Acra database security suite

Acra

Data leakage prevention in your app made simple

Acra enables selective encryption and provides data protection in distributed applications, web and mobile apps with PostgreSQL, MySQL, KV backends.

Acra provides:

Modern database encryption suite
  1. 1 Encryption/intrusion detection daemon
  2. 2 Easy integration with modern application
  3. 3 No alteration to database behavior

Convenient data security

Acra prevents data leakage in databases and data stores through selective encryption and intrusion detection. Acra is easy to deploy and manage; it is built to be your data security center while you focus on building products and reaching your business goals.

Solid security foundation

Built to prevent real-world data leakage risks, Acra provides a solid foundation for encryption-demanding regulations, such as GDPR, HIPAA, and others. Acra can ship with certified crypto-primitives (FIPS, GOST), and utilises the best industry practices for encryption and key management.

Multi-faceted defenses

Through its proxy-like design, Acra is able to limit the impact of application compromisation and detect data leakages by using SQL firewall, intrusion detection markers, through integrating the security events in your monitoring infrastructure, providing logged accountable access to sensitive records.

Get started with Acra

Acra + PostgreSQL tutorials are available! Available for:

Swift Android Postgresql MySQL MongoDB Linux Windows python Go Php Ruby NodeJs C++

Toolbox for mitigating data leakages

Acra selective

Secure By Default

Cryptography is hidden under the hood – no risk of selecting the wrong key length or algorithm padding. Acra has built-in key management tools for key distribution, key rotation, and compartmentalisation to enforce correct key lifecycle. .
Acra selective

Selective encryption

Acra provides an integration library that can encrypt any kind of record with AcraServer’s key. You get to choose, which records need to be stored in the database in encrypted form. After encryption, only AcraServer is able to decrypt them.
Acra surface

Narrow attack surface

Compromisation of your application does not lead to database leakage (unlike in typical web apps). The sensitive data is encrypted so gaining access to the database credentials and connecting to it yields no result for the attacker.

Acra forefront

A database forefront

AcraServer acts like a regular PostgreSQL/MySQL database proxy. It provides a complete experience of communicating with your backend, while running all the security operations under the hood.
Acra firewall

SQL firewall

Prevent data misuse closest to the actual storage: blacklist and whitelist SQL request patterns, block requests or only raise alarms. There are injections and insider threats that can bypass even the most sophisticated WAF, but Acra stops them all.
Acra detection

Intrusion detection

Acra is equipped with a number of ways to detect data leaks, unauthorised access, and abnormal access patterns by using a growing number of techniques, such as request analysis, poison records (honeytokens), access logs, etc..

Acra scale

Easy to scale

Deploy as many instances of Acra as you need, connect them to a centralised Key Container. Store the master key in Vault, Amazon/Google KMS, secret management tools, or in your automated configuration manager.
Acra firewall

DevOps friendly

Logging, metrics, tracing throughout all Acra components; compatible with ELK stack, Prometheus, Jaeger. Easy to automate deploys with Docker, availability/performance scaling. Migration utilities to assist database rollback and migration.
Acra detection

Constant improvement

Major extension of features in next releases:
  • Pseudonymization,
  • SQL queries over encrypted data,
  • cryptographically signed audit log.

Built to fit

Acra architecture
Easy deployment: Built with modern DevOps in mind: containers, metrics, cloud.
docker-compose -f docker/docker-compose.pgsql-ssl-server-ssl-connector_zonemode.yml up Creating docker_acra-keymaker_writer_1 ... done Creating docker_acra-keymaker_server_1 ... done Creating docker_acra-keymaker_connector_1 ... done Creating docker_postgresql_1 ... done Creating docker_acra-server_1 ... done Creating docker_acra-connector_1 ... done Attaching to docker_acra-keymaker_writer_1, docker_acra-keymaker_connector_1, docker_acra-keymaker_server_1, docker_postgresql_1, docker_acra-server_1, docker_acra-connector_1 postgresql_1 | The files belonging to this database system will be owned by user "postgres". postgresql_1 | This user must also own the server process. postgresql_1 | postgresql_1 | The database cluster will be initialized with locale "en_US.utf8". postgresql_1 | creating subdirectories ... ok acra-server_1 | time="2018-10-04T11:33:57Z" level=info msg="Starting service acra-server" acra-connector_1 | time="2018-10-04T11:33:58Z" level=info msg="Starting service acra-connector" acra-connector_1 | time="2018-10-04T11:33:58Z" level=info msg="Validating service configuration..." acra-connector_1 | time="2018-10-04T11:33:58Z" level=info msg="Preparing to start in mode: AcraServer" acra-connector_1 | time="2018-10-04T11:33:58Z" level=info msg="Initializing keystore..." acra-connector_1 | time="2018-10-04T11:33:58Z" level=info msg="Keystore init OK" acra-connector_1 | time="2018-10-04T11:33:58Z" level=info msg="Reading transport keys..." postgresql_1 | selecting default max_connections ... 100 acra-server_1 | time="2018-10-04T11:33:57Z" level=info msg="Validating service configuration..." acra-connector_1 | time="2018-10-04T11:33:58Z" level=info msg="Client id = testclientid, and client key is OK" docker_acra-keymaker_connector_1 exited with code 0 docker_acra-keymaker_writer_1 exited with code 0 acra-server_1 | time="2018-10-04T11:33:57Z" level=info msg="Initialising keystore..." acra-connector_1 | time="2018-10-04T11:33:58Z" level=info msg="AcraServer public key is OK" acra-connector_1 | time="2018-10-04T11:33:58Z" level=info msg="Configuring transport..." acra-connector_1 | time="2018-10-04T11:33:58Z" level=info msg="Selecting transport: use TLS transport wrapper" postgresql_1 | selecting default shared_buffers ... 128MB acra-connector_1 | time="2018-10-04T11:33:58Z" level=info msg="Setup ready. Start listening connection tcp://0.0.0.0:9494" acra-connector_1 | time="2018-10-04T11:33:58Z" level=info msg="Enabling VERBOSE log level" acra-connector_1 | time="2018-10-04T11:33:58Z" level=info msg="Start listening HTTP API: tcp://0.0.0.0:9191" acra-server_1 | time="2018-10-04T11:33:57Z" level=info msg="Keystore init OK" acra-server_1 | time="2018-10-04T11:33:57Z" level=info msg="Configuring transport..." docker_acra-keymaker_server_1 exited with code 0 postgresql_1 | selecting dynamic shared memory implementation ... posix acra-server_1 | time="2018-10-04T11:33:57Z" level=info msg="Selecting transport: use TLS transport wrapper" acra-server_1 | time="2018-10-04T11:33:57Z" level=info msg="Start listening to connections. Current PID: 1" acra-server_1 | time="2018-10-04T11:33:57Z" level=info msg="Enabling VERBOSE log level" postgresql_1 | creating configuration files ... ok acra-server_1 | time="2018-10-04T11:33:57Z" level=info msg="Create listener" connection_string="tcp://0.0.0.0:9393/" from_descriptor=false acra-server_1 | time="2018-10-04T11:33:57Z" level=info msg="Start listening connections" connection_string="tcp://0.0.0.0:9090" from_descriptor=false acra-server_1 | time="2018-10-04T11:33:57Z" level=info msg="Start listening connections" connection_string="tcp://0.0.0.0:9393/" from_descriptor=false postgresql_1 | running bootstrap script ... ok postgresql_1 | performing post-bootstrap initialization ... ok postgresql_1 | syncing data to disk ... ok postgresql_1 | postgresql_1 | Success. postgresql_1 | postgresql_1 | PostgreSQL init process complete; ready for start up.
Fast integration: Adapted for developers who need to get things done, not get a PhD in encryption.
from acrawriter import create_acrastruct # adds new users, encrypts sensitive data def add_new_user(user_email, user_nick, user_address, connection): # load public key for AcraStructs with open(args.public_key, 'rb') as f: storage_key = f.read() # load public key for AcraStructs encrypted_email = create_acrastruct(user_email.encode('utf-8'), storage_key) encrypted_address = create_acrastruct(user_address.encode('utf-8'), storage_key) connection.execute(user_table.insert(), user_email=encrypted_email, user_nick=user_nick, user_address=encrypted_address) # reads users from database, AcraServer decrypts data transparently for app def read_users(connection): result = connection.execute(select([user_table])) result = result.fetchall() # will print plaintext data for row in result: print("{:<3} - {:<20} - {:<20} - {}".format( row['id'], row['user_email'].decode("utf-8", errors='ignore'), row['user_nick'], row['user_address'].decode("utf-8", errors='ignore')) )

Get going with Acra, fast!

Flat fee

In-depth one-time assistance.

Handled with care

Security by security professionals.

Dev from Devs

Security tools from their authors.

About DGAP

DataGuardian Assistance Program is a comprehensive assisted security solution. Our experts will help you understand and avert practical data security risks your application is facing.

Request more info:

DGAP official document

To provide you with official information on DataGuardian Assistance Program by Cossack Labs, we created the following PDF document, which you can download here.

Acra Live Demo

Request an invitation to the Acra Live Demo — online playground that shows how typical web app (Python, PostgreSQL) is protected by Acra. Add encrypted data, try to run malicious SQL queries, and play with intrusion detection.

Related blog posts

Copyright © 2014-2018 Cossack Labs Limited
Cossack Labs is a privately-held British company with a team of data security experts based in Kyiv, Ukraine.