Encryption
Used method
Encryption is implemented using openssl's hybrid encryption feature. It combines an RSA public/private key pair with symmetric AES encryption, to get both the security of public/private keys and the performance of symmetric encryption. The usage is similar to pgp: you only need to store your public key on the server, where it is used to encrypt. Decryption is only possible with the private key of the key pair, which should be kept somewhere safe.
Encryption is accomplished in the following way:
openssl smime -encrypt -binary -text -aes256 \
  -in input.sql \
  -out output.sql.enc \
  -outform DER mysqldump-secure.pub.pem
Why I chose openssl smime over pgp?
Openssl's smime encryption has the same security advantage pgp has: the private key is stored in a safe location away from the server. However, the main advantage of openssl smime over pgp is speed.
Here is a simple benchmark that shows how much faster it is with a 1GB file:
# Create random 1GB file
openssl rand -out sample.txt -base64 $(( 2**30 * 3/4 ))
# GPG encrypt
$ time gpg --yes --batch --no-permission-warning --quiet --recipient cytopia --output sample.txt.gpg --encrypt sample.txt
real 0m56.060s
user 0m54.247s
sys 0m1.392s
# Openssl encrypt
$ time openssl smime -encrypt -binary -text -outform DER -aes256 -in sample.txt -out sample.txt.aes mysqldump-secure.pub.pem
real 0m18.025s
user 0m13.862s
sys 0m3.498s
As you can see openssl is almost three times as fast as pgp.
Create public/private key
To generate the public/private keys initially, use the bundled shell script create-keypair.sh. This creates a 2048-bit pair as follows:
openssl req -x509 -nodes -newkey rsa:2048 \
  -keyout mysqldump-secure.priv.pem \
  -out mysqldump-secure.pub.pem
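The following round trip ties together the encryption command and the key generation above. It is an added example, not part of mysqldump-secure: it checks that the matching private key restores a dump byte for byte and that an unrelated private key does not. The decrypt command, the `-subj` value, the function names and the sample dump are assumptions made for the demonstration.

```sh
#!/bin/sh
# Added example: key pair, subject name and dump contents are constructed.

# make_keypair PREFIX: the page's key generation command; -subj is an
# addition so that it runs without prompting.
make_keypair() {
    openssl req -x509 -nodes -newkey rsa:2048 -subj "/CN=backup-demo" \
        -keyout "$1.priv.pem" -out "$1.pub.pem" 2>/dev/null
}

# encrypt_dump IN OUT PUBCERT: the page's encryption command, unchanged.
encrypt_dump() {
    openssl smime -encrypt -binary -text -aes256 \
        -in "$1" -out "$2" -outform DER "$3"
}

# decrypt_dump IN OUT PRIVKEY: assumed counterpart (not shown on the page),
# run wherever the private key is kept.
decrypt_dump() {
    openssl smime -decrypt -binary -inform DER \
        -in "$1" -out "$2" -inkey "$3" 2>/dev/null
}

# roundtrip_demo: prints "ok" when the matching private key restores the
# dump byte for byte and an unrelated private key does not.
roundtrip_demo() {
    dir=$(mktemp -d) || return 1
    printf 'CREATE TABLE t (id INT);\nINSERT INTO t VALUES (1);\n' > "$dir/dump.sql"
    make_keypair "$dir/backup" || return 1
    make_keypair "$dir/other" || return 1
    encrypt_dump "$dir/dump.sql" "$dir/dump.enc" "$dir/backup.pub.pem" || return 1

    result=ok
    if grep -q 'CREATE TABLE' "$dir/dump.enc"; then
        result="plaintext visible in ciphertext"
    fi
    if ! { decrypt_dump "$dir/dump.enc" "$dir/good.sql" "$dir/backup.priv.pem" &&
           cmp -s "$dir/dump.sql" "$dir/good.sql"; }; then
        result="round trip failed"
    fi
    if decrypt_dump "$dir/dump.enc" "$dir/bad.sql" "$dir/other.priv.pem" &&
       cmp -s "$dir/dump.sql" "$dir/bad.sql"; then
        result="unrelated key decrypted the dump"
    fi
    rm -rf "$dir"
    echo "$result"
    [ "$result" = ok ]
}

roundtrip_demo
```

Running a restore test like this against a real backup, on the machine that holds the private key, confirms that the stored key actually matches the certificate deployed on the server.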
Performance
RSA
You can test the performance on your target machine yourself with:
openssl speed rsa512
Values on my machine are
| | rsa 512 | rsa 1024 | rsa 2048 | rsa 4096 |
|---|---|---|---|---|
| # of sign/s | 6,878.4 | 2,075.8 | 398.8 | 66.4 |
| # of verify/s | 99,898.4 | 42,966.3 | 15,396.4 | 4,751.5 |
AES
You can test the performance on your target machine yourself with:
openssl speed aes-128-cbc
Values on my machine are
| | aes 128 cbc | aes 192 cbc | aes 256 cbc |
|---|---|---|---|
| 16 bytes | 150812.11 k | 126749.73 k | 119884.20 k |
| 64 bytes | 153859.62 k | 134592.51 k | 119803.50 k |
| 256 bytes | 156139.70 k | 137572.39 k | 116165.86 k |
| 1024 bytes | 156203.72 k | 136104.24 k | 120017.89 k |
| 8192 bytes | 159386.04 k | 135400.37 k | 123281.67 k |