0.94.0, November 17th 2022
0.94.0, November 17th 2022
Core:
In this release we deprecated Zones functionality and all flags and CLI parameters related to it. These flags will be removed in the next versions. Acra will warn about deprecations.
Acra Community Edition supports separate encryption keys linked to the ClientIDs
and allows to manage key switching via TLS certificates.
Acra Enterprise Edition supports more flexible mapping between users/apps and encryption keys via SQL variables.
- AcraServer, AcraTranslator, AcraKeymaker, AcraKeys, AcraRotate, AcraAddZone, AcraBackup, AcraLogVerifier, AcraPoisonRecordMaker, AcraRollback:
- Added new CLI flags for better KMS support (documentation page, #552, #553, #554):
--kms_credentials_path=<filepath>
- path to configuration file specific for KMS type--kms_type=[aws]
- type of KMS provider
- Added support of encrypting the Acra Master Key using AWS KMS key (key wrapping technique). AWS KMS documentation page, #552.
- Added support of the several encryption strategies for keys in the keystore (#556) and added new CLI flag:
--keystore_encryption_type
- specifies type of keys encryption for keystore. Acceptsenv_master_key
,vault_master_key
,kms_encrypted_master_key
,kms_per_client
. Read description of types on documentation pages of appropriate tools, for example AcraKeymaker.
- Extended configuration of TLS options when storing ACRA_MASTER_KEY in HashiCorp Vault. #578
- Added 12 flags related to OCSP/CRL support. You can find all of these flags in documentation on pages related to appropriate tool, for example AcraKeymaker.
- Added new CLI flags for better KMS support (documentation page, #552, #553, #554):
- AcraServer, AcraTranslator, AcraKeymaker, AcraKeys, AcraRotate, AcraAddZone, AcraTokens:
- Added TLS support for Redis storage for Keystore. Added new 15 CLI flags related to TLS configuration. Read more on appropriate tool's page, for example AcraKeymaker. #566, #565
- AcraServer, AcraTranslator, AcraKeymaker, AcraKeys, AcraRotate, AcraAddZone, AcraRollback:
- Deprecated all Zones related CLI flags and API descriptions #577
- AcraServer, AcraTranslator:
- AcraServer:
- Added support of HashiCorp Consul as a configuration source for encryptor config. Acra can load configuration from the Consul instead of file. Added new CLI flag (
--encryptor_config_storage_type=[filesystem|consul]
) to switch source and Consul specific flags. Read more on documentation page about encryptor config and acra-server's configuration description. #568 - Improved support of searchable tokenization. AcraServer captures
SELECT
queries and updateWHERE
clauses to add support of filtering with consistent tokenization. #581 - Improved searchable encryption with more complex queries. #586, #592, #598, #599, #594.
- Improved SQL parser (better compatibility across different SQL databases):
- Improved processing prepared statement. #580, #593
- Added new section to encryptor config called
database_settings
. #532, #590- Contains subsections
mysql
andpostgresql
- Currently
mysql
subsection has one option,case_sensitive_table_identifiers
, boolean, to configure whether table names should be considered case-sensitive when comparing with names in encryptor config
- Contains subsections
- Table/column matching now works like this:
- For PostgreSQL:
- Raw identifiers are case-insensitive
- Identifiers wrapped with double quotes are case-sensitive
- MySQL:
- Column identifiers are always case-insensitive
- Table names are case-insensitive by default, could be changed with
case_sensitive_table_identifiers
option mentioned above
Case-insensitive means the identifier is converted to lowercase before comparing with values from encryptor config, encryptor config should contain lowercase version of column/table name.
Case-sensitive means identifiers are compared with values from encryptor config "as is", encryptor config should contain exactly the same identifier as in database schema.
- For PostgreSQL:
- Removed deprecated
--tls_db_sni
flag. Now only--tls_database_sni
is available. #564 - Added support of separate configuration and specifying of CRL/OCSP settings for connections from database and applications. Added flags:
--tls_ocsp_[database|client]_required
,--tls_[ocsp|crl]_[database|client]_check_only_leaf_certificate
,--tls_[ocsp|crl]_[database|client]_from_cert
,--tls_[ocsp|crl]_[database|client}_cache_size
,--tls_[ocsp|crl]_[database|client}_cache_time
,--tls_[ocsp|crl]_[database|client}_cache_size
. You can find all of these flags in documentation on pages related to appropriate tool, for example AcraServer. #564.
- Added support of HashiCorp Consul as a configuration source for encryptor config. Acra can load configuration from the Consul instead of file. Added new CLI flag (
- AcraTranslator:
- Improved HTTP API performance. Refactored HTTP processing core. Now AcraTranslator uses golang's HTTP server with gin router #550. Added support of:
- HTTP 2.0 connections additionally to HTTP 1.1
- Keep alive connections
- Added TLS support for HTTP API:
--http_api_tls_transport_enable=[true|false]
new flag added to turn on accepting TLS connections instead of raw TCP. Works only together with--http_api_enable=true
. #550
- Improved HTTP API performance. Refactored HTTP processing core. Now AcraTranslator uses golang's HTTP server with gin router #550. Added support of:
Example projects and demos:
- Python examples: updated to show searchable encryption feature. #548