Quick Installation Guide

For Google Cloud Marketplace Customers

MySQL Armored by SG™

**A Shielded MySQL Server With Transparent Encryption and Cloud Backup **

We want to thank you for choosing to deploy the “MySQL Armored by SG” instance. You are in good company. Customers all around the world have enjoyed the benefits of our solutions since 2015. We have major installations in Europe, Asia, and the United States. Businesses use our solutions to protect their critical data and to achieve regulatory compliance. We also provide a variety of other services related to secure data transfer, storage, backup, and migration for data owners. Please contact us by sending an email to [email protected] if you have any questions. We would love to hear from you!

Introduction:

MySQL Armored by SG is a self-protecting MySQL server instance that empowers users to control their data encryption key. This means that the encrypted MySQL data can be moved across various cloud platforms or even to your data center without requiring a new key management system or data decryption.

Our solution is fully compliant with Google's Assured Workload environments, including FedRamp Medium and HIPAA. MySQL Armored by SG offers advanced security features such as transparent encryption of MySQL data, reduced attack surface, access controls, tamper-resistant logs, hardened instances, virtual instance security, and integrity monitoring. In addition, you can take advantage of secure backup features that include encrypted backups, cost-effective archival, flexible scheduling, and easy restoration.

By choosing_ MySQL Armored by SG_, you can enjoy the peace of mind that comes with having complete control over your data encryption key while benefiting from a highly secure, portable, and flexible MySQL server instance.

Prerequisites:

• An active Google Cloud Platform account: To install _MySQL Armored by SG _on Google Cloud, you must have an active Google Cloud Platform account. If you don't have an account yet, you can sign up for a free trial at https://cloud.google.com/free/. Once you have an account, you'll need to create a new project to deploy the MySQL Armored by SG solution.
• Proper privileges to install a Google Marketplace virtual machine instance: To install MySQL Armored by SG from the Google Cloud Marketplace, you must have proper privileges to create and manage virtual machine instances in Google Cloud. This typically requires the "Compute Instance Admin" or "Project Owner" role in Google Cloud IAM.
• Additional permissions to create and manage storage resources: If you plan to use Google Cloud storage to store your encrypted backups, you will need to have additional permissions to create and manage storage resources. This typically requires the "Storage Admin" or "Project Owner" role in Google Cloud IAM.
• A valid trial license: During the installation process, you will have the opportunity to acquire a free trial license for MySQL Armored by SG that is valid for 30 days. This trial license will enable you to test the solution and its features before deciding to purchase a subscription. After the trial period, you can purchase a subscription to continue using MySQL Armored by SG.

Accessing the MySQL Armored by SG solution in Google Cloud Marketplace:

Goal - At the end of this step, your secure MySQL server instance will be running on Google Cloud Engine.

Once you have met the prerequisites, you can proceed with accessing and deploying _MySQL Armored by SG _on Google Cloud. Follow these steps:

• Log in to the Google Cloud Console at https://console.cloud.google.com/.
• Click on the "Marketplace" button on the left sidebar.
• In the search bar at the top of the page, search for "Server General".

• Select "MySQL Armored by SG" from the list of search results.
• On the MySQL Armored by SG product page, click the "Launch on Compute Engine" button.

• Configure the virtual machine template using the following information:
  • Deployment name: Enter a unique identifier for the deployment.
  • Zone: Select the geographic region of the data center hosting the deployment.
  • Machine type: Select the CPU and RAM types that are appropriate for your deployment.
  • Boot disk type: Select the disk type that is appropriate for your deployment.
  • Boot disk size in GB: Select the storage capacity that is appropriate for your deployment.
  • Additional disk size in GB: Select storage capacity after carefully considering your data storage requirements. Please note that the second disk is used to store your encrypted data sets. Your second disk should be twice as large as your data set.
• Click the "Deploy" button to proceed.
• Wait for the virtual machine instance to be created and initialized. Once complete, you can access the MySQL Armored by SG solution using a web browser.
• Follow the on-screen instructions to configure your instance.

Configure Your Instance

Goal - At the end of this step, your MySQL Armored by SG instance will be fully configured and your MySQL data will be encrypted.

1. Access your instance by clicking on the link provided on the Deployment Manager page or opening a web browser and typing in the IP address of your machine: https://<IP address of your machine>>/. Ignore any invalid SSL certificate warning and proceed.

2. On the License Agreement page, scroll down and accept the terms and conditions to proceed with the configuration.

3. Next your machine will run a connectivity test to make sure that it can access the licensing server, key lockers, and logging servers. Click process if the test passes or else check your firewall settings and make sure that you are not restricting outbound TCP/IP traffic.

4. License your machine by entering a valid license or requesting a 30-day trial license. If you opt for a trial license, you'll need to confirm your email address to receive a security code. Enter the security code to receive your trial license.

5. Configure the "sgadmin" user by assigning a password. This user is a system user, and all commands are issued in the context of this user.

Remember the password, as you'll need it to log into the web management console of your machine.

6. Configure the Security Officer (SO) by selecting an alpha-numeric string of length 16 or more characters, called the Security Officer's Master Key (SMK).

Write down this string as you won't be able to recover it if lost.

7. Configure the Data Administrator (DA) by selecting an alpha-numeric string of length 16 or more characters, called the Data Administrator's Master Key (DMK). You'll need to enter the SMK to initialize the DA since only the SO can add or remove a DA.

Write down the DMK as you'll need it to manage all operations related to your protected data sets.

8. We’ll configure the MySQL “root” user for you and you’ll find the password on the Dashboard. We highly recommend that you change this password as soon as possible.

After completing these steps, a new security policy will be implemented that will encrypt your MySQL data, and start your MySQL server. Only the "sgadmin" and "mysql" users will be allowed to see the data in clear text. You will control the data encryption key. Note that your application will continue to access the MySQL data as we use transparent data encryption. Your dashboard will look like this:

Verify Installation

Goal - At the end of this step, you will be able to see that your data is encrypted and our advanced access control rules are enforced.

Your MySQL data has already been encrypted and the advanced access control mechanisms are now being enforced. Therefore, only the “allowed users” should be able to access the unencrypted data sets. All other users (including the “root” user) should not be able to view the cleartext data.

We’ll test our hypothesis below. We assume that you’ve used the option "Launch Encrypted MySQL" option from the web console to start your MySQL server.

First, we will verify that the MySQL user, as well as the “sgadmin” user, can still see the data even though it is encrypted. Open up a new SSH window and log in to your instance as the “sgadmin” user. If you are using a Linux machine, then you can use the ssh command to log into your machine.

$ ssh -i <path to google compute engine key stored on your computer> sgadmin@<IP address of your server>

You can also use the “gcloud” command to log into your machine. It will look like this:

gcloud compute --project "project-name" ssh --zone "us-central1-f" "sgadmin@name-of-your-vm"

Query any table of importance to you--here we’ll establish a MySQL connection and execute a query on the “user” table (which holds database credentials). You should get similar results:

mysql -u root -p -e 'USE mysql; SELECT user, host, authentication_string FROM user;'

Enter the password when prompted.

mysql -u root -p -e 'USE mysql; SELECT user, host, authentication_string FROM user;'

The output should look like this:

+------------------+-----------+-------------------------------------------+
| user             | host      | authentication_string                     |
+------------------+-----------+-------------------------------------------+
| root             | localhost | *8A5BBB2137D6AFC5CD5D6517FC37CDBA4A12C149 |
| mysql.session    | localhost | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE |
| mysql.sys        | localhost | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE |
| debian-sys-maint | localhost | *33EB87AE1B08A53C99887414CC54645E81AD8D9E |
+------------------+-----------+-------------------------------------------+

The above test proves that the “mysql” user is still able to see the data in cleartext.

Now let’s see if the “sgadmin” user can see the data in cleartext at the OS layer. Start a new terminal session and log in as the “sgadmin” user using the “gcloud” command that should look like this (or you can SSH into the machine using the Google Compute Engine key stored on your machine):

gcloud compute --project "your-project-name" ssh --zone "us-west1-b" "sgadmin@name-of-your-vm"

The “sgadmin” user should be able to see the MySQL data per our security policy above.

$ sudo -i

# cd /var/lib/mysql/mysql

# ls -lt

# strings user.MYD

You can copy the above commands and paste them into your SSH terminal to perform the tests.

—--------------------------------------------------------------------

The last command in the series above will show you the plain text characters scraped from within the file.

Please note that the file you are looking at is in fact encrypted but the “sgadmin” user is still able to see the data in cleartext.

You can see your encrypted files:

$ sudo ls -lt /vault/serverg/security_policy_tg2

Here you will find the encrypted version of the MySQL files which were previously stored in /var/lib/MySQL.

Now if you want to see what unauthorized users will see, then you should log out again. It is essential that you _log out _and log back in as any other _system user who is _part of the group “sudo”. Elevate your privileges and then try to access /var/lib/MySQL. You will notice that even though you are the “root” user you are unable to access the protected files. The following command generates an error stating no such file exists.

# cd /var/lib/mysql/mysql

This command should show an empty directory like this:

Note: What To Do After You Reboot Your Instance

IF YOU REBOOT YOUR “MySQL Armored by SG” INSTANCE YOU MUST START YOUR MySQL SERVER USING THE "LAUNCH MySQL SERVER" OPTION FROM YOUR "MySQL Armored by SG" CONSOLE.

To do this, log into your "MySQL Armored by SG" console by opening up a browser and typing in the following URL:

https://<IP address of your machine>

Once you are logged in, click on the "Launch MySQL Server" button to start your MySQL server.

NOTE: DO NOT START YOUR MySQL SERVER MANUALLY USING THE COMMAND LINE UNLESS YOU KNOW WHAT YOU ARE DOING.

Updated on April 26, 2023