
PolarDB:Confidential O&M and data masking

Last Updated:May 17, 2024

After data is encrypted, database administrators (DBAs) who are not authorized can see only ciphertext and cannot perform O&M operations on it. An always-confidential database allows DBAs who are granted the required permissions by using a behavior control list (BCL) to perform O&M operations on ciphertext data. An always-confidential database also provides data masking, so that DBAs never see sensitive information in plaintext during confidential O&M.

Scenarios

For example, you accidentally delete personal data in a database. After you submit a ticket, a DBA can perform data tracking to restore the deleted data. In most cases, the DBA checks whether the data was successfully restored by sampling the data. However, if the restored data is encrypted, the DBA cannot check whether the restored data is consistent with the original data.

  • If the DBA does not have the permissions to perform confidential O&M operations, the DBA cannot decrypt the encrypted data.

  • If the DBA is granted required permissions by using a BCL, the DBA can access the masked plaintext data. The masked plaintext can be used to verify data accuracy without exposing sensitive data.

Example

The following section uses a table named person for which privacy protection is provided as an example to describe confidential O&M and data masking. Before your operation, configure related settings as described in Privacy protection.

  1. The data department has not granted the DBA the required permissions. As a result, the DBA cannot view the data, and the private data stays protected.

    Note
    • Revoke the permissions that were granted for privacy protection.

    • Execute the following statement as the ins_data user.

    SELECT encdb.decrypt(id) FROM person;
     WARNING:  -- encdb -- -- Untrusted log -- 4 - src/core/untrusted/src/encdb_untrusted_enclave.cpp,256,encdb_ecall: Select BCL (subject_mekid: 178079820457738240, issuer_mekid: 178079820457738240) from table fail - returned 0xfa030000
     ERROR:  encdb_ext_enc_text_decrypt: enc_text decrypt errno:fa030000
  2. The data department grants the DBA the permissions to view the masked data.

    # Configure and issue a BCL to update the authorization scope, including the group ID, for the data encryption key (DEK).
     
    ./genEncdbSQLCommand.sh -r BCL_ISSUE --subject_sign --spriv sample/usr_pri_data.pem --spuk sample/usr_puk_data.pem --ipuk sample/usr_puk_data.pem --bcl sample/bcl_data_for_dba_select.txt -c ${cipher_suite}
    ./genEncdbSQLCommand.sh -r BCL_ISSUE --issuer_sign --ipriv sample/usr_pri_data.pem --spuk sample/usr_puk_data.pem --ipuk sample/usr_puk_data.pem --bcl sample/bcl_data_for_dba_select.txt -c ${cipher_suite}

    The DBA can view the masked data and perform subsequent O&M operations.

    SELECT encdb.decrypt(id) FROM person;
           decrypt
     --------------------
      11122*********9999
      11122*********8888
     (2 rows)
  3. After the O&M operations are complete, the data department revokes the permissions from the DBA as soon as possible.

    # Revoke the previously granted permissions defined in the BCL.
     
    ./genEncdbSQLCommand.sh -r BCL_REVOKE --puk sample/usr_puk_data.pem --pri sample/usr_pri_data.pem --brl sample/brl_data_for_dba_select.txt -c ${cipher_suite}

    After the permissions are revoked, the DBA cannot execute the statements for O&M operations.

    Note

    Execute the following statement as the ins_data user.

    SELECT encdb.decrypt(id) FROM person;
     NOTICE:  -- encdb -- -- Enclave log -- 4 - src/core/trusted/src/key_mgmt.cpp,576,encdb_trusted_import_bcl: BCL (aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa) was invalidated by BRL (1dec8190-3fd6-4de1-9ab7-7c1456933b28)
     NOTICE:  -- encdb -- -- Enclave log -- 4 - src/core/trusted/src/key_mgmt.cpp,596,encdb_trusted_import_bcl: no BCL authorization
     WARNING:  -- encdb -- -- Untrusted log -- 4 - src/core/untrusted/src/encdb_untrusted_enclave.cpp,250,encdb_ecall: Import BCL (subject_mekid: 178079820457738240, issuer_mekid: 178079820457738240) to enclave failed - returned 0xfa020000
     ERROR:  encdb_ext_enc_text_decrypt: enc_text decrypt errno:fa020000
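The following shell functions are an added example, not part of the PolarDB documentation or the encdb tooling: they check, from the psql output of the three steps above, that what the DBA sees while the BCL is issued is masked (no plaintext row) and whether a failed decrypt means no BCL was issued (step 1) or the BCL was revoked by a BRL (step 3). The 5-digit/4-digit visible mask shape is assumed from the example output above, and the mekid and BCL/BRL identifiers in the samples are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: post-checks for the confidential O&M procedure above.
# Constructed sample of the masked psql result shown in step 2.
MASKED_SAMPLE='       decrypt
 --------------------
  11122*********9999
  11122*********8888
 (2 rows)'

# Constructed, shortened samples of the server messages shown in steps 1 and 3.
NO_BCL_LOG='WARNING:  -- encdb -- Select BCL (subject_mekid: 1, issuer_mekid: 1) from table fail - returned 0xfa030000
ERROR:  encdb_ext_enc_text_decrypt: enc_text decrypt errno:fa030000'
REVOKED_LOG='NOTICE:  -- encdb -- BCL (<bcl-id>) was invalidated by BRL (<brl-id>)
NOTICE:  -- encdb -- no BCL authorization
ERROR:  encdb_ext_enc_text_decrypt: enc_text decrypt errno:fa020000'

# Succeed only if every data row is masked: leading and trailing digits visible,
# the middle replaced by asterisks. The 5+4 visible-digit shape is assumed from
# the example output above; adjust the pattern to the masking rule you configured.
check_masked_output() {
  local rows=0 line
  while IFS= read -r line; do
    line="${line#"${line%%[![:space:]]*}"}"      # strip leading whitespace
    case "$line" in
      decrypt|---*|"("*row*")"|"") continue ;;   # header, rule, row count, blanks
    esac
    rows=$((rows + 1))
    if ! printf '%s\n' "$line" | grep -Eq '^[0-9]{5}\*+[0-9]{4}$'; then
      echo "unmasked or unexpected row: $line" >&2  # a plaintext row means the mask is not applied
      return 1
    fi
  done <<EOF
$1
EOF
  [ "$rows" -gt 0 ]
}

# Map the server output of a decrypt attempt to the state of the DBA's BCL grant.
classify_decrypt_error() {
  case "$1" in
    *"was invalidated by BRL"*)       echo revoked ;;  # step 3: a BRL revoked the BCL
    *"Select BCL"*"from table fail"*) echo no_bcl ;;   # step 1: no BCL issued for the DBA
    *"enc_text decrypt errno:"*)      echo other ;;
    *)                                echo ok ;;
  esac
}
```

Run `check_masked_output` on the captured result before the DBA starts sampling and `classify_decrypt_error` on the output after revocation to confirm that step 3 actually took effect.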