Cossack Labs blog

Acra 0.90.0: application level encryption and searchable encryption for any SQL and NoSQL databases

Following our mission to empower developers to build secure products, we have made all the fundamental security controls that were previously available only in proprietary versions accessible to a wider audience in Acra Community Edition 0.90.0.

This release makes a broad set of security features, including database encryption, searchable encryption and an encryption-as-a-service API, available to any developer.


Acra 0.90.0 brings three capabilities to general availability: searching through encrypted data, encrypting data transparently for SQL databases (AcraServer), and adding security controls at the API request level (AcraTranslator). Together they let developers protect individual fields stored in their RDBMS or NoSQL databases.

In addition, data masking and data tokenization let Acra substitute sensitive fields with non-sensitive tokens or masks, so that an attacker or insider with access to the database sees only ciphertext, tokens and masked values rather than the original data.

For Security and Ops teams, Acra provides detailed logging, monitoring, alerting and cryptographically signed audit logging, reducing the time needed to notice and react to security incidents (mean time to acknowledge and mean time to recover, MTTA and MTTR).


  1. Acra database security suite — 9 security controls in one tool
  2. Discover multiple ways to integrate Acra
  3. Acra Community Edition vs Acra Enterprise Edition
  4. How Acra helps with data security and privacy compliance
  5. Acra fast facts

Acra database security suite — 9 security controls in one tool

Acra solves major security pains by combining multiple data security controls—protective, reactive, and detective—under one roof, centralising security and compliance efforts, but keeping everything under control and easy-to-audit. You won’t depend on expensive old-school tools or develop security controls by yourself.

Learn more about Acra’s security controls and how they provide defense-in-depth or check out Acra documentation to learn more about Acra’s integration and configuration.




Protect data with field level encryption for SQL and NoSQL databases

Acra makes field level encryption for SQL and NoSQL databases accessible as never before. Just select which fields to protect — and configure encryption, searchable encryption, masking or tokenization for them.

Use searchable encryption if you want the fields encrypted but still need to look them up with equality queries (SELECT * FROM users WHERE users.email = 'smith_alice@acme.com'). Only exact matches are supported this way; substring, LIKE and range queries are not. Read about encrypted search in the blog post Secure search over encrypted data.

Use masking if your goal is to encrypt and hide data but leave part of it in plaintext (for example XXX_alice@acme.com). Discover more about data masking in the documentation.

Use tokenization for fields whose column format you cannot change. Acra replaces the value with a token of the same format (int, string or even an email-looking string) and stores the original data, encrypted, in separate storage. Read about the data tokenization formats that are supported.
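The three mechanisms above, as an added illustration in Go (the language Acra itself is written in). This is example code written for this post, not Acra's implementation: it does not reproduce Acra's container formats, key hierarchy or token store. It assumes AES-GCM for the stored value, an HMAC-SHA256 blind index kept in a companion column for equality search, a fixed-prefix mask, and an in-memory vault for tokenization; all type and function names are made up.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// FieldProtector guards one column. Constructed illustration: Acra's own
// container formats, key hierarchy and token store are not reproduced.
type FieldProtector struct {
	aead     cipher.AEAD       // randomized AES-GCM for the stored value
	indexKey []byte            // separate key for the deterministic blind index
	vault    map[string][]byte // token -> encrypted original (tokenization)
}

func NewFieldProtector(encKey, indexKey []byte) (*FieldProtector, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldProtector{aead: aead, indexKey: indexKey, vault: map[string][]byte{}}, nil
}

// Encrypt returns nonce||ciphertext; a fresh nonce per call means equal plaintexts
// never give equal ciphertexts, so the column itself leaks no equality.
func (p *FieldProtector) Encrypt(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, p.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return p.aead.Seal(nonce, nonce, plaintext, nil), nil
}

func (p *FieldProtector) Decrypt(blob []byte) ([]byte, error) {
	n := p.aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return p.aead.Open(nil, blob[:n], blob[n:], nil)
}

// BlindIndex is a keyed deterministic tag kept in a companion column: an equality
// query becomes WHERE email_idx = BlindIndex(value). It serves only "=" (not LIKE
// or ranges) and the index key must never reach the database.
func (p *FieldProtector) BlindIndex(value string) string {
	mac := hmac.New(sha256.New, p.indexKey)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(value)))) // normalize so lookups match
	return hex.EncodeToString(mac.Sum(nil)[:16])
}

// Mask shows only the last keep characters behind a fixed prefix; the full value
// is still stored with Encrypt for clients allowed to see it.
func Mask(value string, keep int, mask string) string {
	if keep > len(value) {
		keep = len(value)
	}
	return mask + value[len(value)-keep:]
}

// TokenizeEmail swaps an address for a random one of the same shape, so column type
// and validators keep working, and stores the encrypted original in the vault under
// the token. 64 random bits per token make collisions moot.
func (p *FieldProtector) TokenizeEmail(email string) (string, error) {
	ct, err := p.Encrypt([]byte(email))
	if err != nil {
		return "", err
	}
	buf := make([]byte, 8)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	token := hex.EncodeToString(buf[:4]) + "@" + hex.EncodeToString(buf[4:]) + ".example"
	p.vault[token] = ct
	return token, nil
}

func (p *FieldProtector) Detokenize(token string) (string, error) {
	ct, ok := p.vault[token]
	if !ok {
		return "", fmt.Errorf("unknown token %q", token)
	}
	pt, err := p.Decrypt(ct)
	return string(pt), err
}

func main() {
	key := make([]byte, 64) // constructed demo keys; real ones come from a KMS
	rand.Read(key)
	p, _ := NewFieldProtector(key[:32], key[32:])
	tok, _ := p.TokenizeEmail("smith_alice@acme.com")
	orig, _ := p.Detokenize(tok)
	fmt.Println(Mask(orig, 15, "XXX"), tok, p.BlindIndex(orig) == p.BlindIndex(" SMITH_alice@acme.com "))
}
```

The point to take away: the ciphertext column is randomized, so equality has to come from a separate keyed tag. That index key belongs to the encryption layer and never to the database, the tag matches only after the same normalization was applied on write and on lookup, and it answers nothing but exact-match queries. The token is a random value that merely satisfies the column's format; it can be exposed freely because the way back to the original lives only in the vault.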

Stop advanced threats using Acra’s network filtering

Configure Acra’s Request Firewall to verify all SQL queries to the database against a set of rules and reactions. Deny suspicious queries and alert the Ops team. Read about SQL firewall configuration.
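A minimal version of such a rule-and-reaction check, as an added Go example. It is not Acra's Request Firewall and does not use its configuration format: rules here are regular expressions over the normalized query text, each rule carries its reaction, and the rule names, patterns and sample queries are constructed for this post.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Reaction is what the proxy does with a query that matched a rule.
type Reaction string

const (
	Allow Reaction = "allow"
	Alert Reaction = "alert" // forward the query but raise an event for Ops
	Deny  Reaction = "deny"  // drop the query and raise an event
)

// Rule is matched against the normalized (upper-cased, single-spaced) query text,
// so case and whitespace tricks alone do not dodge a pattern.
type Rule struct {
	Name    string
	Pattern *regexp.Regexp
	React   Reaction
}

// Decision records one rule hit; in a deployment these go to the alerting pipeline.
type Decision struct {
	ClientID, Query, Rule string
	React                 Reaction
}

type Firewall struct {
	rules  []Rule
	Alerts []Decision
}

// NewFirewall installs a constructed ruleset (not Acra's configuration format or
// defaults). Deny rules come first: a query matching a deny and an alert rule is denied.
func NewFirewall() *Firewall {
	return &Firewall{rules: []Rule{
		{"tautology", regexp.MustCompile(`\bOR\s+1\s*=\s*1\b`), Deny},
		{"union-injection", regexp.MustCompile(`\bUNION\s+(ALL\s+)?SELECT\b`), Deny},
		{"stacked-ddl", regexp.MustCompile(`;\s*(DROP|ALTER|TRUNCATE)\b`), Deny},
		{"schema-probe", regexp.MustCompile(`\bINFORMATION_SCHEMA\b`), Deny},
		{"bulk-read-users", regexp.MustCompile(`^SELECT \* FROM USERS\b`), Alert},
	}}
}

// Check runs before a query is forwarded to the database; the first matching rule wins.
func (f *Firewall) Check(clientID, query string) Reaction {
	norm := strings.ToUpper(strings.Join(strings.Fields(query), " "))
	for _, r := range f.rules {
		if r.Pattern.MatchString(norm) {
			f.Alerts = append(f.Alerts, Decision{clientID, query, r.Name, r.React})
			return r.React
		}
	}
	return Allow
}

func main() {
	fw := NewFirewall()
	for _, q := range []string{ // constructed sample traffic
		"SELECT id FROM orders WHERE id = 42",
		"select * from users",
		"SELECT * FROM users WHERE email = '' OR 1=1",
		"SELECT name FROM t UNION SELECT password FROM users",
		"SELECT 1; DROP TABLE users",
	} {
		fmt.Printf("%-5s %s\n", fw.Check("app-1", q), q)
	}
	fmt.Println(len(fw.Alerts), "events for Ops")
}
```

Because the rules here are regular expressions over the raw text, the tautology rule also fires on a harmless query whose string literal happens to contain or 1=1. A production firewall should work on the parsed statement rather than on text, and an allowlist of the queries an application is known to issue is a stronger control than a denylist of injection shapes.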

Configure TLS or mutual TLS connections between your apps, Acra, and database to ensure encrypted and authenticated connections. Discover Acra’s supported options of data-in-transit security.

Control the keys: follow BYOK to encrypt customers’ data with their keys, rotate and revoke keys

Connect Acra to the KMS of your choice and encrypt data using different keys per each customer or application. Acra provides key management tools for key generation, export, backup, rotation, etc.

Use Zones to configure even more precise access control—only connections from a certain zone can decrypt data related to that zone.

Detect anomalies and contain attacks with Acra’s reactions

Configure Acra’s reactions: send alerts to your Ops team, send intentionally falsified data to a malicious application, or even shut down Acra. Use Acra’s Request Firewall for SQL databases, which analyses all incoming SQL queries and ensures that chosen patterns or data blocks never pass Acra without an alarm. Read more about Acra’s logging and monitoring.

Generate and place poison records (honeytokens) inside your data and get a security alarm when these records are read – a built-in intrusion detection around your data.

Connect Acra to your SIEM/SOC and analyse the behaviour of your whole system at once, correlating decryption errors with suspicious queries from the Acra’s Request Firewall, noticing and reacting to the incidents early on.
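Poison-record detection and the correlation step described above, as an added Go example. It is not Acra's code and does not use Acra's poison-record format: here a honeytoken row is 32 random bytes plus an HMAC under a key that only the decrypting proxy holds, and the SIEM-side rule flags any client that read a poison row or produced two different kinds of security events inside a short window. The key, timestamps, client IDs and event kinds are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"time"
)

// PoisonDetector recognises honeytoken rows: 32 random bytes followed by an
// HMAC-SHA256 under a key only the decrypting proxy holds. Constructed layout,
// not Acra's poison-record format.
type PoisonDetector struct{ Key []byte }

// Generate makes a row that looks like any other encrypted blob; it is planted
// among real data, and no legitimate query ever selects it.
func (d PoisonDetector) Generate() []byte {
	payload := make([]byte, 32)
	if _, err := rand.Read(payload); err != nil {
		panic(err)
	}
	mac := hmac.New(sha256.New, d.Key)
	mac.Write(payload)
	return mac.Sum(payload) // payload || tag
}

// IsPoison is checked on the decryption path before any real decryption.
func (d PoisonDetector) IsPoison(blob []byte) bool {
	if len(blob) != 32+sha256.Size {
		return false
	}
	mac := hmac.New(sha256.New, d.Key)
	mac.Write(blob[:32])
	return hmac.Equal(mac.Sum(nil), blob[32:])
}

// Event is the record shipped to the SIEM. Kinds used here: "poison_record",
// "decrypt_error", "sql_firewall".
type Event struct {
	At       time.Time
	Kind     string
	ClientID string
}

// OnRead turns a poison hit into an event. Which reaction follows (alert,
// falsified data, shutdown) is policy decided outside this function.
func OnRead(d PoisonDetector, clientID string, blob []byte, at time.Time) (Event, bool) {
	if !d.IsPoison(blob) {
		return Event{}, false
	}
	return Event{At: at, Kind: "poison_record", ClientID: clientID}, true
}

// Correlate is the SIEM rule. A poison read is an incident on its own. A lone
// decrypt error is noise, but a decrypt error and a firewall hit from the same
// client inside the window is an incident: events of two kinds flag the client.
func Correlate(events []Event, window time.Duration) []string {
	events = append([]Event(nil), events...) // do not reorder the caller's slice
	sort.Slice(events, func(i, j int) bool { return events[i].At.Before(events[j].At) })
	flagged := map[string]bool{}
	for i, e := range events {
		if e.Kind == "poison_record" {
			flagged[e.ClientID] = true
			continue
		}
		kinds := map[string]bool{e.Kind: true}
		for _, later := range events[i+1:] {
			if later.At.Sub(e.At) > window {
				break
			}
			if later.ClientID == e.ClientID {
				kinds[later.Kind] = true
			}
		}
		if len(kinds) >= 2 {
			flagged[e.ClientID] = true
		}
	}
	out := make([]string, 0, len(flagged))
	for id := range flagged {
		out = append(out, id)
	}
	sort.Strings(out)
	return out
}

func main() {
	d := PoisonDetector{Key: []byte("poison-key-held-only-by-the-proxy")}
	t0 := time.Date(2021, 6, 1, 12, 0, 0, 0, time.UTC) // constructed timestamps
	events := []Event{
		{t0, "decrypt_error", "app-1"},
		{t0.Add(10 * time.Second), "sql_firewall", "app-1"},
		{t0.Add(2 * time.Hour), "decrypt_error", "app-3"}, // isolated, stays unflagged
	}
	if e, hit := OnRead(d, "app-2", d.Generate(), t0.Add(time.Minute)); hit {
		events = append(events, e)
	}
	fmt.Println("incident clients:", Correlate(events, time.Minute))
}
```

Two design points carry over to any honeytoken scheme: the poison check must run before the real decryption attempt, so the alarm fires even if the row would otherwise fail to decrypt, and the key that makes a row recognisable as poison must not be available to the applications, or an attacker who compromises one can filter the honeytokens out of a dump.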

Gather evidence and recover from incidents

To make the security log itself trustworthy, Acra cryptographically protects exported logs and can validate them, so tampering is detectable. Acra’s audit log covers access and security events, ties sessions to consumers, and backs the application-level audit log with strong evidence.

Run the verification utility to determine whether anyone has tampered with Acra’s cryptographically signed audit logs or whether Acra services were unexpectedly restarted.

Back up the materials needed for a forensic investigation: audit logs, Acra configuration, Request Firewall configuration, the list of suspicious and blocked queries, security events, errors and more.
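How a cryptographically chained audit log and its verifier work, as an added Go example. This is constructed for the post and does not reproduce Acra's actual log format or signing scheme: each line carries an HMAC over the previous line's tag, the sequence number and the message, and the verifier replays the chain to locate the first modified, removed or reordered line and to count chain starts, which is how a service restart shows up. The key and the log messages are made up.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

const chainStart = "audit chain started"

// AuditLog writes lines "<seq> <hex tag> <message>" with
// tag = HMAC-SHA256(key, prevTag || seq || message), so every line commits
// to all lines before it. Constructed example, not Acra's log format.
type AuditLog struct {
	key   []byte
	prev  []byte
	seq   int
	lines []string
}

// NewAuditLog begins a fresh chain, as a newly started service does, so a
// restart shows up in the export as another chain start instead of vanishing.
func NewAuditLog(key []byte) *AuditLog {
	l := &AuditLog{key: key}
	l.Append(chainStart)
	return l
}

func tag(key, prev []byte, seq int, msg string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(prev)
	fmt.Fprintf(mac, "%d\x00%s", seq, msg)
	return mac.Sum(nil)
}

func (l *AuditLog) Append(msg string) {
	t := tag(l.key, l.prev, l.seq, msg)
	l.lines = append(l.lines, fmt.Sprintf("%d %s %s", l.seq, hex.EncodeToString(t), msg))
	l.prev, l.seq = t, l.seq+1
}

// Lines returns the exported log as it would be handed to the verifier.
func (l *AuditLog) Lines() []string { return append([]string(nil), l.lines...) }

// Verify replays the chain over exported lines. It returns the index of the
// first bad line (modified, removed, reordered, or signed with another key)
// or -1 if the log is intact, plus the number of chain starts; more than one
// start means the service was restarted at that point.
func Verify(key []byte, lines []string) (badLine int, starts int) {
	var prev []byte
	want := 0
	for i, line := range lines {
		parts := strings.SplitN(line, " ", 3)
		if len(parts) != 3 {
			return i, starts
		}
		seq, err := strconv.Atoi(parts[0])
		if err != nil {
			return i, starts
		}
		got, err := hex.DecodeString(parts[1])
		if err != nil {
			return i, starts
		}
		if parts[2] == chainStart { // a new chain begins with no previous tag
			starts, prev, want = starts+1, nil, 0
		}
		if seq != want || !hmac.Equal(got, tag(key, prev, seq, parts[2])) {
			return i, starts
		}
		prev, want = got, seq+1
	}
	return -1, starts
}

func main() {
	key := []byte("audit-signing-key") // constructed; keep it off the log host in practice
	al := NewAuditLog(key)
	al.Append("client app-1 decrypted users.email")
	al.Append("firewall denied query from app-1")
	bad, starts := Verify(key, al.Lines())
	fmt.Println("intact:", bad == -1, "chain starts:", starts)
	lines := al.Lines()
	lines[2] = strings.Replace(lines[2], "denied", "allowed", 1)
	bad, _ = Verify(key, lines)
	fmt.Println("first tampered line:", bad)
}
```

Two caveats a practitioner should keep in mind with any chain of this kind. First, it detects edits, deletions and reordering inside the exported log, but not truncation of the tail or an old start line copied to the end; closing that gap needs an external anchor, for example shipping the latest tag to the SIEM as it is produced. Second, the signing key must not live where the log does, or whoever can edit the log can re-sign it.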




Discover multiple ways to integrate Acra

Acra consists of several services and utilities that can be combined into data flows suited to your architecture. Acra grows together with your product: all Acra services support horizontal scaling and offer features for high availability in the face of failures.

Depending on your architecture and use case, you might need to deploy only basic services or all of them.

  • AcraServer: transparent SQL database proxy that parses traffic between an app and a database and applies security functions where appropriate.
  • AcraTranslator: Encryption-as-a-Service API that exposes most of Acra’s features over HTTP and gRPC.
  • AnyProxy: API server that works as a gateway to the encryption layer for several applications and databases. Available in Acra Enterprise Edition only.
  • Client-side SDKs: encrypt and decrypt data on the application side and wrap AcraTranslator and AnyProxy in a native interface instead of raw API calls. Available in Acra Enterprise Edition only.

So, which Acra services and components do you need? Depends on your use case! Introduce transparent encryption without breaking the data flow, or centralise the encryption layer for multiple apps, or build end-to-end encrypted data flows.

Refer to Acra-in-depth / Architecture to learn more about Acra components. Refer to Acra-in-depth / Data flow to see more typical Acra-based data flows and deployments.


Acra Community Edition vs Acra Enterprise Edition

Acra Community Edition offers all Acra security features in a fully working but deliberately simple form.

Take the free Acra Community Edition, pick one of the pre-configured Docker Compose setups, and start without any coding. Your Ops team can easily configure and adapt Acra Community Edition to the needs of a small-scale product.

When your product grows and needs more hands and brains, you may want to migrate to Acra Enterprise Edition, which addresses a broader set of security and operational requirements. It provides more value for enterprise teams: refined key management and policy management, support for multiple KMSs and SIEMs, and advanced services and utilities (such as client-side SDKs and AnyProxy) for building security layers fitted to your architecture.

Acra Enterprise Edition is typically used in products with high security requirements, large-scale cloud solutions with multiple databases or B2B SaaS.




How Acra helps with data security and privacy compliance

Acra provides, under the hood, the cryptographic and security processes mandated by various data security and privacy regulations (GDPR, DPA, CCPA, PCI DSS, HIPAA), cutting integration and maintenance complexity for engineers.

Acra Enterprise Edition can satisfy most NIST SP 800-57 requirements and some PCI DSS requirements. Refer to Regulations to learn more.

We have put years of data security experience, cryptography R&D and innovation into the Acra database security suite. We designed Acra to be an effective and cost-efficient data security solution that covers your data protection needs with no fuss.


Acra fast facts

  • The Acra database protection suite was first released as open source in 2017 and has gained adoption and recognition among users of PostgreSQL and MySQL databases. Acra later added support for NoSQL databases and key-value stores.

  • Acra has been battle-tested in public clouds, private clouds and air-gapped environments. It does not need a public internet connection to work: connect it to your app and database and select which fields to encrypt.

  • Acra is used in critical infrastructure to encrypt telemetry from power plants, in fintech and neobanks to encrypt transaction details, and in large enterprises to encrypt customers’ PII.

  • Acra integrates easily into existing software as a transparent proxy for SQL databases (AcraServer), as an Encryption-as-a-Service API for NoSQL databases (AcraTranslator), or through client-side SDKs with just 20 additional lines of code.

  • In 2020, Acra won Best Open Source Project in the Hackernoon Noonies contest.
