Database encryption proxy for data-driven apps: strong selective encryption, SQL injections prevention, intrusion detection, honeypots.
What is Acra
Acra — database security suite for sensitive and personal data protection.
Acra provides selective encryption, multi-layered access control, database leakage prevention, and intrusion detection capabilities in a convenient, developer-friendly package. Acra was specifically designed for web and mobile apps with centralised data storage, including with distributed, microservice-rich applications.
|Perfect Acra-compatible applications||Typical industries|
|Web and mobile apps that store data in a centralised database or object storage||
|IoT apps that collect telemetry and process data in cloud|
|High-load data processing apps|
Acra gives you tools for encrypting the data on the application's side into special cryptographic containers, storing them in the database or file storage, and then decrypting them in a secure compartmented area (separate virtual machine/container).
Cryptographic design ensures that no secret (password, key, etc.) leaked from the application or database will be sufficient for decryption of the protected data chunks that originate from it. Acra minimises the leakage scope, detects unauthorised behavior, and prevents the leakage, informing operators of the incident underway.
Major security features
|during storage and transmission|
|protect only the sensitive data to have both good security and performance|
|built-in tools for key distribution, key rotation, and compartmentalisation|
|datastore and application components can be compromised, yet the data is protected|
|through a built-in SQL firewall|
|to give an early warning about suspicious behaviour|
|coming in the (near) future releases|
Developer and DevOps friendly
|your infrastructure is secure from the start without additional configuring|
under the hood
|no risk of selecting the wrong key length or algorithm padding|
|easy to configure and automate|
|via binary packages or Docker images|
|client-side encryption libraries support ~10 languages|
| throughout all Acra components;|
compatible with ELK stack, Prometheus, Jaeger
|rollback utilities to decrypt database into plaintext|
|numerous web-based and Docker-based demo projects|
Acra relies on our cryptographic library Themis, which implements high-level cryptosystems based on the best available open-source implementations of the most reliable ciphers. Acra strictly doesn't contain self-made cryptographic primitives or obscure ciphers. To deliver its unique guarantees, Acra relies on the combination of well-known ciphers and smart key management scheme.
|Default crypto-primitive source||OpenSSL|
|Supported crypto-primitive sources ᵉ||BoringSSL, LibreSSL, FIPS-compliant, GOST-compliant, HSM|
|Storage encryption||AES-256-GCM + ECDH|
|Transport encryption||TLS v1.2+ / Themis Secure Session|
|KMS integration ᵉ||Amazon KMS, Google Cloud Platform KMS, Hashicorp Vault, Keywhiz|
Try Acra without writing code
Acra Live Demo (see Acra in action in one click)
Acra Live Demo is a web-based demo of protecting data in a typical web-infrastructure (deployed on our servers for your convenience).Acra Live Demo infrastructure contains: Django-based application, PostgreSQL database, AcraServer with AcraCensor, log monitor. Sensitive data is encrypted in a Django application, stored in a database, and decrypted through Acra.
From the users' perspective, the website's work is unchanged. However, the data is securely protected so that even hacking the web application won't lead to data leakage.
The available actions include:
- adding new rows to the database (in plaintext and encrypted form);
- watching the database content change in real-time;
- running malicious SQL queries that will be blocked by AcraCensor;
- rolling back the encrypted data;
- intrusion detection.
Requirements: Chrome, Firefox, or Safari browser.
Note: We create separate playground for each user, that's why we ask for your email; you'll receive the invitation link.
|? Request Acra Live Demo ?|
How does Acra work?
To better understand the architecture and data flow in Acra, please refer to the Architecture and data flow section in the documentation.
Protecting data in SQL databases using AcraWriter and AcraServer
This is what the process of encryption and decryption of data in a database looks like:
- Your application encrypts some data through AcraWriter by generating an AcraStruct using Acra storage public key and then updates the database. AcraStructs generated by AcraWriter can't be decrypted by it — only the Acra's server side has the keys for decryption.
- To retrieve the decrypted data, your application talks to AcraServer. It is a server-side service that works as database proxy: it sits transparently between your application and the database and listens silently to all the traffic that's coming to and from the database.
- AcraServer monitors the incoming SQL requests and blocks the unwanted ones using the built-in configurable firewall called AcraCensor. AcraServer only sends allowed requests to the database. Certain configurations for AcraServer can be adjusted remotely using AcraWebConfig web server.
- Upon receiving the database response, AcraServer tries to detect the AcraStructs, decrypts them, and returns the decrypted data to the application.
- AcraConnector is a client-side daemon responsible for providing encrypted and authenticated connection between the application and AcraServer. AcraConnector runs under a separate user/in a separate container and acts as middleware. AcraConnector accepts connections from the application, adds an extra transport encryption layer using TLS or Themis Secure Session, sends the data to AcraServer, receives the result, and sends it back to the application.
Protecting data in any file storage using AcraWriter and AcraTranslator
In some use cases, the application can store encrypted data as separate blobs (files that are not in a database, i.e. in a S3 bucket, local file storage, etc.). In this case, you can use AcraTranslator — a lightweight server that receives AcraStructs and returns the decrypted data.
This is what the process of encryption and decryption of data using AcraTranslator looks like:
- Your application encrypts some data using AcraWriter, generating an AcraStruct using Acra storage public key and puts the data into any file storage. AcraStructs generated by AcraWriter can't be decrypted by it — only the Acra's server side has the right keys for decrypting it.
- To decrypt an AcraStruct, your application sends it to AcraTranslator as a binary blob via HTTP or gRPC API. AcraTranslator doesn’t care about the source of the data, it is responsible for holding all the secrets required for data decryption and for actually decrypting the data.
- AcraTranslator decrypts AcraStructs and returns the decrypted data to the application.
- To avoid sending plaintext via an unsecured channel, AcraTranslator requires the use of AcraConnector, a client-side daemon responsible for providing encrypted and authenticated connection between the application and AcraServer. AcraConnector runs under a separate user/in a separate container and acts as middleware. It accepts connections from the application, adds transport encryption layer using TLS or Themis Secure Session, sends data to AcraServer, receives the result, and sends it back to the application.
AcraTranslator and AcraServer are fully independent server-side components and can be used together or separately depending on your infrastructure.