/ Security

Database protection suite with selective encryption and intrusion detection

Database protection suite with selective encryption and intrusion detection

acra

Database encryption proxy for data-driven apps: strong selective encryption, SQL injections prevention, intrusion detection, honeypots.

What is Acra

Acra — database security suite for sensitive and personal data protection.

Acra provides selective encryption, multi-layered access control, database leakage prevention, and intrusion detection capabilities in a convenient, developer-friendly package. Acra was specifically designed for web and mobile apps with centralised data storage, including with distributed, microservice-rich applications.

Perfect Acra-compatible applications Typical industries
Web and mobile apps that store data in a centralised database or object storage
  • Healthcare
  • Finance
  • E-commerce
  • Critical infrastructures
  • Apps with > 1000 users
IoT apps that collect telemetry and process data in cloud
High-load data processing apps

Acra gives you tools for encrypting the data on the application's side into special cryptographic containers, storing them in the database or file storage, and then decrypting them in a secure compartmented area (separate virtual machine/container).

Cryptographic design ensures that no secret (password, key, etc.) leaked from the application or database will be sufficient for decryption of the protected data chunks that originate from it. Acra minimises the leakage scope, detects unauthorised behavior, and prevents the leakage, informing operators of the incident underway.

Major security features

  • Cryptographic protection of data
  • during storage and transmission
  • Selective encryption
  • protect only the sensitive data to have both good security and performance
  • Key management tools
  • built-in tools for key distribution, key rotation, and compartmentalisation
  • Trust compartmentalisation
  • datastore and application components can be compromised, yet the data is protected
  • Prevention of SQL injections
  • through a built-in SQL firewall
  • Intrusion detection system
  • to give an early warning about suspicious behaviour
  • Running SQL queries over encrypted data
  • coming in the (near) future releases
  • Pseudonymisation
  • Cryptographically protected audit log
  • Developer and DevOps friendly

  • Secure default settings
  • your infrastructure is secure from the start without additional configuring
  • Cryptography is hidden
    under the hood
  • no risk of selecting the wrong key length or algorithm padding
  • Automation-friendly
  • easy to configure and automate
  • Quick infrastructure integration
  • via binary packages or Docker images
  • Easy client code integration
  • client-side encryption libraries support ~10 languages
  • Logging, metrics, tracing
  • throughout all Acra components;
    compatible with ELK stack, Prometheus, Jaeger
  • No vendor lock
  • rollback utilities to decrypt database into plaintext
  • Demos and simulators
  • numerous web-based and Docker-based demo projects

    Cryptography

    Acra relies on our cryptographic library Themis, which implements high-level cryptosystems based on the best available open-source implementations of the most reliable ciphers. Acra strictly doesn't contain self-made cryptographic primitives or obscure ciphers. To deliver its unique guarantees, Acra relies on the combination of well-known ciphers and smart key management scheme.

    Default crypto-primitive source OpenSSL
    Supported crypto-primitive sources ᵉ BoringSSL, LibreSSL, FIPS-compliant, GOST-compliant, HSM
    Storage encryption AES-256-GCM + ECDH
    Transport encryption TLS v1.2+ / Themis Secure Session
    KMS integration ᵉ Amazon KMS, Google Cloud Platform KMS, Hashicorp Vault, Keywhiz

    ᵉ — available in the Enterprise version of Acra only. Drop us an email to get a full list of features and a quote.

    Try Acra without writing code

    Acra Live Demo (see Acra in action in one click)

    Acra Live Demo is a web-based demo of protecting data in a typical web-infrastructure (deployed on our servers for your convenience).

    Acra Live Demo infrastructure contains: Django-based application, PostgreSQL database, AcraServer with AcraCensor, log monitor. Sensitive data is encrypted in a Django application, stored in a database, and decrypted through Acra.

    From the users' perspective, the website's work is unchanged. However, the data is securely protected so that even hacking the web application won't lead to data leakage.

    The available actions include:

    Requirements: Chrome, Firefox, or Safari browser.

    Note: We create separate playground for each user, that's why we ask for your email; you'll receive the invitation link.

    🖥 Request Acra Live Demo 🖥

    How does Acra work?

    To better understand the architecture and data flow in Acra, please refer to the Architecture and data flow section in the documentation.

    Protecting data in SQL databases using AcraWriter and AcraServer

    Acra Server: simplified architecture

    This is what the process of encryption and decryption of data in a database looks like:

    • Your application encrypts some data through AcraWriter by generating an AcraStruct using Acra storage public key and then updates the database. AcraStructs generated by AcraWriter can't be decrypted by it — only the Acra's server side has the keys for decryption.
    • To retrieve the decrypted data, your application talks to AcraServer. It is a server-side service that works as database proxy: it sits transparently between your application and the database and listens silently to all the traffic that's coming to and from the database.
    • AcraServer monitors the incoming SQL requests and blocks the unwanted ones using the built-in configurable firewall called AcraCensor. AcraServer only sends allowed requests to the database. Certain configurations for AcraServer can be adjusted remotely using AcraWebConfig web server.
    • Upon receiving the database response, AcraServer tries to detect the AcraStructs, decrypts them, and returns the decrypted data to the application.
    • AcraConnector is a client-side daemon responsible for providing encrypted and authenticated connection between the application and AcraServer. AcraConnector runs under a separate user/in a separate container and acts as middleware. AcraConnector accepts connections from the application, adds an extra transport encryption layer using TLS or Themis Secure Session, sends the data to AcraServer, receives the result, and sends it back to the application.

    Protecting data in any file storage using AcraWriter and AcraTranslator

    Acra Translator: simplified architecture

    In some use cases, the application can store encrypted data as separate blobs (files that are not in a database, i.e. in a S3 bucket, local file storage, etc.). In this case, you can use AcraTranslator — a lightweight server that receives AcraStructs and returns the decrypted data.

    This is what the process of encryption and decryption of data using AcraTranslator looks like:

    • Your application encrypts some data using AcraWriter, generating an AcraStruct using Acra storage public key and puts the data into any file storage. AcraStructs generated by AcraWriter can't be decrypted by it — only the Acra's server side has the right keys for decrypting it.
    • To decrypt an AcraStruct, your application sends it to AcraTranslator as a binary blob via HTTP or gRPC API. AcraTranslator doesn’t care about the source of the data, it is responsible for holding all the secrets required for data decryption and for actually decrypting the data.
    • AcraTranslator decrypts AcraStructs and returns the decrypted data to the application.
    • To avoid sending plaintext via an unsecured channel, AcraTranslator requires the use of AcraConnector, a client-side daemon responsible for providing encrypted and authenticated connection between the application and AcraServer. AcraConnector runs under a separate user/in a separate container and acts as middleware. It accepts connections from the application, adds transport encryption layer using TLS or Themis Secure Session, sends data to AcraServer, receives the result, and sends it back to the application.

    AcraTranslator and AcraServer are fully independent server-side components and can be used together or separately depending on your infrastructure.

    GitHub