
Open Sourcing Encryption in Transit for Redis


Amazon Web Services announced today at RedisConf that it is open sourcing encryption-in-transit for Redis, the leading in-memory key-value data store. Amazon ElastiCache for Redis added the encryption-in-transit feature last year to help our customers encrypt their Redis traffic and satisfy compliance requirements. We learned from our customers, and designed a solution that serves an important use case for them. Now we are contributing it to the Redis community so that anyone can secure real-time applications and encrypt all communications between clients and Redis servers, as well as between Redis servers (primary and read replica nodes).

Redis is a fast, open source, in-memory key-value data store for use as a database, cache, message broker, and queue, developed by a very active open-source community. It delivers sub-millisecond response times, enabling millions of requests per second for real-time applications in gaming, ad-tech, financial services, healthcare, and IoT. Redis is a popular choice for caching, session management, real-time analytics, geospatial, chat/messaging, media streaming, and gaming leaderboards. It is ranked as the #1 key-value store, and was recently rated as the most-loved database by developers in the 2018 Stack Overflow survey.

As developers increasingly rely on Redis to build real-time applications, there is a pressing need to honor compliance requirements and protect the transmission of sensitive data such as Personally Identifiable Information (PII). For example, healthcare app developers need HIPAA compliance and encryption-in-transit to use Redis as a cache to transmit electronic health records for low-latency access. Similarly, developers using Redis as an in-memory data store to build consumer-facing mobile financial apps need encryption-in-transit to secure user and credit card data transmission.

However, at the time of writing, open source Redis does not support encryption (upstream Redis later added native TLS support in version 6.0). Developers looking to build secure real-time applications with Redis need to rely on self-managed encryption solutions, such as SSL proxies, or commercial Redis offerings. In the SSL proxy approach, a proxy sits in front of the Redis server and encrypts and decrypts traffic between the client and the Redis server. For Redis clusters with multiple primaries (masters), additional proxies are required to encrypt communication across primaries. Setting up a proxy such as stunnel with a Redis cluster also requires that, for each node, multiple port forwardings be set up correctly for cluster bus communication and for communication across the replication links. This makes setup, ongoing maintenance, and scaling difficult and error-prone.

In contrast to the proxy-based solution, our contribution to open source Redis implements native encryption-in-transit support inside Redis. One of the key advantages of our approach for setting up encrypted connections is that the handshake process is non-blocking and extends the default connection negotiation process in Redis. When encryption-in-transit is enabled, the data synchronization between primaries and replicas (disk-based or diskless), as well as all cluster bus communication, is encrypted.

Our encryption-in-transit implementation uses the Amazon s2n library for TLS. s2n is an open-source (Apache License 2.0) implementation of the TLS/SSL protocols that is designed to be simple, small, fast, and secure. s2n has a small and auditable code base, undergoes regular static analysis, fuzz-testing and penetration testing, includes positive and negative unit tests and end-to-end test cases, encrypts or erases plaintext data as quickly as possible, and avoids implementing rarely-used options and extensions.

You don’t need to modify your applications to start using the encryption-in-transit feature for Redis. You just need a client that supports encryption-in-transit, and then ensure that the relevant flag is set to “true.” Enabling that flag is only half of the job: the client must also verify the server certificate against a CA it trusts, otherwise the connection is encrypted but not authenticated and an active attacker on the path can still intercept it. There are a number of current clients that support encryption-in-transit, including Jedis for Java and redis-py for Python.
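To make concrete what the client-side flag changes, here is an added example that is not code from this post or from the Redis contribution it describes: a minimal Redis client that wraps a TCP socket in a verified TLS session and then speaks ordinary RESP over it. The hostnames, port, CA bundle path and password in the usage note are assumptions. The point it demonstrates is that the commands and their wire encoding are unchanged; only the transport differs, and the transport must keep certificate verification and hostname checking on. In redis-py the same intent is expressed with `redis.Redis(host=..., ssl=True, ssl_ca_certs=...)`.

```python
"""Added example (not from the AWS post or the Redis contribution): a minimal
Redis client that speaks RESP over a verified TLS socket."""
import socket
import ssl


class IncompleteReply(Exception):
    """Raised by parse_reply when the buffer does not yet hold a whole reply."""


def build_tls_context(ca_file=None):
    """Client-side TLS context for talking to a TLS-enabled Redis server.

    ca_file: PEM bundle of the CA that signed the server certificate
    (assumed to be exported by the operator); None uses the system roots.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # create_default_context already sets these; restating them keeps the
    # intent explicit so nobody "fixes" a certificate error by relaxing them.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def encode_command(*args):
    """Encode one Redis command as a RESP array of bulk strings."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg if isinstance(arg, bytes) else str(arg).encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)


def parse_reply(buf):
    """Parse one RESP reply from buf and return (value, unconsumed_bytes).

    Supports simple strings (+), errors (-), integers (:), bulk strings ($)
    and arrays (*). Raises IncompleteReply if buf is cut short, so a caller
    can keep reading from the socket and retry.
    """
    if not buf:
        raise IncompleteReply()
    kind, rest = buf[:1], buf[1:]
    line, sep, rest = rest.partition(b"\r\n")
    if not sep:
        raise IncompleteReply()
    if kind == b"+":
        return line.decode(), rest
    if kind == b"-":
        raise RuntimeError("server error: " + line.decode())
    if kind == b":":
        return int(line), rest
    if kind == b"$":
        length = int(line)
        if length < 0:
            return None, rest  # null bulk string
        if len(rest) < length + 2:
            raise IncompleteReply()
        return rest[:length], rest[length + 2:]
    if kind == b"*":
        items = []
        for _ in range(int(line)):
            item, rest = parse_reply(rest)
            items.append(item)
        return items, rest
    raise ValueError("unknown RESP type prefix %r" % kind)


class TLSRedis:
    """Tiny blocking client: TCP -> verified TLS -> RESP, commands unchanged."""

    def __init__(self, host, port=6379, ca_file=None, password=None):
        raw = socket.create_connection((host, port))
        # server_hostname drives both SNI and the certificate hostname check.
        self.sock = build_tls_context(ca_file).wrap_socket(raw, server_hostname=host)
        if password is not None:
            self.call("AUTH", password)

    def call(self, *args):
        """Send one command and return its parsed reply."""
        self.sock.sendall(encode_command(*args))
        buf = b""
        while True:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("connection closed mid-reply")
            buf += chunk
            try:
                value, _rest = parse_reply(buf)
                return value
            except IncompleteReply:
                continue

    def close(self):
        self.sock.close()
```

Against a TLS-enabled server, `TLSRedis("redis.example.internal", 6379, ca_file="redis-ca.pem").call("PING")` returns `"PONG"` (assumed hostname and CA path); if the server presents a certificate that does not chain to `redis-ca.pem` or does not match the hostname, `wrap_socket` raises `ssl.SSLCertVerificationError` before any command is sent, which is the behaviour a production client must keep rather than work around.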

Besides encrypting all communications between clients and Redis servers, as well as between Redis servers (primary and read replica nodes), this new functionality also simplifies certificate renewals. In our implementation, renewing certificates does not require any downtime or restart of the cluster.

You can find the code and README on GitHub. You can participate by checking out the code and testing it, providing comments on the pull request, submitting issues, or submitting pull requests to add new features to the GitHub repository. We look forward to hearing from you!

Thanks also to Manoj Kumar for his contributions to this work.
