
Encryption at Rest

This page discusses how to deploy Stardog securely by configuring encryption at rest.

Native encryption at rest is deprecated and will be removed in Stardog 9. We recommend using an encrypted file system if you require the data stored by Stardog to be encrypted at rest.

Page Contents
  1. Data Keys
  2. Encryption Password
  3. Example Session
  4. Additional Security Notes
  5. How to install libcrypto
  6. Future encryption features

Stardog 7.4.1 contains a preview version of encryption at rest. This feature uses AES 256 bit encryption for writing data to disk. The encryption support requires the user’s environment to include the openssl libcrypto library. This library is available and tested for both Linux and OSX operating environments. See How to install libcrypto for installation information. Windows is not currently supported.

Data Keys

When encryption at rest is enabled, customer data is written to disk only after it is encrypted by a data key. Data keys are AES 256 bit keys that are generated and managed by Stardog upon the user’s request. A new data key can be requested with the encryption new-key command in the following way:

$ stardog-admin encryption new-key <key name>

If a data key did not already exist, encryption new-key will create one. If one did exist, it will create a new one and mark it for use with future data. All previously encrypted data will be left as is, and the old key will remain in Stardog for use with the data that it encrypted.

At any time data encryption can be disabled with the following command:

$ stardog-admin encryption disable

Note that this will only stop data that is added in the future from being encrypted. All of the data that was previously added will remain encrypted by the key that was active at the time of its insertion into Stardog.

Encryption Password

While data keys are a secure means of encrypting the data that is inserted into Stardog, the keys themselves are not encrypted and are thus secrets fully known to and managed by Stardog. To overcome this, Stardog encourages users to associate a password with their encryption keys. This can be done with the following command:

$ stardog-admin encryption set-password

An encryption password can be changed and disabled at any time with the following commands:

$ stardog-admin encryption change-password
$ stardog-admin encryption remove-password

Stardog does not retain this password nor does it provide a means to reset it. If you use an encryption password you must remember it.

Example Session

Start encrypting data by adding a new key:

$ stardog-admin encryption new-key first-key
$ stardog-admin encryption list-keys
first-key : 34A6B1DD7C1EA00540C4C0B22A445D2A7C6CE46577BA670BEE942E1BEEB07031

At this point any incoming data will be encrypted with the key named first-key. However, the key itself is not encrypted, so we want to add an encryption password with the following command:

$ stardog-admin encryption set-password
Password:
Password:

Now the data keys are all encrypted, and to access them we will need that same password. The -R option tells the stardog-admin command to ask for the password:

$ stardog-admin encryption list-keys -R
Current Password:
first-key : CE1991DC7F8AC3D25EFFE992CDEF91017E86175D408D39FEC0F7D3933DD4D4A1

Now we will add a new key:

$ stardog-admin encryption new-key next-key
Invalid argument: The passphrase did not unlock the database

In this case we get an error because we failed to provide the now-required password, which we supply with the -R option:

$ stardog-admin encryption new-key next-key -R
Current Password:
$ stardog-admin encryption list-keys -R
Current Password:
next-key : 0713B222DF761A53DB015DA6D5CE973B2879941C737201C499CB7E41BAE65FD3
first-key : CE1991DC7F8AC3D25EFFE992CDEF91017E86175D408D39FEC0F7D3933DD4D4A1

If we wish to now disable data encryption for all future writes we can do so with the following command:

$ stardog-admin encryption disable -R
Current Password:
$ stardog-admin encryption list-keys -R
Current Password:
Disable write :
next-key : 0713B222DF761A53DB015DA6D5CE973B2879941C737201C499CB7E41BAE65FD3
first-key : CE1991DC7F8AC3D25EFFE992CDEF91017E86175D408D39FEC0F7D3933DD4D4A1

Notice that Disable write is listed as the current key. This means that incoming data will not be encrypted.
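As an added example (not part of the Stardog documentation or its tooling), the small POSIX shell script below parses the list-keys output format shown in the session above and reports whether new writes are currently encrypted, which is useful as a periodic check on a server. It assumes, as the session shows, that the first line of the listing names the key in use and that "Disable write" in that position means incoming data is stored unencrypted; the sample listings are constructed from the values on this page.

```shell
#!/bin/sh
# Added example, not from the Stardog docs: check the output of
# `stardog-admin encryption list-keys` for an active data key.
# Assumption (from the session on this page): the first line names
# the key in use; "Disable write" there means writes are unencrypted.

# Constructed sample listings, copied from the session above.
SAMPLE_ACTIVE='next-key : 0713B222DF761A53DB015DA6D5CE973B2879941C737201C499CB7E41BAE65FD3
first-key : CE1991DC7F8AC3D25EFFE992CDEF91017E86175D408D39FEC0F7D3933DD4D4A1'

SAMPLE_DISABLED='Disable write :
next-key : 0713B222DF761A53DB015DA6D5CE973B2879941C737201C499CB7E41BAE65FD3
first-key : CE1991DC7F8AC3D25EFFE992CDEF91017E86175D408D39FEC0F7D3933DD4D4A1'

# current_key LISTING -> prints the name on the first line (the key in use)
current_key() {
    printf '%s\n' "$1" | sed -n '1s/ *:.*$//p'
}

# key_count LISTING -> number of data keys listed with a 64-hex-digit value
# (the "Disable write" marker carries no value and is not counted)
key_count() {
    printf '%s\n' "$1" | grep -c ' : [0-9A-F]\{64\}$'
}

# encryption_active LISTING -> exit 0 if new writes are encrypted, 1 if not
encryption_active() {
    [ "$(current_key "$1")" != "Disable write" ]
}

# report LISTING -> one-line human-readable status, exit status as above
report() {
    if encryption_active "$1"; then
        printf 'encryption active: key "%s" in use, %s key(s) stored\n' \
            "$(current_key "$1")" "$(key_count "$1")"
    else
        printf 'WARNING: write encryption disabled, %s key(s) stored\n' \
            "$(key_count "$1")"
        return 1
    fi
}
```

Against a live server, pass it the captured output of stardog-admin encryption list-keys -R (for example report "$(stardog-admin encryption list-keys -R)"), and treat a non-zero exit as a finding.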

Additional Security Notes

  • network communications: The stardog-admin program communicates passwords and passphrases to the server via HTTP headers. These network communications are vulnerable to copy and replay. The use of SSL communications via --require-ssl is strongly recommended.

How to install libcrypto

  • brew install openssl
  • sudo apt-get install openssl
  • sudo yum install openssl

Future encryption features

  • encryption of temporary files created during large imports: Stardog often creates “spill files” when ingesting data in bulk. The files are temporary in nature. During the time the files exist on disk an outsider could copy files to gain access to the unprotected data. This vulnerability will be addressed.
  • user configuration properties: the feature preview supports only one possible encryption library and only one of the library’s supported encryption algorithms. These parameters and others identified by users of the feature preview will become configurable properties in a future release.