Encryption at Rest
This page discusses how to deploy Stardog securely by configuring encryption at rest.
Native encryption at rest is deprecated and will be removed in Stardog 9. We recommend using an encrypted file system if you require the data stored by Stardog to be encrypted at rest.
Stardog 7.4.1 contains a preview version of encryption at rest. This feature uses AES 256 bit encryption for writing data to disk. The encryption support requires the user’s environment to include the openssl libcrypto library. This library is available and tested for both Linux and OSX operating environments. See How to Install librycrypto for installation information. Windows is not currently supported.
When encryptions-at-rest is enabled customer data is written to disk only after it is encrypted by a
data key. Data keys are AES 256 bit keys that are generated and managed by Stardog upon the users request. A new data key can be requested with the
encryption new-key command in the following way:
$ stardog-admin encryption new-key <key name>
If a data key did not already exist
encryption new-key will create one. If one did exist it will create a new one and mark it for use with future data. All previously encrypted data will be left as is and thus the old key will remain in the Stardog for use with the data that it encrypted.
At any time data encryption can be disabled with the following command:
$ stardog-admin encryption disable
Note that this will only stop data that is added in the future from being encrypted. All of the data that was previously added will remain encrypted by the key that was active at the time of its insertion into Stardog.
While data keys are a secure means of encrypting the data that is inserted into Stardog the keys themselves are not encrypted and are thus they are secrets fully know to and managed by Stardog. To overcome this Stardog encourages users to associate a password with their encryption keys. This can be done with the following command:
$ stardog-admin encryption set-password
An encryption password can be changed and disabled at any time with the following commands:
$ stardog-admin encryption change-password $ stardog-admin encryption remove-password
Stardog does not retain this password nor does it provide a means to reset it. If you use an encryption password you must remember it.
Start encrypting data by adding a new key:
$ stardog-admin encryption new-key first-key $ stardog-admin encryption list-keys first-key : 34A6B1DD7C1EA00540C4C0B22A445D2A7C6CE46577BA670BEE942E1BEEB07031
At this point any incoming data will be encrypted with the key named
first-key. However the key itself is not encrypted and thus we want to add an encryption password with the following command:
$ stardog-admin encryption set-password Password: Password:
Now the data keys are all encrypted and thus to access them we will require that same password. The
-R option tells the
stardog-admin command to ask for the password:
$ stardog-admin encryption list-keys -R Current Password: first-key : CE1991DC7F8AC3D25EFFE992CDEF91017E86175D408D39FEC0F7D3933DD4D4A1
Now we will add a new key:
$ stardog-admin encryption new-key next-key Invalid argument: The passphrase did not unlock the database
In this case we get an error because we failed to provide the now needed password which we will do now with the
$ stardog-admin encryption new-key next-key -R Current Password: $ stardog-admin encryption list-keys -R Current Password: next-key : 0713B222DF761A53DB015DA6D5CE973B2879941C737201C499CB7E41BAE65FD3 first-key : CE1991DC7F8AC3D25EFFE992CDEF91017E86175D408D39FEC0F7D3933DD4D4A1
If we wish to now disable data encryption for all future writes we can do so with the following command:
$ stardog-admin encryption disable -R Current Password: $ stardog-admin encryption list-keys -R Current Password: Disable write : next-key : 0713B222DF761A53DB015DA6D5CE973B2879941C737201C499CB7E41BAE65FD3 first-key : CE1991DC7F8AC3D25EFFE992CDEF91017E86175D408D39FEC0F7D3933DD4D4A1
Disable write is listed as the current key. This means that incoming data will not be encrypted.
Additional Security Notes
- network communications: The stardog-admin program communicates passwords and passphrases to the server via HTTP headers. These network communications are vulnerable to copy and replay. The use of SSL communications via
--require-sslis strongly recommended.
How to install libcrypto
Future encryption features
- encryption of temporary files created during large imports: Stardog often creates “spill files” when ingesting data in bulk. The files are temporary in nature. During the time the files exist on disk an outsider could copy files to gain access to the unprotected data. This vulnerability will be addressed.
- user configuration properties: the feature preview supports only one possible encryption library and only one of the library’s supported encryption algorithms. These parameters and others identified by users of the feature preview will become configurable properties in a future release.