Encryption

Used method

Encryption is implemented using OpenSSL's hybrid encryption feature. It combines an RSA public/private key pair with symmetric AES encryption in order to make use of the security of public/private keys and the performance of symmetric encryption. The usage is similar to PGP: you only need to store your public key on the server, where it is used to encrypt. Decryption is only possible with the matching private key, which should be kept somewhere safe.

Encryption is accomplished in the following way:

openssl smime -encrypt -binary -text -aes256 \
	-in input.sql \
	-out output.sql.enc \
	-outform DER mysqldump-secure.pub.pem

Why I chose openssl smime over pgp?

OpenSSL's smime encryption has the same security advantage as PGP: the private key is stored in a safe location away from the server. However, the main advantage of openssl smime over pgp is speed.

Here is a simple benchmark that shows how much faster it is with a 1GB file:

# Create random 1GB file
openssl rand -out sample.txt -base64 $(( 2**30 * 3/4 ))
# GPG encrypt
$ time gpg  --yes --batch --no-permission-warning --quiet --recipient cytopia --output sample.txt.gpg --encrypt sample.txt

real    0m56.060s
user    0m54.247s
sys     0m1.392s
# Openssl encrypt
$ time openssl smime -encrypt -binary -text -outform DER -aes256 -in sample.txt -out sample.txt.aes mysqldump-secure.pub.pem

real    0m18.025s
user    0m13.862s
sys     0m3.498s

As you can see, openssl is almost three times as fast as pgp.

Create public/private key

To generate the initial public/private key pair, use the bundled shell script create-keypair.sh. This creates a 2048-bit pair as follows:

openssl req -x509 -nodes -newkey rsa:2048 \
    -keyout mysqldump-secure.priv.pem \
    -out mysqldump-secure.pub.pem
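
A restore check built from the two commands above, as an added example that is not part of mysqldump-secure: it creates a throwaway key pair, encrypts a constructed sample dump with the page's command, decrypts it with the private key, and confirms that the certificate stored on the server cannot decrypt by itself. The function names, temp directory, `-subj`/`-days` values and the decrypt invocation are assumptions of this example, not taken from the page.

```shell
#!/usr/bin/env bash
# Added example, not part of mysqldump-secure. File names follow the page;
# the temp directory, -subj/-days values and sample dump are constructed.

make_keypair() {    # $1 = directory for a throwaway test key pair
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=backup-test" \
        -keyout "$1/mysqldump-secure.priv.pem" \
        -out "$1/mysqldump-secure.pub.pem" 2>/dev/null
}

encrypt_dump() {    # $1 = plaintext, $2 = ciphertext, $3 = public certificate
    openssl smime -encrypt -binary -text -aes256 \
        -in "$1" -out "$2" -outform DER "$3"
}

decrypt_dump() {    # $1 = ciphertext, $2 = plaintext, $3 = key file
    # No -text on decrypt: -binary on the encrypt side stores the dump verbatim.
    openssl smime -decrypt -binary -inform DER \
        -in "$1" -out "$2" -inkey "$3" 2>/dev/null
}

# Returns 0 only if the dump survives encrypt/decrypt byte for byte AND
# the certificate kept on the server cannot decrypt it by itself.
verify_backup_crypto() {
    local d rc=0
    d=$(mktemp -d) || return 1
    printf 'CREATE TABLE t (id INT);\nINSERT INTO t VALUES (1);\n' > "$d/input.sql"
    make_keypair "$d" || rc=1
    encrypt_dump "$d/input.sql" "$d/output.sql.enc" "$d/mysqldump-secure.pub.pem" || rc=1
    decrypt_dump "$d/output.sql.enc" "$d/restored.sql" "$d/mysqldump-secure.priv.pem" || rc=1
    cmp -s "$d/input.sql" "$d/restored.sql" || rc=1
    # Negative check: the public certificate contains no private key.
    if decrypt_dump "$d/output.sql.enc" "$d/leak.sql" "$d/mysqldump-secure.pub.pem"; then
        rc=1
    fi
    rm -rf "$d"
    return "$rc"
}

if verify_backup_crypto; then
    echo "backup encryption: OK"
else
    echo "backup encryption: FAILED"
fi
```

Running the same decrypt-and-compare step against a real dump, on the machine that holds the private key, confirms that a backup is actually restorable before it is needed.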

Performance

RSA

You can test the performance on your target machine yourself with:

openssl speed rsa512

Values on my machine are:

               rsa 512    rsa 1024   rsa 2048   rsa 4096
# of sign/s    6,878.4    2,075.8    398.8      66.4
# of verify/s  99,898.4   42,966.3   15,396.4   4,751.5

AES

You can test the performance on your target machine yourself with:

openssl speed aes-128-cbc

Values on my machine are:

             aes 128 cbc   aes 192 cbc   aes 256 cbc
16 bytes     150812.11 k   126749.73 k   119884.20 k
64 bytes     153859.62 k   134592.51 k   119803.50 k
256 bytes    156139.70 k   137572.39 k   116165.86 k
1024 bytes   156203.72 k   136104.24 k   120017.89 k
8192 bytes   159386.04 k   135400.37 k   123281.67 k