory to securely obtain sensitive information.

secure-gen is located in the {ob-loader-dumper}/tools/ directory. You can run ./secure-gen -h or directly enter ./secure-gen to view the help information of secure-gen.

$ ./secure-gen -h

Usage: ./secure-gen [-n <file>][-i][-h]
Description:
-n: Specify a to-be-encrypted file of sensitive contents in plain-text, use -i to check out the format.
-i: Input sensitive contents in interactive mode.
-h: Display this message.

Customize an encryption/decryption mechanism

If OpenSSL is not installed, you can perform the following steps to customize an encryption/decryption mechanism.

  1. Create a plaintext file for encryption.

    The file to be encrypted must meet the specifications described in "Properties File Format." For more information, visit Properties File Format.

  2. Write a decryption class file in Java. The class definition must meet the following requirements:

    • A parameterless constructor function must be defined.

    • The class must have a non-static method: public String decrypt(String encryptRaw). The encryptRaw formal parameter indicates the encrypted text. The return value is the decrypted text.

  3. Package the decryption class as a JAR package and place the package in the {ob-loader-dumper}/lib/ directory.

  4. Configure corresponding content in decrypt.properties in the {ob-loader-dumper}/conf directory.

Examples

Create a Maven project and write a CustomDecryptor class. Use Base64 for encoding and decoding.

Note

In a production environment, you can choose an appropriate encryption/decryption algorithm as needed.

  1. Create a plaintext file for encryption and encode the file by using Base64.

    # Create a plaintext file.
$ vi password.txt
# Enter the following content in the file. Then, save the file and exit.
oceanbase.jdbc.password=******
oceanbase.jdbc.sys.password=******

# Encrypt the encoded file as custom.key.
$ echo $(base64 password.txt) > /user/loaddump/custom.key

  2. Create a Java project. In the project, CustomDecryptor.java is a custom decryption class that you need to write.

customdecryptor

  1. Write the CustomDecryptor class.

    package com.example.decrypt;

import java.nio.charset.StandardCharsets;
import sun.misc.BASE64Decoder;

public class CustomDecryptor {

   public CustomDecryptor() {}

    /**
    * This method takes an encrypted string, decrypt it, and return it as a plain string.
    */
   public String decrypt(String encryptedRaw) throws Exception {
       BASE64Decoder decoder = new BASE64Decoder();
       return new String(decoder.decodeBuffer(encryptedRaw), StandardCharsets.UTF_8);
  }
}

  2. Package the CustomDecryptor class as a JAR package and place the package in the {ob-loader-dumper}/lib/ directory to finish setting the decryptor.

    $ mvn package && mv target/example-1.0-SNAPSHOT.jar path/to/ob-loader-dumper/lib/

  3. Enter corresponding content in decrypt.properties in the {ob-loader-dumper}/conf/ directory.

    # Absolute path of your secure file, whose name is secure.rsa by default.
secure.filePath=~/tmp/custom.key
# Absolute path of your private key. whose name is key.pem by default.
# privateKey.filePath=
# Decrypt class name. Fill in this field only if you need a custom mechanism of decryption.
decrypt.className=com.example.decrypt.CustomDecryptor

    Note

    If you use a custom SDK for encryption and decryption, the privateKey.filePath parameter is optional.

  4. Securely run OBLOADER & OBDUMPER.

    ./obdumper -hxx.x.x.x -P2883 -t example -D example --csv --all

    Note

    When you run OBLOADER & OBDUMPER, you do not need to explicitly declare the -p/--password or --sys-password option.

Last
Next

OceanBaseOceanBase

OceanBase, A Highly Scalable Database for Transactional, Analytical, and AI Workloads.

Company

About OceanBaseContact UsPartner

Product

OceanBase CloudOceanBase EnterpriseQuick StartDownloadPricing

Resources

DocsBlogWhite PaperTrust Center

Follow us

LinkedInLinkedInDiscordDiscordTwitterTwitterYoutubeYoutubeForumForumGitHubGitHubStack OverflowStack Overflow

© OceanBase 2024. All rights reserved | Cloud Service Agreement | Privacy Policy | Legal | Security

Contact Us