Acra database security suite

Acra Encryption Suite

Data leakage prevention in your app made simple

Acra encryption suite provides data protection in distributed applications, web and mobile apps with PostgreSQL, MySQL, KV backends through selective encryption.

Acra provides:

Modern database encryption suite
  1. Encryption/intrusion detection daemon
  2. Easy integration with modern applications
  3. No alteration to database behavior

Proactive data security

Acra prevents data leakage in databases and data stores through selective encryption, an SQL firewall, and intrusion detection. Acra is built to be a convenient set of proactive security controls for your data so that you can focus on building products and reaching your business goals.

Solid security foundation

Built to prevent real-world data leakage risks, Acra provides a solid foundation for encryption-demanding regulations, such as GDPR, HIPAA, FISMA, etc. Acra can be shipped with certified crypto-primitives (FIPS, GOST) and it utilises the best industry practices for encryption and key management.

Multi-faceted defenses

Acra limits the impact of an application compromise and detects data leakage by using an SQL firewall and intrusion detection markers, integrating security events into your monitoring, and providing logged, accountable access to sensitive records.

Get started with Acra

Acra + PostgreSQL tutorials are available!
Go to code repository or try a web-based interactive demo
Available for: Swift, Android, PostgreSQL, MySQL, MongoDB, Linux, Python, Go, PHP, Ruby, Node.js, C++

Toolbox for mitigating data leakages

Secure By Default

Cryptography is hidden under the hood – no risk of going wrong with a key length or algorithm padding. Acra has built-in key management tools for key distribution, rotation, and compartmentalisation to enforce the correct key lifecycle.

Selective encryption

Acra provides an integration library that can encrypt any record with AcraServer’s key. You choose which records are stored in the database encrypted. After encryption, only AcraServer is able to decrypt them.

Narrow attack surface

Compromise of your application won’t lead to database leakage (unlike in typical web apps). Sensitive data is encrypted, so gaining access to the database credentials and connecting to the database yields no results for the attacker.

A database forefront

AcraServer acts like a regular PostgreSQL/MySQL database proxy. It provides a complete experience of communication with your backend, while running all the necessary security operations under the hood.

SQL firewall

Prevent data misuse closest to the actual storage: blacklist/whitelist SQL request patterns, block requests or raise alarms. Acra detects and stops injections and insider threats that can bypass even the most sophisticated WAF.

Intrusion detection

Acra is equipped with a set of tools to detect data leaks, unauthorised access, and abnormal access patterns by using a growing number of techniques, such as request analysis, poison records (honeytokens), access logs, etc.
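
The poison-record (honeytoken) idea above, as an added sketch that is not Acra's own code or record format: the HMAC-tagged decoy layout, detect_key, and all function names are assumptions made for illustration. A decoy row is planted among real ones, and a proxy inspecting responses blocks and alerts when one carries it, which a bulk dump does and a targeted lookup does not.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16  # random part of the decoy (assumed layout)
TAG_LEN = 16    # truncated HMAC-SHA256 over the nonce (assumed layout)


def make_poison_record(detect_key):
    """Build a decoy value that only holders of detect_key can recognise."""
    nonce = os.urandom(NONCE_LEN)
    tag = hmac.new(detect_key, nonce, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + tag


def is_poison_record(value, detect_key):
    """True if value is a decoy built by make_poison_record with this key."""
    if not isinstance(value, (bytes, bytearray)) or len(value) != NONCE_LEN + TAG_LEN:
        return False
    nonce, tag = bytes(value[:NONCE_LEN]), bytes(value[NONCE_LEN:])
    expected = hmac.new(detect_key, nonce, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(tag, expected)


def release_rows(rows, detect_key, client_id, alerts):
    """Proxy-side check: withhold the whole response if it carries a decoy."""
    for index, row in enumerate(rows):
        for column, value in row.items():
            if is_poison_record(value, detect_key):
                alerts.append({"client_id": client_id, "row": index, "column": column})
                return []
    return rows


def demo():
    key = os.urandom(32)
    # Constructed sample table: two real rows (placeholder ciphertexts) and one decoy row.
    table = [
        {"id": 1, "user_nick": "alice", "user_email": b"<constructed ciphertext 1>"},
        {"id": 2, "user_nick": "bob", "user_email": b"<constructed ciphertext 2>"},
        {"id": 3, "user_nick": "carol", "user_email": make_poison_record(key)},
    ]
    alerts = []
    lookup = release_rows([table[0]], key, "testclientid", alerts)  # targeted read
    dump = release_rows(table, key, "testclientid", alerts)         # SELECT * style read
    return lookup, dump, alerts


if __name__ == "__main__":
    print(demo())
```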

Easy to scale

Deploy as many instances of Acra as you need and connect them to a centralised Key Container. Store the master key in Vault, Amazon/Google KMS, secret management tools, or in your automated configuration manager.

DevOps-friendly

Logging, metrics, tracing throughout all Acra components. ELK stack/Prometheus/Jaeger-compatible. Deploy with source, packages, Docker. Adapted for HA/scaling. Migration utilities for database rollback and migration.

Constant improvement

Major extension of features scheduled for upcoming releases:
  • Pseudonymization,
  • SQL queries over encrypted data,
  • Cryptographically signed audit log.

Built to fit

Easy deployment: Built with modern DevOps in mind — containers, metrics, cloud.
docker-compose -f docker/docker-compose.pgsql-ssl-server-ssl-connector_zonemode.yml up
Creating docker_acra-keymaker_writer_1 ... done
Creating docker_acra-keymaker_server_1 ... done
Creating docker_acra-keymaker_connector_1 ... done
Creating docker_postgresql_1 ... done
Creating docker_acra-server_1 ... done
Creating docker_acra-connector_1 ... done
Attaching to docker_acra-keymaker_writer_1, docker_acra-keymaker_connector_1, docker_acra-keymaker_server_1, docker_postgresql_1, docker_acra-server_1, docker_acra-connector_1
postgresql_1 | The files belonging to this database system will be owned by user "postgres".
postgresql_1 | This user must also own the server process.
postgresql_1 |
postgresql_1 | The database cluster will be initialized with locale "en_US.utf8".
postgresql_1 | creating subdirectories ... ok
acra-server_1 | time="2018-10-04T11:33:57Z" level=info msg="Starting service acra-server"
acra-connector_1 | time="2018-10-04T11:33:58Z" level=info msg="Starting service acra-connector"
acra-connector_1 | time="2018-10-04T11:33:58Z" level=info msg="Validating service configuration..."
acra-connector_1 | time="2018-10-04T11:33:58Z" level=info msg="Preparing to start in mode: AcraServer"
acra-connector_1 | time="2018-10-04T11:33:58Z" level=info msg="Initializing keystore..."
acra-connector_1 | time="2018-10-04T11:33:58Z" level=info msg="Keystore init OK"
acra-connector_1 | time="2018-10-04T11:33:58Z" level=info msg="Reading transport keys..."
postgresql_1 | selecting default max_connections ... 100
acra-server_1 | time="2018-10-04T11:33:57Z" level=info msg="Validating service configuration..."
acra-connector_1 | time="2018-10-04T11:33:58Z" level=info msg="Client id = testclientid, and client key is OK"
docker_acra-keymaker_connector_1 exited with code 0
docker_acra-keymaker_writer_1 exited with code 0
acra-server_1 | time="2018-10-04T11:33:57Z" level=info msg="Initialising keystore..."
acra-connector_1 | time="2018-10-04T11:33:58Z" level=info msg="AcraServer public key is OK"
acra-connector_1 | time="2018-10-04T11:33:58Z" level=info msg="Configuring transport..."
acra-connector_1 | time="2018-10-04T11:33:58Z" level=info msg="Selecting transport: use TLS transport wrapper"
postgresql_1 | selecting default shared_buffers ... 128MB
acra-connector_1 | time="2018-10-04T11:33:58Z" level=info msg="Setup ready. Start listening connection tcp://0.0.0.0:9494"
acra-connector_1 | time="2018-10-04T11:33:58Z" level=info msg="Enabling VERBOSE log level"
acra-connector_1 | time="2018-10-04T11:33:58Z" level=info msg="Start listening HTTP API: tcp://0.0.0.0:9191"
acra-server_1 | time="2018-10-04T11:33:57Z" level=info msg="Keystore init OK"
acra-server_1 | time="2018-10-04T11:33:57Z" level=info msg="Configuring transport..."
docker_acra-keymaker_server_1 exited with code 0
postgresql_1 | selecting dynamic shared memory implementation ... posix
acra-server_1 | time="2018-10-04T11:33:57Z" level=info msg="Selecting transport: use TLS transport wrapper"
acra-server_1 | time="2018-10-04T11:33:57Z" level=info msg="Start listening to connections. Current PID: 1"
acra-server_1 | time="2018-10-04T11:33:57Z" level=info msg="Enabling VERBOSE log level"
postgresql_1 | creating configuration files ... ok
acra-server_1 | time="2018-10-04T11:33:57Z" level=info msg="Create listener" connection_string="tcp://0.0.0.0:9393/" from_descriptor=false
acra-server_1 | time="2018-10-04T11:33:57Z" level=info msg="Start listening connections" connection_string="tcp://0.0.0.0:9090" from_descriptor=false
acra-server_1 | time="2018-10-04T11:33:57Z" level=info msg="Start listening connections" connection_string="tcp://0.0.0.0:9393/" from_descriptor=false
postgresql_1 | running bootstrap script ... ok
postgresql_1 | performing post-bootstrap initialization ... ok
postgresql_1 | syncing data to disk ... ok
postgresql_1 |
postgresql_1 | Success.
postgresql_1 |
postgresql_1 | PostgreSQL init process complete; ready for start up.

Easy maintenance in cloud and on-premises. Deploy with containers, virtual machines, or on physical servers. Battle-tested with large distributed workloads, enterprise environments, and small websites.

Fast integration: Adapted for developers who need to get things done, not get a PhD in encryption.
from acrawriter import create_acrastruct
from sqlalchemy import select

# `args` (parsed command-line options) and `user_table` (the SQLAlchemy table)
# are defined elsewhere in the application.


# adds new users, encrypts sensitive data
def add_new_user(user_email, user_nick, user_address, connection):
    # load public key for AcraStructs
    with open(args.public_key, 'rb') as f:
        storage_key = f.read()

    # encrypt the sensitive fields into AcraStructs
    encrypted_email = create_acrastruct(user_email.encode('utf-8'), storage_key)
    encrypted_address = create_acrastruct(user_address.encode('utf-8'), storage_key)

    connection.execute(
        user_table.insert(), user_email=encrypted_email,
        user_nick=user_nick, user_address=encrypted_address)


# reads users from database, AcraServer decrypts data transparently for app
def read_users(connection):
    result = connection.execute(select([user_table]))
    result = result.fetchall()

    # will print plaintext data
    for row in result:
        print("{:<3} - {:<20} - {:<20} - {}".format(
            row['id'], row['user_email'].decode("utf-8", errors='ignore'),
            row['user_nick'], row['user_address'].decode("utf-8", errors='ignore')))

It takes less than a workday to integrate Acra in easy mode and up to 3 days to deploy a solution that uses all sophisticated features. If you’re busy, we can do it for you — get in touch with us.

Example projects: see Acra in action

See Acra and its features in a live infrastructure with just one command:

Try Docker-based example projects:

Typical web apps (Django and Ruby on Rails) protected by Acra.

Acra with AcraCensor SQL firewall configured to prevent injections in OWASP Mutillidae 2 app.

High-availability infrastructure for Acra: Python app, HAProxy, PostgreSQL.

Start Using Acra with DigitalOcean

Acra Community Edition 1-Click App contains the most important component of Acra encryption suite — database proxy AcraServer. Perfect for encrypting sensitive data on the go, no matter where you store it.

The Acra 1-Click App is fully compatible with DigitalOcean Postgres and has handy examples for an easy start. Try it now on DigitalOcean Marketplace! New users get $100, 60 days referral bonus.

Pricing

Community Edition

Open source, Apache 2 licensed, cryptographic data protection suite with SQL filtering, intrusion detection, and many other security features. For prototyping and small-scale projects.

FREE Forever for both nonprofit and commercial uses
Well-rounded open-core solution
  • Selective proxy encryption
  • Client side integration libraries
  • PostgreSQL/MySQL databases
  • NoSQL and KV databases

Professional

Commercially supported open source version with an added powerhouse of utilities. The best choice for companies looking for an affordable data security solution.

starting from $500/year 3 instances and commercial support
All CE features with support plus
  • Key management tools
  • Deployment via Chef, Ansible
  • Exportable logging, metrics, tracing
  • Prioritised feature requests
  • Customer support 9x5
  • Managed solution available

Enterprise

The reinforced version of Acra with a full spectrum of premium features for large-scale and HA enterprise deployments that require easily adaptable security.

starting from $5000/year Extended enterprise support contracts available separately
All Professional features plus
  • Adaptive key management, configured for you
  • Crypto-signed audit log
  • Searchable encryption
  • Deeper IDS integration
  • Configuration assistance on integration
  • Cloud RDBMS support
  • Scalable PostgreSQL/MySQL-compatible databases
  • More flexible load balancing support
  • Support for all major IaaC tools
  • SIEM support
  • On-demand crypto engines
  • KMS integration
  • Customer support 24x7
  • Integration assistance included
  • Managed solution available

Acra Live Demo

Request an invitation to the Acra Live Demo — an online playground that shows how a typical web app (Python, PostgreSQL) is protected by Acra. Add encrypted data, try to run malicious SQL queries, and play with intrusion detection.

Copyright © 2014-2019 Cossack Labs Limited
Cossack Labs is a privately-held British company with a team of data security experts based in Kyiv, Ukraine.