Hands on with Baffle Data Protection Service

The following guide walks you through enabling classic application encryption using BaffleManager. Classic application encryption is the simplest way to protect your application data. It works well for personally identifiable information (PII) that is used in equality searches and joins, but not for data used in computations (sums, averages, arithmetic), which should be left out of the encrypted column set.

Prerequisites

Before you start, make sure that the security groups or firewall policies are configured to allow communication between the administrator machine, BaffleManager, the applications, and the databases. BaffleManager communicates with the administrator machine over port 22 (SSH) and port 443 (HTTPS). It communicates with databases and applications over port 22 (SSH) and port 8443 (HTTPS).

Enroll the application database

BaffleManager becomes aware of databases in your IT environment after you enroll them. To do so:

  1. Click on the tab labeled “Databases”.
  2. Look for the “+” button labeled “Enroll Database” and click on it.
  3. Provide the information requested and click the “Enroll Database” button.
    • Database Name – A name for you to use when referencing the database in BaffleManager going forward.
    • Database Description – Details or notes about the database that help identify it when the name alone is not sufficient.
    • Database Type – The type of database. (Note: for the evaluation release this is limited to MySQL or MySQL-RDS which support MySQL version 5.7).
    • Hostname/IP Address – The hostname or IP address of the database. (Note: For RDS databases, the DB hostname must be used).
    • Host Username – An OS username that BaffleManager uses to connect to the database host machine. This user must have sudo privileges, so treat it as a privileged service account: dedicate it to BaffleManager rather than reusing a personal login.
    • Host Credential – Password for the OS user used by BaffleManager to connect to the database host machine.
    • Database Username – A database username that can be used by BaffleManager to connect to the database server for monitoring purposes.
    • Database Credential – Password for the database user used by BaffleManager to connect to the database.

Enroll the application

BaffleManager becomes aware of the applications in your IT environment after you enroll them. To do so:

  1. Click on the tab labeled “Applications”.
  2. Look for the “+” button labeled “Enroll Application” and click on it.
  3. Provide the information requested and click the “Enroll Application” button.
    • Application Name – A name for you to use when referencing the application in BaffleManager going forward.
    • Application Description – Details or notes about the application that help identify it when the name alone is not sufficient.
    • Hostname/IP Address – The hostname or IP address of the application host. (Note: For applications running on EC2 instances in AWS, the hostname must be used).
    • Host Username – An OS username that can be used by BaffleManager to connect to the application host machine. This user must have sudo privileges.
    • Host Credential – Password for the OS user used by BaffleManager to connect to the application host machine.
    • Application DB Name – Select the database used by the application from the drop-down menu. It must already have been enrolled in the previous step.
    • Application DB Username – The database username used by the application to connect to the database server.
    • Application DB Credential – Password for the database user used by the application to connect to the database.

Enable application encryption

After enrolling the application, you should see the application listed in the “Applications” view. To enable encryption for data columns:

  1. Click on the application you just enrolled to expand the application details region and click the “Application Encryption” button.
  2. When prompted, choose to enable application encryption. BaffleManager will then contact the application database and display a list of the databases, tables, and columns the application can access.
  3. Click on the database, then the table, and then the column or columns you wish to encrypt. A check mark should appear next to each selected column.
  4. Click on the “Enable Encryption” button; a confirmation dialog should appear.
  5. Click on “Proceed” and BaffleManager will go through the process of migrating any existing data on the database and enabling encryption for all new data sent to the database.

Test it out

You can validate your data is encrypted by connecting directly to the application database as any user with access to the table and selecting from the encrypted column. Instead of the original data values, you should see only encrypted values.

To see the actual (unencrypted) values as the application does, connect to BaffleShield on the application host on port 8444 (this port is configurable). Data accessed through BaffleShield appears exactly as it did before encryption was enabled.
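The following validation queries are an added example, not part of the Baffle guide. They compare what a direct database connection returns with what a connection through BaffleShield returns, and then check that equality search and join on an encrypted column still work through the shield while arithmetic stays on unencrypted columns. The database name `appdb`, the tables `customers` and `orders`, the column names, the hostnames, and the user names are assumptions; the MySQL default port 3306 and the BaffleShield port 8444 are the only real values here. Run each block with the `mysql` client command shown in the comment above it.

```sql
-- Added validation script. Schema and names are assumptions, not from the guide:
--   appdb.customers(id, email, ssn, balance)   with email and ssn encrypted via BaffleManager
--   appdb.orders(id, customer_email, amount)   with customer_email encrypted the same way,
--                                               so the join on it below still matches

-- 1. Connect DIRECTLY to the database, bypassing BaffleShield (MySQL default port 3306):
--    mysql -h db.example.internal -P 3306 -u dba_user -p appdb
SELECT id, email, ssn
FROM customers
ORDER BY id
LIMIT 5;
-- Expected: email and ssn show ciphertext, not the values the application wrote.

-- A plaintext lookup against the raw table should find nothing, because only
-- ciphertext is stored there:
SELECT COUNT(*) AS plaintext_hits
FROM customers
WHERE email = 'alice@example.com';
-- Expected: 0

-- 2. Connect THROUGH BaffleShield on the application host (port 8444 unless reconfigured):
--    mysql -h app.example.internal -P 8444 -u app_user -p appdb
SELECT id, email, ssn
FROM customers
ORDER BY id
LIMIT 5;
-- Expected: the original plaintext values, exactly as the application sees them.

-- Equality search on an encrypted column works through the shield:
SELECT id, email
FROM customers
WHERE email = 'alice@example.com';

-- Join on an encrypted column works through the shield:
SELECT c.id, c.email, o.id AS order_id, o.amount
FROM customers AS c
JOIN orders AS o ON o.customer_email = c.email
WHERE c.email = 'alice@example.com';

-- Computations are outside what classic application encryption is designed for.
-- Keep columns you aggregate or do arithmetic on (balance here) out of the
-- encrypted set, and run aggregates only over unencrypted columns:
SELECT AVG(balance) AS avg_balance
FROM customers;
```

Run the first two queries as a database user who has table access but no relationship to the application; if they show readable PII, encryption for that column is not in effect. Run the remaining queries as the application's own database user, since that is the identity BaffleShield serves.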