Baffle Data Protection Services on AWS
Getting Started with Baffle Data Protection Services
This guide provides a walkthrough for getting started with Baffle Data Protection Services in AWS. It describes Baffle Manager and Baffle Shield system requirements and architecture, followed by configuration steps to set up Baffle’s column level encryption. The configuration steps are divided into five main sections:
1. Configure Baffle Manager — the administrative console (page 6)
2. Connect to your Keystore — the source for encryption keys (page 11)
3. Connect to your data store (page 13)
4. Configure a Baffle Shield — the encryption machine (page 15)
5. Define a data protection policy to encrypt your chosen fields (page 18)
Baffle Data Protection Services provide a range of data encryption, tokenization and de-identification methods to protect data in data stores and cloud storage environments. Common methods that Baffle employs include column or field level encryption, tokenization, format preserving encryption (FPE), dynamic data masking, and record level encryption.
Baffle integrates with key management stores via a key virtualization layer. It can also provide its own local key store, for customers to use their own keys to apply data protection in the cloud.
Pre-Requisites and Minimum System Requirements
Whether you use Baffle Professional Services to perform your deployment testing, or your organization does so independently as part of planning, ensure that your test environment meets the following minimum system requirements.
Baffle Architecture and Communication
Baffle Manager enables encryption policies and configurations by communicating with the Baffle Shield and your databases. Baffle Manager constructs a privacy schema that maps key IDs to data columns, thus enabling encryption in a simplified manner.
The following table lists the ports that must allow connections in order for Baffle Manager to communicate.
Configuration Walkthrough (AWS)
Section 1. Launch and configure the Baffle Manager AMI from AWS Marketplace
1. Search for Baffle in the AWS Marketplace, or click the following link to begin setup – Baffle Data Protection Services.
2. Launch an EC2 instance for Baffle Manager with the following settings.
A. Create a new security group on the VPC based on ‘seller settings’. This configuration opens the necessary ports for Baffle Manager. Set the range of IP addresses that will be permitted access.
B. Ensure you have saved the selected key pair to access the Baffle Manager.
3. Once the instance is running, connect to it with a web browser over HTTPS, using the public IP address of the instance as the address (for example, https://192.168.1.1).
If you are unable to connect to the instance via HTTPS, check your security group inbound rules. Also ensure that your instance has finished initializing. Because the instance is bootstrapped with a self-signed certificate, you will receive an invalid CA warning. Select the browser option to “proceed”. (You will have the opportunity to upload and use your organization’s certificate later in this section.) The following window should appear:
This indicates that the Baffle Manager is in a locked state.
4. To unlock the Baffle Manager, access the system via SSH. Use “baffle” as the username for the SSH connection, followed by the public IP address (for example, baffle@192.168.1.1). You will also need the key pair file that you selected when you launched the instance.
5. Once you have connected to the instance via SSH, issue the following command to retrieve the unlock code.
sudo more /opt/baffle/baffle-manager/initpass
6. In your browser, paste the unlock code into the password field and click CONTINUE.
7. Configure System Settings. You will be prompted for hostname and domain settings. Every system user account created from this point on must have an email address in this domain.
9. Create Admin Account. The screen below prompts you to create the initial Baffle Manager administrator account. This account is used to configure the subsequent components such as the key management store, data store connections, and Baffle Shields.
10. Configure Credential Keystore. This configuration screen establishes an encrypted credential store for every system access credential or access key that Baffle Manager or Baffle Shield uses. The default name is “baffle_credential_store” and cannot be changed.
Select LOCAL for Keystore type. For Secret Key, enter any random string; it will be used to generate the key that encrypts the Keystore Config Password. For Config Password, enter a secure password or passphrase to secure the actual keystore.
Section 2. Connect to a Keystore
Before you can enroll your applications, add databases and enable encryption, you must enroll your Keystore so that Baffle Manager can access and/or create data encryption keys (DEKs) that will be used to protect your data.
Baffle Data Protection Services supports various Keystore vendors using industry standard protocols such as KMIP, PKCS#11, and REST APIs. Follow the steps below to enroll a Keystore for use with Baffle Shields and databases.
1. Display the list of configured keystores. After logging into Baffle Manager, click the key icon on the left hand navigation panel. If this is the first time you are enrolling a Keystore, only the “baffle_credential_store” created in the previous section will be listed.
Click on the +KEYSTORE button in the top right corner to add a new Keystore.
2. Enter a Keystore name and description.
3. Specify the Keystore Type from the dropdown menu and enter respective parameters for the Keystore selected.
Keystore parameters are specific to the Keystore type or vendor.
4. When completed, click on “Add Keystore”.
Example of a Local Keystore configuration:
Example of an AWS KMS configuration:
Section 3. Connect to a Data Store
1. Display the list of configured databases. Click on the database icon on the left hand navigation panel.
2. Enroll a database. Click on the +DATABASE button to add a Data Store. Enter a database name and description.
A. Specify the database type. Then enter the hostname or IP and port of the database. Default database ports are found on page 5.
B. Enter the database user credentials. It is recommended that you create a new user on your database for use with Baffle. See Appendix A (page 26) for details.
C. Select Use SSL to enable an SSL/TLS connection to the database.
To allow users on your database with less privileges to access the encrypted data, see Appendix B (page 27).
Below is an example of a Microsoft SQL Server configuration.
3. Click Add Database to complete enrollment. The new database should be listed along with the other configured databases as shown below.
Section 4. Launch and Configure a Baffle Shield AMI
This section walks through the installation and configuration of a Baffle Shield. The Shield will be used to enforce a Data Protection Policy, encrypting the data in the databases that were configured in the previous section.
1. Configure an AMI instance to run the Baffle Shield.
A. Launch a new AMI instance from EC2 that is appropriately sized for your environment. Run the AMI with a CentOS 7 operating system.
B. Issue the following bootstrap commands in the Advanced Details section during the instance setup process.
C. Ensure the security group for your Baffle Shield allows inbound connections from Baffle Manager (on port 22) and from your own IP address (on port 8444 by default).
D. Once you complete the setup process, allow the instance a few minutes to initialize.
2. Connect the Baffle Shield to Baffle Manager. Once the instance is running, return to your Baffle Manager admin interface. Click on the shield icon on the left hand navigation panel. This will display a list of connected Baffle Shields. Click on the +BAFFLE SHIELD button in the upper right hand corner.
3. Configure Baffle Shield. Enter a name and description.
A. Select “Automated Deployment” for Deployment Model.
B. Enter the Host Username “centos” to access the Baffle Shield EC2 Instance.
C. Enter the IP Address of the Baffle Shield you have just launched. If your Shield runs in the same VPC as your Baffle Manager instance, it is recommended that you use the private IP address here.
D. Enter a port number that the Baffle Shield will use to listen for application connections. The default port is 8444.
E. Select “Use SSL” if the data store connection uses SSL.
F. Select “Use SSH Key” and upload the key that you selected when you set up the Shield instance.
G. Optionally, a username and password can be used to access the Baffle Shield.
4. Click Add Baffle Shield to complete the process. The new Shield will be added to the list of configured Baffle Shields.
If the Baffle Manager is unable to connect to the shield, ensure that your Shield’s security group permits inbound access from Baffle Manager.
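Before adding the Shield in Baffle Manager (step 2 above), and again when troubleshooting the connection failure just described, it helps to check the Shield’s security group against the rules in step 1C. The following Python script is an added example, not part of this guide or of Baffle’s tooling. It takes a security group in the shape returned by `aws ec2 describe-security-groups`, confirms that port 22 is reachable only from the Baffle Manager security group (or, optionally, the Manager’s own address) and port 8444 only from your own address range, and flags any rule open to 0.0.0.0/0 or ::/0. The group ids, CIDRs and the two sample groups are constructed values; the Manager group id and admin range are parameters you supply.

```python
"""Check a Baffle Shield security group against the inbound rules this guide
asks for: SSH (22) reachable only from Baffle Manager, the Shield listener
(8444 by default) reachable only from your own address range, and nothing open
to the world.  Added example, not part of Baffle's tooling.  The rule shape is
that of `aws ec2 describe-security-groups`; group ids, CIDRs and the sample
groups below are constructed."""
import ipaddress
import json

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def _covers(rule, port):
    """True if one IpPermissions entry admits TCP traffic on `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                      # "all traffic" rule
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def _within(cidr, allowed):
    """True if `cidr` lies inside one of the `allowed` networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)


def check_shield_sg(group, manager_sg_id, admin_cidrs, shield_port=8444,
                    manager_cidr=None):
    """Return a list of findings; an empty list means the group matches.

    manager_sg_id: security group of the Baffle Manager instance (SSH source).
    admin_cidrs:   your own address range(s) allowed to reach `shield_port`.
    manager_cidr:  optional /32 of Baffle Manager, accepted as an SSH source
                   when the rule is written by address instead of by group."""
    admin = [ipaddress.ip_network(c, strict=False) for c in admin_cidrs]
    manager = [ipaddress.ip_network(manager_cidr, strict=False)] if manager_cidr else []
    findings, ssh_ok, listener_ok = [], False, False

    for rule in group.get("IpPermissions", []):
        for port, label in ((22, "SSH"), (shield_port, "Shield listener")):
            if not _covers(rule, port):
                continue
            for r in rule.get("IpRanges", []):
                cidr = r["CidrIp"]
                if cidr == ANY_V4:
                    findings.append(f"{label} port {port} is open to {cidr}")
                elif port == 22 and _within(cidr, manager):
                    ssh_ok = True
                elif port == shield_port and _within(cidr, admin):
                    listener_ok = True
                else:
                    findings.append(f"{label} port {port} reachable from unexpected range {cidr}")
            for r in rule.get("Ipv6Ranges", []):
                cidr = r["CidrIpv6"]
                if cidr == ANY_V6:
                    findings.append(f"{label} port {port} is open to {cidr}")
                elif port == shield_port and _within(cidr, admin):
                    listener_ok = True
                else:
                    findings.append(f"{label} port {port} reachable from unexpected range {cidr}")
            for g in rule.get("UserIdGroupPairs", []):
                if port == 22 and g.get("GroupId") == manager_sg_id:
                    ssh_ok = True
                else:
                    findings.append(f"{label} port {port} reachable from group {g.get('GroupId')}")

    if not ssh_ok:
        findings.append("no SSH rule from Baffle Manager; automated deployment cannot reach the Shield")
    if not listener_ok:
        findings.append(f"no rule admitting port {shield_port} from the admin range(s)")
    return findings


# Constructed sample: SSH from the Manager's group, the listener from one
# operator address, nothing else.
SHIELD_SG_OK = json.loads("""{
  "GroupId": "sg-0000shield0000",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [],
     "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0000manager000"}]},
    {"IpProtocol": "tcp", "FromPort": 8444, "ToPort": 8444,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": [],
     "UserIdGroupPairs": []}
  ]}""")

# Constructed counter-example: the "allow everything" shortcut.
SHIELD_SG_OPEN = json.loads("""{
  "GroupId": "sg-0000shield0001",
  "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [], "UserIdGroupPairs": []}
  ]}""")

if __name__ == "__main__":
    for sg in (SHIELD_SG_OK, SHIELD_SG_OPEN):
        findings = check_shield_sg(sg, "sg-0000manager000", ["203.0.113.0/24"])
        print(sg["GroupId"], "OK" if not findings else findings)
```

Feed it the `SecurityGroups[0]` element of the CLI output for the Shield’s group; any finding other than an empty list means the rules differ from what step 1C calls for, and an “open to 0.0.0.0/0” finding on port 8444 means the Shield’s listener is exposed to the whole internet rather than to your own address.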
Section 5. Define a Data Protection Policy and Encrypt your Data
All the components of Baffle’s Advanced Data Protection are now in place. This section brings these components together by creating an application that executes a Data Protection Policy. The policy selects the columns to encrypt and the keys to use for the encryption process. Once the Data Protection Policy is complete, you can migrate data through a Baffle Shield and encrypt the existing data in your data store. Creating a Data Protection Policy establishes a Privacy Schema that Baffle Shields use to present the original data schema to the respective application while handling the encrypt and decrypt operations transparently for the configured fields.
1. Add an Application to create a Data Protection Policy. Click on the Applications Icon in the left hand navigation panel. The defined Data Protection Policies are displayed as Applications. Click on +APPLICATION.
2. Enroll Application. Enter a name and description.
A. Choose the Baffle Shield from the drop down that was configured in the previous section.
B. Select the Data Store which you will encrypt.
C. Select the Keystore to be used as a source for data encryption keys.
D. Specify the operational mode for the Baffle Shield. Leave Workload Capture Off, unless profiling an application.
E. Specify Column Level for the Encryption Method.
F. Click Enroll Application.
Below is an example of enrolling an application and deploying a Data Protection Policy for a MySQL database.
3. The Applications page now displays the new application.
6. Select the database and table you wish to encrypt.
7. Select columns for encryption and the respective encryption mode.
8. Optional: Specify the Key IDs used to encrypt specific columns. Scroll to the right on the column selector and add more keys by clicking (+). The default value for Key ID is 2. Available Key IDs will be displayed in the Key ID dropdown menu for each column.
9. Click NEXT to proceed. Under Deployment Plan, select Deploy Policy & Migrate Data to save and deploy the policy you have just configured, and to migrate the existing data in the columns you selected. Alternatively, you may simply save the policy to edit it later, or deploy the policy without migrating existing data.
A. Select the option to Clean Temp Tables so the Baffle Shield deletes the temporary tables it will use to carry out encryption.
B. Click SAVE to complete policy creation and execute the policy.
10. The Applications list now indicates the data migration is in progress. If migration does not initiate, you may have to configure your database user privileges. See Appendix A (page 26).
11. To decrypt data, click on the application again, and select DECRYPT from the dropdown menu. The Policy Builder will re-open. Select the columns which you would like to decrypt and click NEXT to proceed. Only the columns that you have previously encrypted will be available to decrypt.
You have now configured Baffle Manager and a Baffle Shield, and created a Data Protection Policy to protect your data.
To confirm your data is encrypted, access the database normally with your SQL client. You should find the columns you selected are now encrypted.
To view the columns in the clear, use your SQL client to connect to the Baffle Shield. Connect using the public IP address of the Shield, port 8444, and the credentials for the database user you submitted in section 3, step 2b. Access the encrypted tables, and you should find the selected columns are readable in the clear.
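One way to script the two reads just described, using the same database user along both paths: directly against the database’s own host and port, and through the Shield at its address and port 8444. This is an added example, not part of the guide or of Baffle’s tooling. `read_table` works with any DB-API 2.0 driver (pymysql is assumed in the usage comment), `verify_policy` compares the two result sets, and the table, column and row values at the bottom are constructed; the stored values are made-up opaque strings, not Baffle’s real ciphertext format.

```python
"""Confirm a Data Protection Policy took effect by reading the same table along
both paths the guide describes: straight from the database and through the
Baffle Shield proxy, with the same database user.  Added example, not part of
the guide or of Baffle's tooling.  `connect` is any zero-argument callable that
returns a DB-API 2.0 connection (driver assumed, e.g. pymysql); the table,
column and row values below are constructed."""


def _q(name):
    """Backtick-quote a MySQL identifier."""
    return "`" + name.replace("`", "``") + "`"


def read_table(connect, table, key_column, columns):
    """Return {key: {column: value}} for `columns`, ordered by `key_column`."""
    sql = "SELECT {} FROM {} ORDER BY {}".format(
        ", ".join(_q(c) for c in (key_column, *columns)), _q(table), _q(key_column))
    conn = connect()
    try:
        cur = conn.cursor()
        cur.execute(sql)
        return {row[0]: dict(zip(columns, row[1:])) for row in cur.fetchall()}
    finally:
        conn.close()


def verify_policy(direct, via_shield, protected):
    """Compare a direct read with a read through the Shield.

    For every column in `protected` the stored value must differ from what the
    Shield returns and must not contain that plaintext; every other column
    must be identical along both paths.  Returns (ok, problems)."""
    problems = []
    if direct.keys() != via_shield.keys():
        problems.append("row sets differ between the direct and Shield reads")
    for key in sorted(direct.keys() & via_shield.keys()):
        for col, plain in via_shield[key].items():
            stored = direct[key].get(col)
            if col in protected:
                if stored == plain:
                    problems.append(f"row {key}: {col} is stored in the clear")
                elif isinstance(stored, str) and isinstance(plain, str) and plain and plain in stored:
                    problems.append(f"row {key}: {col} stored value still contains the plaintext")
            elif stored != plain:
                problems.append(f"row {key}: unprotected column {col} differs between paths")
    return (not problems, problems)


# Constructed sample: a two-row `customers` table after a policy that encrypts
# `ssn` and leaves `name` untouched.  Stored values are made-up opaque strings.
DIRECT_READ = {
    1: {"name": "Ada Lovelace", "ssn": "kZt9Q2xw8LwB3nPd0A=="},
    2: {"name": "Alan Turing", "ssn": "7HcRq1vY5pMfN2sG4Q=="},
}
SHIELD_READ = {
    1: {"name": "Ada Lovelace", "ssn": "123-45-6789"},
    2: {"name": "Alan Turing", "ssn": "987-65-4321"},
}

if __name__ == "__main__":
    # Against a live deployment build the two dicts with read_table(), e.g.
    #   read_table(lambda: pymysql.connect(host=DB_HOST, port=3306, user=U, password=P, database=DB),
    #              "customers", "id", ["name", "ssn"])
    #   read_table(lambda: pymysql.connect(host=SHIELD_IP, port=8444, user=U, password=P, database=DB),
    #              "customers", "id", ["name", "ssn"])
    ok, problems = verify_policy(DIRECT_READ, SHIELD_READ, {"ssn"})
    print("policy verified" if ok else "\n".join(problems))
```

The “stored in the clear” finding is the one to watch for after a Deploy Policy & Migrate Data run: it means the column was selected in the policy but the migration did not rewrite it, which is the symptom step 10 attributes to missing database privileges.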
Appendix A: Database Privileges for encryption and migration
In order to carry out encryption and migration, Baffle Shield requires certain user permissions on the database. It is recommended that you create a new user on your database for Baffle Shield to use, rather than using your database administrator account.
Use your SQL client to issue the following grants. Enter the credentials of this new user in section 3, step 2b, so that Baffle Shield has full privileges to encrypt and decrypt the data you select.
1. To create a new user:
A. CREATE USER '<baffle user>'@'%';
B. SET PASSWORD FOR '<baffle user>' = PASSWORD('<password>');
2. To grant the requisite permissions:
A. GRANT USAGE ON *.* TO '<baffle user>'@'%';
B. GRANT ALL PRIVILEGES ON shadow_information_schema.* TO '<baffle user>'@'%';
C. GRANT ALL PRIVILEGES ON <target database>.* TO '<baffle user>'@'%' WITH GRANT OPTION;
Repeat step C for each database you wish to encrypt. When completed, Baffle Shield has the permissions it needs to carry out encryption and migration. Use the credentials of the user specified here.
Appendix B: Minimum Required Database Privileges
These are the minimum required grants for users on your database who should have the least access privileges. Use your SQL client to issue the following commands with your admin user. These grants permit the restricted-access user to obtain only the data you specify.
For MySQL and Aurora databases:
1. Issue the following commands.
A. GRANT USAGE ON *.* TO '<username>'@'%';
B. GRANT ALL PRIVILEGES ON shadow_information_schema.* TO '<username>'@'%';
C. GRANT SELECT ON <target database>.<target table> TO '<username>'@'%';
Repeat step C for each table you wish to make accessible to the user. When completed, you may connect to the Baffle Shield proxy with this user.
D. To confirm the user’s privileges, use: SHOW GRANTS FOR '<username>'@'%';
2. OPTIONAL: some databases require the grants to carry the user’s password hash. Obtain the hash with the following:
A. SELECT PASSWORD ('<user password>');
Then insert the hash into the following statements:
B. GRANT USAGE ON *.* TO '<username>'@'%' IDENTIFIED BY PASSWORD '<password hash>';
C. GRANT ALL PRIVILEGES ON shadow_information_schema.* TO '<username>'@'%' IDENTIFIED BY PASSWORD '<password hash>';
D. GRANT SELECT ON <target database>.<target table> TO '<username>'@'%' IDENTIFIED BY PASSWORD '<password hash>';
As before, repeat step D for each table you have selected.
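The following Python script generates both grant scripts, the Shield account of Appendix A and the restricted account of Appendix B, from a list of databases or tables. It is an added example, not Baffle’s own tooling. It departs from the appendices in two ways: identifiers are backtick-quoted and string literals escaped, so an unusual database or table name cannot break a statement, and the account host is a parameter so that '%' can be narrowed to the Shield’s address. Accounts are created with CREATE USER ... IDENTIFIED BY, which MySQL 5.7 and 8.0 both accept; the SET PASSWORD ... = PASSWORD() and GRANT ... IDENTIFIED BY PASSWORD forms shown above were removed in MySQL 8.0. The user names, hosts and passwords in the block are constructed.

```python
"""Generate the MySQL/Aurora grant scripts of Appendix A (the account Baffle
Shield uses for encryption and migration) and Appendix B (an account that may
read only chosen tables).  Added example, not Baffle's own tooling.  Identifiers
are backtick-quoted, literals escaped, and the account host is a parameter
(constructed values below)."""

SHADOW_SCHEMA = "shadow_information_schema"   # schema named in both appendices


def quote_ident(name):
    """Backtick-quote a MySQL identifier, doubling any embedded backtick."""
    if not name or "\x00" in name:
        raise ValueError(f"invalid identifier: {name!r}")
    return "`" + name.replace("`", "``") + "`"


def quote_str(value):
    """Single-quote a MySQL string literal with backslash escaping."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def account(user, host):
    """'user'@'host' account name; host may be '%', an address, or a netmask form."""
    return f"{quote_str(user)}@{quote_str(host)}"


def shield_user_grants(user, host, password, databases):
    """Appendix A: full privileges on each database to be encrypted."""
    acct = account(user, host)
    stmts = [
        f"CREATE USER IF NOT EXISTS {acct} IDENTIFIED BY {quote_str(password)};",
        f"GRANT USAGE ON *.* TO {acct};",
        f"GRANT ALL PRIVILEGES ON {quote_ident(SHADOW_SCHEMA)}.* TO {acct};",
    ]
    for db in databases:                       # Appendix A step C, once per database
        stmts.append(f"GRANT ALL PRIVILEGES ON {quote_ident(db)}.* TO {acct} WITH GRANT OPTION;")
    stmts.append(f"SHOW GRANTS FOR {acct};")    # confirm what was granted
    return stmts


def restricted_user_grants(user, host, tables):
    """Appendix B: SELECT on the listed (database, table) pairs only."""
    acct = account(user, host)
    stmts = [
        f"GRANT USAGE ON *.* TO {acct};",
        f"GRANT ALL PRIVILEGES ON {quote_ident(SHADOW_SCHEMA)}.* TO {acct};",
    ]
    for db, table in tables:                   # Appendix B step C, once per table
        stmts.append(f"GRANT SELECT ON {quote_ident(db)}.{quote_ident(table)} TO {acct};")
    stmts.append(f"SHOW GRANTS FOR {acct};")
    return stmts


if __name__ == "__main__":
    # Constructed values: the Shield at a private address, analysts on one subnet
    # (MySQL's address/netmask host form), two tables exposed to them.
    print("\n".join(shield_user_grants("baffle_shield", "10.0.1.25", "change-me", ["customers"])))
    print()
    print("\n".join(restricted_user_grants("analyst", "10.0.2.0/255.255.255.0",
                                           [("customers", "accounts"), ("customers", "orders")])))
```

Pipe the output into your SQL client as the admin user; the closing SHOW GRANTS FOR line in each script prints exactly what the account ended up with, which is the check step 1D above asks for.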