Introduction
This use case has been developed for JISA's CryptoBind HSM (Network Security Module by JISA, powered by LiquidSecurity). The HSM is used in a database encryption solution to store and protect the keys that encrypt and decrypt database contents. Database encryption applies an algorithm to transform stored data into ciphertext, which cannot be read unless it is decrypted with the correct key. It protects the data in a database from unauthorized or malicious users: without the key, the stored data is meaningless to an attacker who obtains it. The two common approaches are encrypting at the column level and transparent database encryption (TDE).
Why use CryptoBind HSM in this use case?
If the encryption key is stored in the same database as the data it protects, anyone who gains access to the database (including a compromised or malicious administrator account) can obtain the key and decrypt the data. To prevent unauthorized decryption, database administrators should keep the keys in an external module, i.e. CryptoBind HSM, so that the master key is generated and held inside the HSM rather than alongside the data. This gives the encryption keys a far higher level of protection than storage inside the database itself.
Use case flow
Column Level Encryption
CryptoBind HSM is configured with the database for data encryption. When data is collected and stored as records, those records appear in tabular form as rows in the database, with each row logging specific attributes (columns). Some attributes are more sensitive than others, for example date of birth, social security number or home address, which can identify a person. To secure this private information, column-level encryption is configured: the database's encryption APIs are configured to generate master keys in the HSM, and the data in each selected column is encrypted using keys protected by those master keys. Unlike table-level encryption, which uses one key for the whole table, column-level encryption uses a separate key for each column, so exposure of one column's key does not expose the other columns.
Transparent Database Encryption
The transparent encryption use case is shown in the figure below, where encryption keys are the secrets used in combination with an encryption algorithm to encrypt data. TDE first creates and uses a master key and one or more tablespace keys. The tablespace keys encrypt the data in their tablespaces and are themselves encrypted (wrapped) using the master key, which is stored in CryptoBind HSM; a copy of the database files, with their wrapped tablespace keys, therefore cannot be decrypted without access to the HSM. The CryptoBind KMS solution is integrated with the HSM to manage the key lifecycle. It enables organizations to use the native encryption of databases, big data platforms, virtual machines, etc. by providing KMIP-based clients, whose keys are managed in synchronization with the KMS KMIP server.
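The two key hierarchies described above (one data key per sensitive column for column-level encryption, one key per tablespace for TDE, each wrapped by a master key that stays in the HSM) can be seen end to end in the following added example, which is not CryptoBind or JISA code. It assumes only the Python standard library, so an HMAC-SHA256 counter-mode construction with encrypt-then-MAC stands in for AES-GCM, and it simulates the HSM as a hypothetical in-process object (SimulatedHsm) that wraps and unwraps data keys but never hands out master key bytes; a real deployment would reach the HSM through its own API. It also shows why the hierarchy matters in practice: rotating the master key re-wraps the data keys without re-encrypting any rows, and a copy of the database's wrapped keys and ciphertext cannot be decrypted against a different HSM.

```python
# Added example (not CryptoBind/JISA code). Assumes the standard library only:
# HMAC-SHA256 in counter mode with encrypt-then-MAC stands in for AES-GCM, and
# SimulatedHsm is a hypothetical in-process stand-in for the real HSM.
import hashlib
import hmac
import secrets

KEY_LEN, NONCE_LEN, TAG_LEN = 32, 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC; aad is authenticated (not encrypted) and binds the blob to its scope."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return nonce + ct + hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key, tampered data or wrong scope")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class SimulatedHsm:
    """Master keys live only here; callers can wrap and unwrap data keys, never read masters."""

    def __init__(self) -> None:
        self._masters: dict[str, bytes] = {}

    def generate_master_key(self, label: str) -> None:
        self._masters[label] = secrets.token_bytes(KEY_LEN)

    def wrap(self, label: str, data_key: bytes, scope: str) -> bytes:
        return seal(self._masters[label], data_key, scope.encode())

    def unwrap(self, label: str, wrapped: bytes, scope: str) -> bytes:
        return open_sealed(self._masters[label], wrapped, scope.encode())


class EncryptedStore:
    """What the database keeps on disk: wrapped data keys (one per column or per
    tablespace) and ciphertext. A plaintext data key exists only transiently."""

    def __init__(self, hsm: SimulatedHsm, master_label: str) -> None:
        self.hsm, self.master_label = hsm, master_label
        self.wrapped_keys: dict[str, bytes] = {}  # scope -> data key wrapped by the HSM master
        self.rows: dict[str, bytes] = {}          # "scope/item" -> ciphertext

    def data_key(self, scope: str) -> bytes:
        if scope not in self.wrapped_keys:  # first use of a column/tablespace: fresh key
            self.wrapped_keys[scope] = self.hsm.wrap(self.master_label, secrets.token_bytes(KEY_LEN), scope)
        return self.hsm.unwrap(self.master_label, self.wrapped_keys[scope], scope)

    def put(self, scope: str, item: str, plaintext: bytes) -> None:
        self.rows[f"{scope}/{item}"] = seal(self.data_key(scope), plaintext, f"{scope}/{item}".encode())

    def get(self, scope: str, item: str) -> bytes:
        return open_sealed(self.data_key(scope), self.rows[f"{scope}/{item}"], f"{scope}/{item}".encode())

    def rotate_master(self, new_label: str) -> None:
        """Master-key rotation re-wraps the data keys; no row is re-encrypted."""
        for scope in list(self.wrapped_keys):
            self.wrapped_keys[scope] = self.hsm.wrap(new_label, self.data_key(scope), scope)
        self.master_label = new_label


def demo() -> dict:
    hsm = SimulatedHsm()
    hsm.generate_master_key("db-master-v1")
    db = EncryptedStore(hsm, "db-master-v1")
    db.put("customers.ssn", "row1", b"123-45-6789")  # column-level: only sensitive columns,
    db.put("customers.dob", "row1", b"1980-01-31")   # each under its own data key (constructed data)
    db.put("ts.users", "page0", b"\x00raw tablespace page")  # TDE-style: whole page, tablespace key
    rows_before = dict(db.rows)

    hsm.generate_master_key("db-master-v2")
    db.rotate_master("db-master-v2")

    # Stolen copy of the on-disk artefacts read against a different HSM: the wrapped
    # keys cannot be opened, so nothing decrypts even though the hierarchy is intact.
    thief_hsm = SimulatedHsm()
    thief_hsm.generate_master_key("db-master-v2")
    stolen = EncryptedStore(thief_hsm, "db-master-v2")
    stolen.wrapped_keys, stolen.rows = dict(db.wrapped_keys), dict(db.rows)
    try:
        stolen.get("customers.ssn", "row1")
        stolen_readable = True
    except ValueError:
        stolen_readable = False

    return {
        "ssn": db.get("customers.ssn", "row1"),
        "page": db.get("ts.users", "page0"),
        "per_scope_keys_differ": db.data_key("customers.ssn") != db.data_key("customers.dob"),
        "rows_untouched_by_rotation": rows_before == db.rows,
        "stolen_readable": stolen_readable,
    }


if __name__ == "__main__":
    print(demo())
```

Running the file prints the result dictionary: the legitimate store still reads the SSN and the tablespace page after the master key has been rotated, the rows on disk are byte-for-byte unchanged by the rotation, the two columns use different data keys, and the stolen copy cannot be read. The scope string passed as authenticated data is what stops a wrapped key or a ciphertext from being replayed under another column or tablespace; a production deployment would keep that binding but replace the stand-in cipher with AES-GCM and the in-process HSM with the real device.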