Database encryption proxy for data-driven apps: strong selective encryption, SQL injections prevention, intrusion detection, honeypots.
Clone or download
Lagovas encode data to bytes in tests/generate_acrastruct.py (#292)
encode data to bytes before encryption
Latest commit 90479d1 Dec 12, 2018
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.circleci Update config.yml (#277) Nov 6, 2018
acra-censor Censor fixes (#291) Dec 6, 2018
acra-writer metrics for acratranslator [T760, T662] (#251) Aug 17, 2018
benchmarks refactoring utils and deadlines [T696] (#250) Aug 17, 2018
cmd remove default endpoints for jaeger trace exporter (#281) Nov 7, 2018
configs remove default endpoints for jaeger trace exporter (#281) Nov 7, 2018
decryptor encode data to bytes in tests/generate_acrastruct.py (#292) Dec 12, 2018
docker Fixed comments in docker-compose files (#288) Nov 24, 2018
examples Update version of cppcodec for AcraWriter C++ example project (#290) Nov 26, 2018
fuzz check poison records after decryption for PostgreSQL [T685] (#230) Aug 2, 2018
keystore add tracing with opencensus (#274) Oct 23, 2018
logging refactor logs [T836] (#275) Oct 29, 2018
network refactor logs [T836] (#275) Oct 29, 2018
poison metrics for acratranslator [T760, T662] (#251) Aug 17, 2018
scripts Fixed acra-keymaker GOPATH in generate-keys script (#182) May 30, 2018
tests encode data to bytes in tests/generate_acrastruct.py (#292) Dec 12, 2018
utils Preparing for 0.84.0 release: update ChangeLog and Readme, update cod… Nov 9, 2018
wrappers Add mysql support to activerecord_acrawriter gem (#287) Nov 24, 2018
zone dry run rotate [T813] (#269) Oct 11, 2018
.DS_Store Docker folder content renamed; Makefile content renamed. Apr 24, 2018
.gitignore AcraWriter c++ with tests and examples (#270) Oct 11, 2018
CHANGELOG.md Preparing for 0.84.0 release: update ChangeLog and Readme, update cod… Nov 9, 2018
LICENSE add license Nov 23, 2016
Makefile Added AcraTranslator to Makefile and dockerfiles (#222) Jul 26, 2018
README.md fix two links on the quick-access menu Nov 29, 2018
acrawriter.podspec AcraWriter: prepare for publishing pod (#235) Aug 8, 2018
test.sh Add circleci tests for all official go version (#93) Feb 28, 2017

README.md

Acra: database security suite
Database protection suite with selective encryption and intrusion detection.


GitHub release Circle CI Coverage Status godoc
Server platforms Client platforms


Acra Live Demo Acra Engineering Demo Documentation Installation Examples and tutorials

What is Acra

Acra — database security suite for sensitive and personal data protection.

Acra provides selective encryption, multi-layered access control, database leakage prevention, and intrusion detection capabilities in a convenient, developer-friendly package. Acra was specifically designed for web and mobile apps with centralised data storage, including with distributed, microservice-rich applications.

Perfect Acra-compatible applications Typical industries
Web and mobile apps that store data in a centralised database or object storage
  • Healthcare
  • Finance
  • E-commerce
  • Critical infrastructures
  • Apps with > 1000 users
IoT apps that collect telemetry and process data in cloud
High-load data processing apps

Acra gives you tools for encrypting the data on the application's side into special cryptographic containers, storing them in the database or file storage, and then decrypting them in a secure compartmented area (separate virtual machine/container).

Cryptographic design ensures that no secret (password, key, etc.) leaked from the application or database will be sufficient for decryption of the protected data chunks that originate from it. Acra minimises the leakage scope, detects unauthorised behavior, and prevents the leakage, informing operators of the incident underway.

Major security features

  • Cryptographic protection of data
  • during storage and transmission
  • Selective encryption
  • protect only the sensitive data to have both good security and performance
  • Key management tools
  • built-in tools for key distribution, key rotation, and compartmentalisation
  • Trust compartmentalisation
  • datastore and application components can be compromised, yet the data is protected
  • Prevention of SQL injections
  • through a built-in SQL firewall
  • Intrusion detection system
  • to give an early warning about suspicious behaviour
  • Running SQL queries over encrypted data
  • coming in the (near) future releases
  • Pseudonymisation
  • Cryptographically protected audit log
  • Developer and DevOps friendly

  • Secure default settings
  • your infrastructure is secure from the start without additional configuring
  • Cryptography is hidden
    under the hood
  • no risk of selecting the wrong key length or algorithm padding
  • Automation-friendly
  • easy to configure and automate
  • Quick infrastructure integration
  • via binary packages or Docker images
  • Easy client code integration
  • client-side encryption libraries support ~10 languages
  • Logging, metrics, tracing
  • throughout all Acra components;
    compatible with ELK stack, Prometheus, Jaeger
  • No vendor lock
  • rollback utilities to decrypt database into plaintext
  • Demos and simulators
  • numerous web-based and Docker-based demo projects

    Cryptography

    Acra relies on our cryptographic library Themis, which implements high-level cryptosystems based on the best available open-source implementations of the most reliable ciphers. Acra strictly doesn't contain self-made cryptographic primitives or obscure ciphers. To deliver its unique guarantees, Acra relies on the combination of well-known ciphers and smart key management scheme.

    Default crypto-primitive source OpenSSL
    Supported crypto-primitive sources ᵉ BoringSSL, LibreSSL, FIPS-compliant, GOST-compliant, HSM
    Storage encryption AES-256-GCM + ECDH
    Transport encryption TLS v1.2+ / Themis Secure Session
    KMS integration ᵉ Amazon KMS, Google Cloud Platform KMS, Hashicorp Vault, Keywhiz

    ᵉ — available in the Enterprise version of Acra only. Drop us an email to get a full list of features and a quote.

    Try Acra without writing code

    Acra Live Demo (see Acra in action in one click)

    Acra Live Demo is a web-based demo of protecting data in a typical web-infrastructure (deployed on our servers for your convenience).

    Acra Live Demo infrastructure contains: Django-based application, PostgreSQL database, AcraServer with AcraCensor, log monitor. Sensitive data is encrypted in a Django application, stored in a database, and decrypted through Acra.

    From the users' perspective, the website's work is unchanged. However, the data is securely protected so that even hacking the web application won't lead to data leakage.

    The available actions include:

    Requirements: Chrome, Firefox, or Safari browser.

    Note: We create separate playground for each user, that's why we ask for your email; you'll receive the invitation link.

    🖥 Request Acra Live Demo 🖥

    How does Acra work?

    To better understand the architecture and data flow in Acra, please refer to the Architecture and data flow section in the documentation.

    Protecting data in SQL databases using AcraWriter and AcraServer

    Acra Server: simplified architecture

    This is what the process of encryption and decryption of data in a database looks like:

    • Your application encrypts some data through AcraWriter by generating an AcraStruct using Acra storage public key and then updates the database. AcraStructs generated by AcraWriter can't be decrypted by it — only the Acra's server side has the keys for decryption.
    • To retrieve the decrypted data, your application talks to AcraServer. It is a server-side service that works as database proxy: it sits transparently between your application and the database and listens silently to all the traffic that's coming to and from the database.
    • AcraServer monitors the incoming SQL requests and blocks the unwanted ones using the built-in configurable firewall called AcraCensor. AcraServer only sends allowed requests to the database. Certain configurations for AcraServer can be adjusted remotely using AcraWebConfig web server.
    • Upon receiving the database response, AcraServer tries to detect the AcraStructs, decrypts them, and returns the decrypted data to the application.
    • AcraConnector is a client-side daemon responsible for providing encrypted and authenticated connection between the application and AcraServer. AcraConnector runs under a separate user/in a separate container and acts as middleware. AcraConnector accepts connections from the application, adds an extra transport encryption layer using TLS or Themis Secure Session, sends the data to AcraServer, receives the result, and sends it back to the application.

    Protecting data in any file storage using AcraWriter and AcraTranslator

    Acra Translator: simplified architecture

    In some use cases, the application can store encrypted data as separate blobs (files that are not in a database, i.e. in a S3 bucket, local file storage, etc.). In this case, you can use AcraTranslator — a lightweight server that receives AcraStructs and returns the decrypted data.

    This is what the process of encryption and decryption of data using AcraTranslator looks like:

    • Your application encrypts some data using AcraWriter, generating an AcraStruct using Acra storage public key and puts the data into any file storage. AcraStructs generated by AcraWriter can't be decrypted by it — only the Acra's server side has the right keys for decrypting it.
    • To decrypt an AcraStruct, your application sends it to AcraTranslator as a binary blob via HTTP or gRPC API. AcraTranslator doesn’t care about the source of the data, it is responsible for holding all the secrets required for data decryption and for actually decrypting the data.
    • AcraTranslator decrypts AcraStructs and returns the decrypted data to the application.
    • To avoid sending plaintext via an unsecured channel, AcraTranslator requires the use of AcraConnector, a client-side daemon responsible for providing encrypted and authenticated connection between the application and AcraServer. AcraConnector runs under a separate user/in a separate container and acts as middleware. It accepts connections from the application, adds transport encryption layer using TLS or Themis Secure Session, sends data to AcraServer, receives the result, and sends it back to the application.

    AcraTranslator and AcraServer are fully independent server-side components and can be used together or separately depending on your infrastructure.

    Availability

    Client-side

    AcraWriter is a client-side library that encrypts data into a special binary format called AcraStruct. AcraWriter is available for Ruby, Python, Go, C++, NodeJS, iOS, Android/Java and PHP, but you can easily generate AcraStruct containers with Themis for any platform you want.

    Client platform Documentation and guides Examples Package manager
    🐹 Go Installation guide examples/golang
    🐍 Python Installation guide examples/python PyPI
    ♦️ Ruby Installation guide examples/ruby Gem
    C++ Installation guide examples/cpp
    📱 Objective-C / Swift (iOS) Installation guide examples/objc CocoaPods
    ☎️ Java (Android) Installation guide examples/android_java
    🐘 PHP Installation guide examples/php
    🍭 Javascript (NodeJS) Installation guide examples/nodejs npm

    Server-side

    Distributive Instruction set Download and install
    CentOS 7 x86_64 using rpm packages
    Debian Stretch (9)
    Debian Jessie (8)
    x86_64/i386 using deb packages
    Ubuntu Bionic (18.04) x86_64 using deb packages
    Ubuntu Artful (17.10)
    Ubuntu Xenial (16.04)
    Ubuntu Trusty (14.04)
    x86_64/i386 using deb packages

    Compatibility and integration

    AcraServer is a server-side service that works as database proxy: it sits transparently between your application and the database, listens silently to all the traffic that's coming to and from the database. AcraTranslator is database-agnostic: it provides HTTP and gRPC API to decrypt AcraStructs stored anywhere.

    Acra is compatible with numerous RDBMS, object and KV stores, cloud platforms, external key management systems (KMS), load balancing systems.

    Cloud platforms AWS, GCP, Heroku
    RDBMS MySQL v5.7+, PosgtreSQL v9.4-v11, MariaDB v10.3
    Google Cloud SQL, Amazon RDS
    Object stores filesystems, KV databases, Amazon S3, Google Cloud DataStore
    Load balancing HAProxy, cloud balancers

    Open source Acra has limited integration support, more services are available in the Enterprise version of Acra only.

    Installation and launch

    Quick try (run demo app)

    Acra Engineering Demo illustrates the integration of Acra data protection suite into existing applications: Django-based web application and Python CLI application. We took well-known applications and added the encryption layer. Protecting the data is completely transparent for the users and requires minimal changes in the infrastructure.

    Developers and Ops friendly:

    • run a single command to deploy the application, database, Acra's components, logs, and dashboards;
    • read the code changes and see how little it takes to integrate encryption into the client application;
    • learn how Acra works by reading logs, monitoring metrics in Prometheus, and watching Grafana dashboards;
    • inspect Docker-compose files, architecture schemes, database tables, and much more.

    Requirements: Linux or macOS terminal.

    ⚙️ Run Engineering Demo ⚙️

    Quick integration into your infrastructure

    For a quick and easy integration of Acra into your own infrastructure, we recommend trying Acra with Docker first. Using only two commands, you will get all the Acra's components and database up and running, with a secure transport layer between them. We prepared several typical infrastructure variants to experiment with.

    • Select one appropriate use case from the pre-made configurations ("Compose files"): use AcraServer-based configuration to protect the data in a database or select AcraTranslator to protect the files or any other binary blob stored elsewhere.
    • Launch Acra's server-side by running the selected docker-compose file: it will generate the appropriate keys, put them into correct folders, perform a public key exchange, run selected services and database, and then it will listen to the incoming connections.
    • Integrate AcraWriter into your application code where you need to protect the sensitive data, supply AcraWriter with an Acra storage public key (generated by docker-compose on the previous step). Encrypt the data into AcraStructs and send them into the database or file storage.
    • Decrypt data by reading the database through AcraServer or by decrypting the files through AcraTranslator.

    Please use the Acra Docker demo stand for testing/experimenting purposes only as the encryption keys are pre-generated in the configuration.

    Normal integration into your infrastructure

    For production environments, we insist on generating and exchanging keys manually and deploying Acra as Docker containers or from source code. Refer to the Quick Start guide to understand how to download and launch Acra components, generate keys, and perform key exchange properly.

    Documentation and tutorials

    The most recent version of the documentation, tutorials, and demos for Acra is available on the official Cossack Labs Documentation Server. The Github Wiki documentation is deprecated and no longer updated since v0.82.0.

    To gain an initial understanding of Acra, you might want to:

    Demo projects

    Django sample project RubyGems sample project

    Acra Load Balancing Demo (HAProxy-based infrastructures)

    Acra Load Balancing Demo illustrates building high availability and balanced infrastructure, based on Acra components, PostgreSQL, and Python web application. We prepared several configurations with mulltiple databases and HAProxy.

    🔛 Run Load Balancing Demo 🔛

    GDPR and HIPAA

    Acra can help you comply with GDPR and HIPAA regulations. Configuring and using Acra in a designated form will cover most of the demands described in articles 25, 32, 33, and 34 of GDPR and the PII data protection demands of HIPAA. Read more about Acra and GDPR compliance here.

    Open source vs Enterprise

    This open source version of Acra is free to use. Please let us know in the Issues if you stumble upon a bug, see a possible enhancement, or have a comment on security design.

    There’s the Enterprise version of Acra available. It provides better performance, redunancy/load balancing, comes pre-configured with crypto-primitives of your choice (FIPS, GOST), integrates with key/secret management tools in your stack, and has plenty of utils and tools for your Ops and SREs to operate Acra conveniently – deployment automation, scaling, monitoring, and logging. Talk to us to get a full feature list and a quote.

    Security consulting

    It takes more than just getting cryptographic code to compile to secure the sensitive data. Acra won't make you “compliant out of the box” with all the modern security regulations, and no other tool will.

    We help companies plan their data security strategy by auditing, assessing data flow, and classifying the data, enumerating the risks. We do the hardest, least-attended part of reaching the compliance – turning it from the “cost of doing business” into the “security framework that prevents risks”.

    Contributing to us

    If you’d like to contribute your code or provide any other kind of input to Acra, you’re very welcome. Your starting point for contributing is here.

    License

    Acra is licensed as Apache 2 open-source software.

    Contacts

    If you want to ask a technical question, feel free to raise an Issue or write to dev@cossacklabs.com.

    To talk to the business wing of Cossack Labs Limited, drop us an email to info@cossacklabs.com.

    Blog Twitter CossackLabs Medium CossackLabs