Changelog History
Page 1
-
v0.93.0 Changes
May 27, 2021π This release brings type awareness which improves transparent encryption on AcraServer. Type awareness means that it's possible to tell AcraServer what are the original data types for fields. During decryption, AcraServer will convert decrypted fields to their original data types. No need to change client application code to work with "binary data".
0οΈβ£ It's also possible to choose a default value for each data field if its decryption failed. AcraServer can send a a default value like "" instead of decryption errors, making developers' and users' life easier.
Core:
- AcraServer:
- Added type awareness and ability to map binary data to a certain data type when sending decrypted data back to the application. Extended encryptor_config which allow configure mapping application data type to proper database's type. #515, #517, #523, #519, #520
- Extended
encryptor_config
with new parameters: data_type
- specify data type expected by application. Acceptstr
,bytes
,int64
,int32
values. #515, #517default_data_value
- specify a placeholder (default value) to replace data that couldn't be decrypted. #515, #517response_on_fail
- specify action on decryption failure. Acceptsciphertext
(returns encrypted data as is),default_value
(returns values fromdefault_data_value
parameter),error
(returns error as DB error with message likeencoding error in column {column_name}
). #521, #533- Deprecated
tokenize
parameter inencryptor_config
and changed focus ontoken_type
parameter. Now is enough to specifytoken_type
parameter withouttokenize: true
to turn on tokenization. Read more in the documentation. #527 - Removed auto-generation poison record's keys but leaved for
acra-poisonrecordmaker
. It improves decryption due to omitting extra key generation and poison record recognition. #516 - Improvements in handling error cases on DB protocol layer. #511, #515, #517, #520, #528, #535, #537
- Improved sql parser and support of
set
command. #534 - Ignored legacy keys on startup loading to cache. #510, #522
- Improved PostgreSQL/MySQL protocol support. #525, #526, #539, #540, #541, #542, #543, #544
- AcraCensor:
- Removed legacy
IsForbidden
field from acra-censorβs logs. Read more here in notes. #508
- Removed legacy
- AcraKeys:
- Removed duplicate entries in
list
command. #530
- Removed duplicate entries in
- Other:
- Makefile target
install_dev_deps
install required golang's dependencies for development and code generation. #531
- Makefile target
π Documentation:
- π Improved description of AcraServer's encryptor_config, adding details and examples about data processing options: encryption, searchable encryption, masking, tokenization, type awareness, etc.
- β‘οΈ Updated "Debugging and troubleshooting" section with more tips and tricks.
Example projects and demos:
- β‘οΈ Python examples: updated to show type masking feature. #524, #529
- β‘οΈ acra-engineering-demo updated to show data type masking support. #46, #47, #48, #49, #50, #51.
- AcraServer:
-
v0.92.0 Changes
March 01, 2022π This release brings stability and performance fixes to AcraServer and AcraTranslator. It officially deprecates usage π§ of AcraConnector in favour of TLS everywhere. Some default configuration params are changed in favour of more secure & π better performance settings.
Core:
- AcraServer, AcraTranslator:
- Improved TLS certificate validation performance with CRL. #482
- Poison record detection turned off by default. Flag
--poison_detect_enable
changed default value fromtrue
tofalse
. #484 - Removed SecureSession and AcraConnector support as transport encryption. #481
- Improved and clarified log messages. Removed messages with
error
level for success cases (not detected poison record), clarified context of messages. #487 - Added suggestions in log messages how to solve issues with TLS connections. #493
- Improved in-memory caching keys:
- Added caching symmetric keys like asymmetric #489
- Added caching metadata about rotated keys #498
- Added new flag
--keystore_cache_on_start_enable
that turns on loading all keys into in-memory cache on startup. #497 - Changed default value for
--keystore_cache_size
parameter from-1
(which means no limits for cache) to 1000 (cache items). #497 - Legacy keys that were used with AcraConnector are now ignored during initial caching on startup. #510
- AcraServer:
- The default CryptoEnvelope has changed from
acrastruct
toacrablock
in the encryptor_config. Now AcraServer will use faster encryption by default. You can select which CryptoEnvelope to use in encryptor_config. See AcraStructs vs AcraBlocks documentation, #485 - Extended PostgreSQL's SQL syntax support with
null::<type>
type casts. #479 - Changed the default values for next CLI parameters:
--tls_client_id_from_cert
changed fromfalse
totrue
. Now AcraServer require app's TLS certificates and map them to keys. #481- Improved performance for:
querycapture
handler in AcraCensor. #483- transparent encryption and poison record detection. #487, #496
- searchable encryption. #490
- Removed next CLI parameters due to removed AcraConnector support:
--securesession_id
,--acraconnector_tls_transport_enable
,--acraconnector_transport_encryption_disable
. #481
- The default CryptoEnvelope has changed from
- AcraTranslator:
Now AcraTranslator works with TLS by default, it doesn't support AcraConnector anymore. #481
- Removed next CLI parameters due to removed AcraConnector support:
--securesession_id
,--acratranslator_tls_transport_enable
,--acraconnector_transport_encryption_disable
. #481
- AcraKeymaker:
- AcraKeys:
- Removed next key types for all commands (generate, read, destroy):
transport-connector
,transport-server
,transport-translator
. #481
- Removed next key types for all commands (generate, read, destroy):
- AcraConnector:
- Removed everywhere and stopped support. Switch to TLS instead, see Security controls > Transport Security > TLS, #481
Example projects and demos:
- π Python examples: now support MySQL database. #476
- AcraServer, AcraTranslator:
-
v0.91.0 Changes
December 16, 2021Core:
- AcraWebConfig, AcraAuthManager:
- Have been deprecated and not supported anymore #456. The following changes have been made:
- removed
docker/acra-authmanager.dockerfile
,docker/acra-webconfig.dockerfile
files. - removed
acra-webconfig
andacra-authmanager
fromdocker/acra-build.dockerfile
file that is base image for all other service's images. - removed
acra-webconfig
andacra-authmanager
from alldocker/docker-compose.*.yml
files. - reserved event codes for log entries in range [550, 558] related to AcraWebConfig.
- AcraConnector:
- Has been deprecated and will be removed in the next releases. AcraServer and AcraTranslator will accept only direct TLS. See Transport security/TLS. connections from applications.
- Removed mentions and usage from acra-engineering-demos.
- AcraKeymaker:
- AcraKeys:
read
command supports symmetric encryption keys with ClientID and ZoneID #472.generate
command:- supports rotation for symmetric encryption keys with ZoneID #472.
- deprecates next flags:
--acraconnector_transport_key
,--acraserver_transport_key
,--acratranslator_transport_key
. - removed
--acrawebconfig_symmetric_key
flag according to AcraWebConfig/AcraAuthManager deprecation #456. - Improved handling CLI parameters related to Redis #459.
- AcraServer:
- AcraTranslator:
- Accepts
POST
HTTP request method additionally toGET
for v2 API. MethodGET
marked as deprecated and warns with log message.Deprecated HTTP GET method was used. Please use HTTP POST method instead.
if was used #466.
- Accepts
Infrastructure:
- π Build binaries with
-tags netgo
flag, that forces usage of Go resolver to solve issues related to resolving hostnames. between Docker containers. Updatedacra-build.dockerfile
used as base image for allcossacklabs/acra-*
images (#452). - β Added missing parameter
--keystore=v1
for existing docker-compose files that caused errors (#452).
π Documentation:
- β‘οΈ Has been updated :)
- π Improved guide about integration AcraTranslator into infrastructure.
- π Extended description for AcraTranslator's HTTP API.
Example projects and demos:
- Python examples: now work with TLS connections to
AcraServer/Database. Also has been updated sqlalchemy version and binary column type from
Binary
toLargeBinary
#463. - acra-engineering-demos don't illustrate AcraConnector usage anymore. All applications and services connect to AcraServer directly.
- AcraWebConfig, AcraAuthManager:
-
v0.90.0 Changes
November 05, 2021π New:
- π Updated documentation:
Acra's documentation is now open-source and updated for this release. Please find use cases, usage scenarios, data flows, descriptions of security controls, cryptography deep dive, scaling and load balancing, optimisations and many more.
Check out the updated documentation.
- Searchable encryption:
Two components can provide searchable encryption functionality:
- AcraServer β transparent searchable encryption of fields marked as searchable in
encryptor_config
forINSERT
andUPDATE
queries, calculating hash and searching by hash forSELECT
queries, with per column configuration. - AcraTranslator β provides gRPC and HTTP API calls to encrypt data field into searchable form, and to generate searchable hash from the plaintext search query.
Read more details in the Acra documentation section dedicated to Searchable encryption.
Masking:
AcraServer β provides masking functionality. It is transparent masking for
INSERT
andUPDATE
queries, and transparent demasking forSELECT
queries, with per column configuration. Read more details in the Acra documentation section dedicated to Masking.Tokenization (Pseudonymisation):
Two components can provide tokenization functionality:
- AcraServer β transparent tokenization for INSERT and UPDATE queries, and transparent detokenization for SELECT queries, with per column configuration.
- AcraTranslator β provides gRPC and HTTP API to tokenize or detokenize the field.
Read more details in the Acra documentation section dedicated to Tokenization.
- AcraBlock:
AcraBlock is a symmetric cryptographic container and is faster and more compact than AcraStruct. It used on AcraServer side in transparent encryption, masking, tokenization, searchable encryption.
AcraTranslator supports AcraBlocks in encryption, searchable encryption and tokenization via gRPC and HTTP API.
Read more details in the Acra documentation section dedicated to AcraBlock.
** KeyStore v2** Added new storage format for keys in KeyStore that cryptographically strong key integrity checks, additional tracking metadata simplifying key management, KMS integrations. Read more details in the Acra documentation about difference between two versions.
HashiCorp Vault integration:
All Acra services that work with encryption/intermediate keys can load master key
ACRA_MASTER_KEY
from HashiCorp Vault. Previously was supported only environment variables.Read more details on our KMS integration page in the documentation.
Core:
- AcraServer:
- We recommend using AcraServer in transparent encryption mode, connecting to it via TLS from application side. Use AcraServer with AcraBlocks for faster & more efficient configuration. AcraConnector and AcraWriter are optional components, and can be omitted.
Read more details on our Integrating AcraServer into infrastructure.
- Added prepared statements support for MySQL. Now all transparent operations over the data works with prepared statements too.
Extended and refactored TLS related CLI parameters.
tls_client_id_from_cert
- switching to new mode with clientID extraction from certificates instead of handshakes with AcraConnector or static mode with--client_id
parameter.- OCSP-related:
tls_ocsp_url
,tls_ocsp_client_url
,tls_ocsp_database_url
- URL of OCSP server to use, foracra-server
may be configured separately for both directions.tls_ocsp_required
- whether to allow "unknown" responses, whether to query all known OCSP servers (including those from certificate).tls_ocsp_from_cert
- how to treat URL listed in certificate (use or ignore, whether to prioritize over configured URL).tls_ocsp_check_only_leaf_certificate
- whether to stop validation after checking first certificate in chain (the one used for TLS handshake).
- CRL-related:
tls_crl_url
,tls_crl_client_url
,tls_crl_database_url
- URL of CRL distribution point to use, foracra-server
may be configured separately for both directions.tls_crl_from_cert
- how to treat URL listed in certificate (use or ignore, whether to prioritize over configured URL).tls_crl_check_only_leaf_certificate
- whether to stop validation after checking first certificate in chain (the one used for TLS handshake).tls_crl_cache_size
- how many CRLs to cache in memory.tls_crl_cache_time
- how long cached CRL is considered valid and won't be re-fetched.
Separated parameters for connections accepted from application/AcraConnector or established to database with TLS:
acra-server
's certificate:tls_client_cert
andtls_database_cert
(overridestls_cert
).acra-server
's key:tls_client_key
andtls_database_key
(overridestls_key
).- CA certificate path:
tls_client_ca
andtls_database_ca
(overridestls_ca
). - TLS authentication:
tls_client_auth
andtls_database_auth
(overridestls_auth
).
Supports
RETURNING
syntax in SQL queries with proper decryption data in the response.--sql_parse_on_error_exit_enable
new flag that forceacra-server
to stop query execution if can't parse SQL query. By default, it isfalse
.Improved encryptor config validation.
Deprecated
--acrastruct_wholecell_enable
and--acrastruct_injectedcell_enable
flags and will be ignored. Nowacra-server
works as in InjectedCell mode.Deprecated
--tls_db_sni
parameter and replaced withtls_database_sni
.- AcraTranslator:
We recommend using AcraTranslator as gRPC or HTTP API, connecting to it via TLS from application side. Use AcraTranslator with AcraBlocks for faster & more efficient configuration.
Read more details on our Integrating AcraTranslator into infrastructure.
--acratranslator_client_id_from_connection_enable
flag turns on mapping TLS certificates to encryption keys with .- Extended HTTP API as version 2 and gRPC API with supporting all new features like Searchable encryption, Tokenization, symmetric key encryption with AcraBLock and synchronized with gRPC API.
HTTP API version 2 with OpenAPI and Swagger support.
- AcraServer, AcraTranslator
audit_log_enable
- new parameter turns on cryptographically signed audit logging. Read more in the Acra documentation.Support direct TLS connections from applications without AcraConnector.
acra-server
andacra-translator
will map client's certificates to proper encryption keys in KeyStore.tls_identifier_extractor_type
- new parameter that configures strategy of extraction metadata from certificates for mapping to clientID (default:distinguished_name
, another option:serial_number
).- AcraServer, AcraTranslator, AcraConnector
TLS certificate validation using OCSP and CRL. All services and tools that accepts incoming connections can be configured with new rules of connection validation. Read more details in the Acra documentation section dedicated to TLS configuration.
--log_to_console
- parameter turns on\off logging to stderr.--log_to_file
- parameter specify path to file for logs. May be used together with logging to stderr.- AcraKeymaker New flags to generate new kind of keys for new features:
--generate_hmac_key
- flag turns on generation symmetric key for HMAC used in searchable encryption.--generate_log_key
- flag turns on generation symmetric key for cryptographically signed audit logging.--generate_symmetric_storage_key
- flag turns on generation symmetric key for encryption with AcraBlocks.--keystore
- specify version of KeyStore. Now supportedv1
(default) andv2
(new) versions.
New flags to generate encryption keys for TLS certificates:
--tls_cert
- specify client's TLS certificate to generate encryption keys. Should be used instead--client_id
flag.--tls_identifier_extractor_type
- switch type of ClientID extraction from TLS certificate. Supportsdistinguished_name
(default) andserial_number
values.- AcraAddZone
--fs_keystore_enable
now is deprecated and ignored.- AcraTokens
acra-tokens
is a new command-line utility used for managing generated tokens with turned on tokenization. Tokens may be stored in BoltDB or Redis for now. Read more details in the Acra documentation. - AcraBackup
acra-backup
is a command-line utility used for storing and managing the keystore backups. Also, it helps to migrate keys from one KeyStore to another one byexport
+import
operations. Read more details in the Acra documentation on acra-backup page. - AcraKeys
acra-keys
is a command-line utility used for different keys operations especially for v2 keystore. It consists of several subcommands each of which is responsible for a separate functionality. - Other
- AcraTokens
Support of RHEL >= 7
Build image use Debian 10 instead of Debian 9
Configurable build and install parameters in Makefile (see
make help
)Self-documented Makefile
Makefile
pkg
target with automatic detection of OS (use it instead ofrpm
anddeb
)Makefile targets
dist
,temp_copy
docker_push
target replaced withdocker-push
-
v0.85.0 Changes
March 15, 2018π 0.85.0, March 15th 2018
Core:
π₯ Breaking changes:
π§ Introducing a new more flexible configuration format for AcraCensor rules. AcraCensor doesn't support the old format, all users should migrate (don't worry, it's a simple procedure).
Search through encrypted data
You now can run SQL queries over encrypted AcraStructs allowing users to search through sensitive data without exposing it. This feature is only available in Acra Enterprise version.
Transparent proxy mode
TLDR: Transparent proxy mode allows you to configure AcraServer to encrypt records in specific database columns without altering the application code.
π The application flow doesn't need to change: application sends SQL requests through AcraConnector and AcraServer to the database. AcraServer parses each request, encrypts the desired values into AcraStructs, and passes the modified requests to the database. To retrieve the decrypted data, your application talks to AcraServer again: upon receiving the database response, AcraServer tries to detect AcraStructs, decrypts them, and returns the decrypted data to the application.
β‘οΈ Transparent proxy mode is useful for large distributed applications where updating the source code of each client app separately would be complicated.
To enable this mode, you need to create a separate encryptor configuration file (
acra-encryptor.yaml
) that describes which columns to encrypt and provide a path to it in the AcraServer configuration file (or via CLI params--encryptor_config_file=acra-encryptor.yaml
).π Read more details in the Readme and in the Acra documentation section dedicated to Transparent encryption.
AcraCensor β SQL firewall to prevent SQL injections
TLDR: Improved stability of AcraCensor, switched to more flexible rules' configuration.
π₯ Breaking changes: Introducing a new format for configuration files, the previous format is no longer supported, you should migrate to the new one.
π New configuration file format allows configuring the allowlist and the denylist separately or simultaneously.
The
allow
handler allows something specific and restricts/forbids everything else. Theallowall
handler should be a final statement as that means that all the other queries will be allowed.The
deny
handler allows everything and forbids something specific. Thedenyall
means "block all queries!" (that haven't been allowed or ignored before).π§ For each handler, there are settings that regulate queries, tables, and patterns. The order of priority for the lists is defined by their position in the configuration file. The processing priority for each list is as follows: queries, followed by tables, followed by patterns.
π Read more in AcraCensor docs.
β Added version to the configuration file. This allows detecting an outdated configuration easily. From now on, AcraCensor supports explicit configuration version and logs errors if the configuration is not valid (#321).
π Improved parsing of SQL queries with prepared statements (#303, #283).
π Improved error handling for queries that AcraCensor can't parse (#291, #284).
β Added ability to log unparsed queries to a separate log file for the debugging and configuration purposes. Sometimes AcraCensor can't parse all of the incoming queries and it is useful to have a separate log for them.
How to use it: Provide the path to the unparsed queries log file in the configuration file
parse_errors_log: unparsed_queries.log
(#295).π Improved support of PostgreSQL queries (
"RETURNING"
clause) and quoted identifiers (now you can use"tablename"
andWHERE "column"=1
) (#296).π Fixed the bug in QueryCapture log that caused duplicated of records in the log to appear (#318).
AcraServer
π Fixed handling of null-size packets in PostgreSQL protocol (#286).
π Fixed handling of setting a custom connection API port (#294).
π Fixed handling of the plain text data response: if the database returns a plain text response, it is redirected "as is" (#305).
π Fixed handling of casted placeholders in expressions like
SELECT $1::type1::type2 FROM table1 WHERE column1=$2::type3::type4
(#328).π Improved code quality (some refactoring here and there) (#302, #301).
AcraServer, AcraTranslator, AcraConnector
π¨ Refactored logs and error messages got even more descriptive and user-friendly (#312, #299, #317).
β Added on-start version logging to make it easier to understand which version is running (#319).
β Added versioning for configuration files of each service (#322).
β Added exporting version to metrics (#330, #320).
π Updated some configuration parameters descriptions for better user-friendliness (please see our docs of AcraConnector and AcraServer for detailed descriptions of each parameter and usage examples) (#329).
AcraWriter
β‘οΈ Updated AcraWriter for ActiveRecord (Ruby), fixed dependencies, added support of mysql2 adapter (#287).
β‘οΈ Updated AcraWriter for Django (Python), fixed potential encoding issues (#293, #292).
β‘οΈ Updated AcraWriter for C++, improved cpp codec usage (#290, #289).
β Added bitcode for AcraWriter iOS and added Swift example project (#327, #326, #325, #324, #323, #323, #307).
π Improved distribution of AcraWriter for Android, now it's available via Maven (#310).
Other
β Added more tests and then β added even more tests. We just love automating things! (#331, #311, #308, #292).
β‘οΈ Updated the version of pyyaml used in the tests due to CVE-2017-18342. This change doesn't affect the users of Acra, it only affects our test suite (#300).
Infrastructure:
Example projects and demos:
iOS Swift example project that shows how to generate AcraStructs with and without Zones.
Android example project that shows how to integrate AcraWriter library into Android app using maven, and then to generate AcraStructs with and without Zones, and to decrypt them using AcraTranslator.
π§ AcraCensor demo that shows how to configure AcraCensor for SQL injections prevention in OWASP Mutillidae 2 example app.
π Protecting data in a Rails application demo based on AcraServer, PostgreSQL, and Ruby on Rails client application.
Protecting metrics in TimescaleDB demo based on AcraServer, TimescaleDB, and Grafana.
π§ Transparent proxy mode demo that shows how to configure AcraServer in Transparent proxy mode to protect Django-based application.
Related blog posts:
π The difference between SQL firewalls and Web Application Firewalls.
π Engineering details on how we built AcraCensor.
π Features coming soon:
π Pseudonymisation: an early version of pseudonymisation library/plugin for Acra for transparent data pseudonymisation.
π Cryptographically protected audit log: protection for logs against tampering.
π Documentation:
π Updated AcraServer documentation to describe Transparent mode in more details.
π Updated AcraCensor documentation to describe the new configuration format and procedures for migration from the previous one.
π Updated AcraWriter documentation for iOS and Android to reflect the improved installation ways.
-
v0.84.2 Changes
February 19, 2019π 0.84.2, February 19th 2019
π Hotfix:
π Fixed an issue in communication of AcraServer and PostgreSQL that causes AcraServer to stop processing connection due to an unexpected error in parsing packets. The issue occurred when last data in data row column from PostgreSQL comes with empty data (0 bytes).
Details: #315
-
v0.84.1 Changes
January 25, 2019π 0.84.1, January 25th 2019
π Hotfix:
π Fixed an issue in communication of AcraServer with some specific ORMs (xorm precisely) with MySQL database. In some cases, when database has plaintext data, AcraServer can't decrypt it (which is ok), but propagates decryption error and closes connection (which is wrong, it's fixed).
Details: #305
-
v0.84.0 Changes
November 09, 2018π 0.84.0, November 9th 2018
Core:
Key management
- Improved LRU cache: fixed concurrent access to LRU cache by adding mutex. LRU cache is used for quick access to in-memory keys (private keys are stored encrypted) in AcraServer and AcraTranslator (#272).
π AcraServer documentation, AcraTranslator documentation.
- Improved AcraRotate utility: added "dry-run" mode for testing AcraRotate before it is used for real. In the "dry-run" mode AcraRotate doesn't rotate keys: it fetches AcraStructs (from files or database), decrypts, rotates in-memory keys, encrypts the data with new public keys and prints the resulting JSON with new public keys without actually saving the rotated keys and AcraStructs. As key rotation might be tricky, we want users to make sure that AcraRotate has all the required permissions and access right before actually re-encrypting the data (#269).
π AcraRotate documentation.
AcraWriter
- Added C++ AcraWriter library, added examples and tests. The library itself is a single header-only file
acrawriter.hpp
with dependency on Themis, placed in wrappers/cpp.
Read the usage guide and examples in examples/cpp folder (#270).
π AcraWriter C++ documentation.
π² Logging
π Improved logs of AcraConnector and AcraServer: use Debug log level for all network errors (closed connection, unavailable network, etc) and use Error log level only for cases of certainly unexpected behavior (#275).
π Improved startup logs: log process PID on start of AcraServer, AcraConnector, AcraTranslator, and AcraWebConfig (#275).
π Fixed timestamps: do not overwrite logs' timestamps (#273).
Tracing with OpenCensus
- Added tracing with OpenCensus: AcraServer, AcraConnector, and AcraTranslator track every request from client application to the database and back. Each client request has a unique
traceID
that helps measure how much time it needs to perform a certain data processing functions (i.e. checking requests via AcraCensor, encrypting data, decrypting AcraStructs, etc.). Traces can be exported to Jaeger (#279, #276, #274).
π You can read more about tracing in our documentation in Tracing in Acra.
A blogpost about technical details, profits, and pitfalls during the implementation of traces is coming soon.
Other
π Improved AcraServer's connection handling: stop accepting connections after error and stop AcraServer instead of trying to accept connections after the listening socket was closed (#275).
π Improved AcraCensor's handling of prepared statements for PostgreSQL binary protocol (#280).
π Improved handling of terminating packets (COM_QUIT for PostgreSQL and TerminatePacket for MySQL) to correctly handle the closing connections from clients (#275).
π¨ Refactored inner logic of AcraCensor: improved code quality and stability, added more tests that use more patterns (#268).
Infrastructure:
π Ceased testing and supporting Go versions below 1.9. This will only affect the users who build Acra manually from sources.
π³ You can install the pre-built Acra components shipped for various Ubuntu, Debian, and CentOS distributives using Installation guide. Alternatively, you can check out our Docker images and Docker-compose files in docker folder (#277).β‘οΈ Tested Acra suite with PostgreSQL v11 and MariaDB v10.3 and updated docker compose examples and Acra Engineering Demo to use it (#278).
π Published Acra load balancing demo: it illustrates some of the many possible variants of building high availability and balanced infrastructure based on Acra data protection suite components, PostgreSQL, and Python web application. In these examples we used HAProxy β one of the most popular high availability balancers today.
β‘οΈ Updated AcraStruct Validator β an online tool that can decrypt your AcraStructs. AcraStruct Validator is useful for developers who build their own AcraWriters (to validate AcraStruct binary structure).
π Features coming soon:
β Running SQL queries over encrypted data: perform AcraServer-side lookups (search) over protected data.
π Pseudonymisation: early version of pseudonymisation library/plugin for Acra for transparent data pseudonymisation.
π Cryptographically protected audit log: protection for logs against tampering.
π Documentation:
π AcraWriter C++ has a short guide for installing and using AcraWriter for C++.
π AcraRotate: added description and notes about "dry-run" mode.
π Updated documentation for logging, collecting metrics, and tracing in Acra.
π Many small fixes here and there to make your overall experience of using Acra's docs on a new platform distinctive and smooth ;)
-
v0.83.0 Changes
September 28, 2018π 0.83.0, September 28th 2018
Core:
π Security
β‘οΈ Updated the default and allowed TLS configurations (#254).
Use TLS v1.2 (the latest supported version in Golang now) and limited cipher suite recommended by Internet Assigned Numbers Authority and OWASP for most transport connections.
π Use TLS v1.0 and extended cipher suit for MySQL TLS connections due to the limited support of MySQL database and drivers.
π Improved security of transport connection between Acra's services by validating the clientId length. This decreases the chance of misusing the clientId (#253).
Key management β key rotation
Added AcraRotate utility for rotation of Zone keys and re-encryption of AcraStructs. AcraRotate generates a new Zone keypair (
zoneid_zone.pub
andzoneid_zone
) for a particular ZoneId and re-encrypts the corresponding AcraStructs with new keys. ZoneId stays the same (#256, #239).AcraRotate doesn't affect the
ACRA_MASTER_KEY
or storage keypair used without Zones (clientid_storage.pub
/clientid_storage
keys).AcraRotate rotates only the Zone storage keys and affects only the AcraStructs encrypted with Zones.
AcraRotate works with AcraStructs stored both in database cells (MySQL or PostgreSQL) or files.
π Read the full documentation on AcraRotate on the Documentation Server.
AcraCensor β SQL filter and firewall
π Improved SQL filtering through more complex pattern matching (#264, #263, #262, #238).
- `%%VALUE%%` pattern represents literal value (string, binary, number, boolean) and is supported in the following expressions: WHERE, IN, ORDER BY, GROUP BY, BETWEEN. - `%%LIST_OF_VALUES%%` pattern represents several values one by one, used with IN expressions. - `%%SUBQUERY%%` pattern represents a subquery expression inside the main query. - `%%WHERE%%` pattern represents one or more expressions after a WHERE statement. This pattern works for SELECT/UPDATE/DELETE queries. - `%%COLUMN%%` pattern represents a column expression used after SELECT and ORDER BY expressions. - `%%SELECT%%` pattern represents a whole SELECT expression.
π Read the detailed description and usage examples on the AcraCensor page on DocServer.
AcraWriter
β Added Java/Android AcraWriter library, added examples and tests (#252).
Read the usage guide and examples in examples/android_java folder.
β Added SQLAlchemy type wrappers for the Python AcraWriter (#257).
π Improved and refactored the Python AcraWriter example of encrypting data and reading it from the database (#258).
Prometheus Metrics
- Added functionality for exporting the basic metrics of AcraServer, AcraConnector, and AcraTranslator to Prometheus: if
incoming_connection_prometheus_metrics_string
is set, the service will generate specific metrics (time of connection life, time of processing requests, AcraStruct decryption counters) and push them to Prometheus (#260, #251, #234).Other
π Improved AcraConnector's compatibility with PostgreSQL: AcraConnector now correctly handles the database's denial to use TLS connection (#259).
β Added export of CLI parameters for AcraServer, AcraConnector, and AcraTranslator to markdown (#261).
π Improved readability of CEF-formatted logs by sorting extension fields in alphabetical order (#255).
π Improved quality of our codebase β cleaned up the old unnecessary code (#250).
Infrastructure:
- β Added AcraRotate as a ready-to-use tool inside AcraTranslator and AcraServer Docker containers (#236).
π Documentation:
π Made the Documentation Server the primary and the only regularly updated source of documentation for Acra. The most recent version of the documentation, tutorials, and demos for Acra can be found there. The GitHub Wiki documentation for Acra is still available, but is no longer updated starting with the version 0.82.0 (with the exception of Changelog and README files with every new version release).
π AcraCensor: updated the details on how the "patterns" filter works.
π AcraRotate: added a tutorial for using AcraRotate to rotate Zone keys and re-encrypt the data.
π Tons of small fixes here and there to make your overall experience of using Acra's docs on a new platform distinctive and smooth ;).
-
v0.82.0 Changes
August 14, 2018Core:
AcraTranslator
AcraTranslator is a lightweight server that receives AcraStructs and returns the decrypted data. AcraTranslator doesnβt care about the source of the data, it accepts AcraStructs via HTTP or gRPC API. An application can store AcraStructs anywhere it is convenient: as cells in the database, as files in the file storage (local or cloud storage, like AWS S3). An application sends AcraStructs as binary data and receives plaintext (or decryption error) from AcraTranslator.
However, sending plaintext data over a non-secure channel is a bad idea, so AcraTranslator requires the use of Themis Secure Session encryption channel (which is basically an encrypted TCP/unix sockets). To establish a Secure Session connection, an application doesnβt need to contain the crypto-code itself, only to direct the traffic through AcraConnector instead.
π³ AcraTranslator supports AcraStructs via HTTP and gRPC API, uses in-memory LRU cache to store encryption keys, and detects poison records. AcraTranslator is shipped as a pre-built binary and as a Docker container.
π§ Read the detailed guide on how to install, configure, and run AcraTranslator.
(#213, #212, #207, #205, #204, #203, #200, #199, #198, #197)
β‘οΈ Updated AcraConnector to support connections with AcraTranslator (#206).
π² Logging
π Improved startup logs for AcraServer, AcraTranslator, and AcraConnector: now it's easier to understand that the service is up and running (#242).
β Added clientId to AcraServer logs: now it's easier to understand which client was sending the request that led to a failed or successful AcraStruct decryption (#214).
π Improved logging by masking query parameters: neither AcraServer nor AcraCensor won't leak sensitive query while logging the content (#216, #211).
Poison records
0οΈβ£ Poison record detection for AcraServer and AcraTranslator can now be turned on and off. Poison records detection is ON by default: AcraServer/AcraTranslator will try to detect poison record and log to stderr if a poison record is detected (#240, #230, #215).
π Increased performance of AcraServer/AcraTranslator if poison records are enabled (#232).
Key management
π Improved processing of decryption keys for AcraServer, AcraTranslator, and AcraConnector: now it is possible to store private keys encrypted in files and in memory, decrypt them before using, and purge after usage (#202).
β Added configurable LRU cache for the in-memory keys: this will increase the performance if you operate with hundreds of storage keys on AcraServer and AcraTranslator (#219).
AcraCensor / SQL filter and firewall
- Improved SQL filtering by adding pattern matching: now you can blacklist or whitelist queries that match particular patterns, like
SELECT %%COLUMN%% FROM company %%WHERE%%
.
π Currently supported patterns:
%%VALUE%%
,%%COLUMN%%
,%%WHERE%%
and%%SELECT%%
.Read the detailed description and usage examples on the AcraCensor page.
(#248, #247, #246, #245, #243, #238, #231, #226, #217)
- Improved AcraCensor performance for queries matching (#208).
AcraWriter
- Added iOS/Objective-C AcraWriter library as CocoaPod, added examples and tests.
Read the usage guide and examples in examples/objc folder.
- Improved security of AcraWriter libs for Go, Ruby, Nodejs, and iOS through zeroing secret keys where it was missing (#244).
βͺ AcraRollback
- Improved handling of
insert
query parameter to simplify using AcraRollback from bash (#210).Other
π Improved AcraStruct decryption by multiple validations of AcraStruct format before decrypting. This fix improves AcraServer/AcraTranslator error messages in case of a failed decryption (#201).
π Improved stability of integration test suite, trying to avoid 'timed out' errors from CircleCI (#200).
π Improved code quality, fixing gofmt and golint issues (#229, #228, #227, #224, #223, #221).
π§ WIP
β Adding a way to export decryption metrics (decryption time, number of connections) from AcraServer to Prometeus (#234).
Prototyping AcraRotate tool for rotating the Zone keys easily (#239).
Infrastructure:
β¬οΈ Drop testing and supporting go version below 1.8. This will only affect the users who build Acra manually from sources.
π³ You can install pre-built Acra components shipped for various Ubuntu, Debian, and CentOS distributives using Installation guide. Alternatively, you can check out our Docker images and Docker-compose files in docker folder
(#209).β Added AcraTranslator as pre-built binary and docker container (#222).
β Added AcraTranslator and AcraConnector docker-compose files: now it's easy to set up a demo stand just by running one command (#225).
β Added AcraRollback and AcraPoisonRecordMaker as ready-to-use tools inside AcraTranslator and AcraServer Docker containers (#236).
π Documentation:
0οΈβ£ Key management: clarified key names and default locations, illustrated public key exchange in details.
AcraServer: improved examples of how to run AcraServer.
AcraTranslator: added description of the service, installation and launching guide, added ready-to-use examples for HTTP and gRPC API.
AcraConnector: added examples of how to run AcraConnector with AcraTranslator.
π§ AcraCensor: added examples of the configuration file, described in details how the "patterns" filter works.
βͺ AcraRollback: added examples of running AcraRollback in local mode, which allows storing the decrypted data locally, without pushing it back to the database.
π This is the last version of Acra for which the main documentation will be actively updated in the GitHub Wiki. From now on, the most recent version of the documentation, tutorials, and demos for Acra will be available in the official Cossack Labs Documentation Server.
- Improved SQL filtering by adding pattern matching: now you can blacklist or whitelist queries that match particular patterns, like