Β« Changelog History


acra v0.82.0 Release Notes

Release Date: 2018-08-14 // over 5 years ago

  • Core:

    AcraTranslator

    AcraTranslator is a lightweight server that receives AcraStructs and returns the decrypted data. AcraTranslator doesn’t care about the source of the data, it accepts AcraStructs via HTTP or gRPC API. An application can store AcraStructs anywhere it is convenient: as cells in the database, as files in the file storage (local or cloud storage, like AWS S3). An application sends AcraStructs as binary data and receives plaintext (or decryption error) from AcraTranslator.

    However, sending plaintext data over a non-secure channel is a bad idea, so AcraTranslator requires the use of Themis Secure Session encryption channel (which is basically an encrypted TCP/unix sockets). To establish a Secure Session connection, an application doesn’t need to contain the crypto-code itself, only to direct the traffic through AcraConnector instead.

    🐳 AcraTranslator supports AcraStructs via HTTP and gRPC API, uses in-memory LRU cache to store encryption keys, and detects poison records. AcraTranslator is shipped as a pre-built binary and as a Docker container.

    πŸ”§ Read the detailed guide on how to install, configure, and run AcraTranslator.

    (#213, #212, #207, #205, #204, #203, #200, #199, #198, #197)

    ⚑️ Updated AcraConnector to support connections with AcraTranslator (#206).

    🌲 Logging

    πŸ‘Œ Improved startup logs for AcraServer, AcraTranslator, and AcraConnector: now it's easier to understand that the service is up and running (#242).

    βž• Added clientId to AcraServer logs: now it's easier to understand which client was sending the request that led to a failed or successful AcraStruct decryption (#214).

    πŸ‘Œ Improved logging by masking query parameters: neither AcraServer nor AcraCensor won't leak sensitive query while logging the content (#216, #211).

    Poison records

    0️⃣ Poison record detection for AcraServer and AcraTranslator can now be turned on and off. Poison records detection is ON by default: AcraServer/AcraTranslator will try to detect poison record and log to stderr if a poison record is detected (#240, #230, #215).

    🐎 Increased performance of AcraServer/AcraTranslator if poison records are enabled (#232).

    Key management

    πŸ‘Œ Improved processing of decryption keys for AcraServer, AcraTranslator, and AcraConnector: now it is possible to store private keys encrypted in files and in memory, decrypt them before using, and purge after usage (#202).

    βž• Added configurable LRU cache for the in-memory keys: this will increase the performance if you operate with hundreds of storage keys on AcraServer and AcraTranslator (#219).

    AcraCensor / SQL filter and firewall

    • Improved SQL filtering by adding pattern matching: now you can blacklist or whitelist queries that match particular patterns, like SELECT %%COLUMN%% FROM company %%WHERE%%.

    πŸ‘ Currently supported patterns: %%VALUE%%, %%COLUMN%%, %%WHERE%% and %%SELECT%%.

    Read the detailed description and usage examples on the AcraCensor page.

    (#248, #247, #246, #245, #243, #238, #231, #226, #217)

    - Improved AcraCensor performance for queries matching (#208).

    AcraWriter

    • Added iOS/Objective-C AcraWriter library as CocoaPod, added examples and tests.

    Read the usage guide and examples in examples/objc folder.

    (#241, #235, #233).

    - Improved security of AcraWriter libs for Go, Ruby, Nodejs, and iOS through zeroing secret keys where it was missing (#244).

    βͺ AcraRollback

    - Improved handling of insert query parameter to simplify using AcraRollback from bash (#210).

    Other

    πŸ‘Œ Improved AcraStruct decryption by multiple validations of AcraStruct format before decrypting. This fix improves AcraServer/AcraTranslator error messages in case of a failed decryption (#201).

    πŸ‘Œ Improved stability of integration test suite, trying to avoid 'timed out' errors from CircleCI (#200).

    πŸ‘Œ Improved code quality, fixing gofmt and golint issues (#229, #228, #227, #224, #223, #221).

    🚧 WIP

    βž• Adding a way to export decryption metrics (decryption time, number of connections) from AcraServer to Prometeus (#234).

    Prototyping AcraRotate tool for rotating the Zone keys easily (#239).

    Infrastructure:

    ⬇️ Drop testing and supporting go version below 1.8. This will only affect the users who build Acra manually from sources.
    🐳 You can install pre-built Acra components shipped for various Ubuntu, Debian, and CentOS distributives using Installation guide. Alternatively, you can check out our Docker images and Docker-compose files in docker folder
    (#209).

    βž• Added AcraTranslator as pre-built binary and docker container (#222).

    βž• Added AcraTranslator and AcraConnector docker-compose files: now it's easy to set up a demo stand just by running one command (#225).

    βž• Added AcraRollback and AcraPoisonRecordMaker as ready-to-use tools inside AcraTranslator and AcraServer Docker containers (#236).

    πŸ“š Documentation:

    0️⃣ Key management: clarified key names and default locations, illustrated public key exchange in details.

    AcraServer: improved examples of how to run AcraServer.

    AcraTranslator: added description of the service, installation and launching guide, added ready-to-use examples for HTTP and gRPC API.

    AcraConnector: added examples of how to run AcraConnector with AcraTranslator.

    πŸ”§ AcraCensor: added examples of the configuration file, described in details how the "patterns" filter works.

    βͺ AcraRollback: added examples of running AcraRollback in local mode, which allows storing the decrypted data locally, without pushing it back to the database.

    πŸ“š This is the last version of Acra for which the main documentation will be actively updated in the GitHub Wiki. From now on, the most recent version of the documentation, tutorials, and demos for Acra will be available in the official Cossack Labs Documentation Server.