Post-Compromise Security with Virgil PureKit and MariaDB

Rebecca Yarbrough — February 2nd, 2020

Virgil Security’s PureKit protects stored passwords and data even if the database itself is compromised, and it encrypts data on a per-user basis without giving the server any knowledge of the encryption key.

Now, with the new MariaDB plugin, developers can easily add post-compromise security and per-user encryption to their MariaDB instances.

PureKit is designed to give the user (whether that’s an end-user or an application) control over and access to their data. Access can be granted to other users within the network, with the permission of the data owner, using PureKit’s key management system.

This ability to give the user control over their data is a powerful capability that makes compliance with GDPR and other privacy regulations possible without having to build it from scratch.

Why MariaDB?

MariaDB is one of the most rapidly growing open source database providers in the world, and is used by organizations like Google, Deutsche Bank, Wikipedia, and Nasdaq.

These enterprises, as well as startups and small businesses, use MariaDB to store valuable intellectual property, state secrets, healthcare and financial data, and more.

The most popular MariaDB security tool is TDE (transparent data encryption), which is not sufficient against modern threats like insider threats, SQL injections, and brute force attacks.

TDE and other popular encryption options are designed to encrypt an entire database. This all-or-nothing approach creates inefficiencies and vulnerabilities, including the following:

  1. Unauthorized parties can get into the database because user and/or admin credentials are stored in the same database
  2. Employees have access to the whole database, leaving room for erroneously or intentionally exposing the data
  3. Vulnerable to SQL injection
  4. Encryption keys are sometimes stored within the database
  5. The key management provider uses insecure methods, such as a single symmetric key for all operations, and does not discard old keys

MariaDB administrators need more precise encryption, with the ability to encrypt at the record level instead of an entire database. This requires an advanced key management service that can operate within a Zero Trust environment, unlike AWS KMS.

What is post-compromise security?

  1. Seamless key rotation:
    1. Keys can be rotated while the app is running
    2. Keys can be rotated either proactively or in response to a data breach
  2. Invalidation of stolen data
    1. Data cannot be decrypted without the cooperation of the crypto server, rendering any data stolen from the database useless
  3. Zero-Knowledge proof
    1. The crypto service proves that all operations were performed using its private key
  4. Withstands both online and offline attacks
    1. Strict per-user rate limiting
    2. A password attempt requires the private keys of both the application and the crypto service

Comparing PureKit to TDE

Key Distribution

  1. TDE only allows for one key per database
  2. PureKit can distribute keys on a per-user basis

Key Rotation

  1. TDE requires the entire database to be re-encrypted when keys are rotated
  2. PureKit allows for in-place key rotation

Post-Compromise Security

  1. TDE will not continue to protect the data in case of a database breach
  2. With PureKit, the protected data will remain encrypted and useless after a database breach

SQL Injection-Proof

  1. TDE is not secure against an SQL injection, because the data is still selected as plaintext
  2. PureKit is immune to SQL injections

Key Management

Key generation, storage, lifetime, rotation, revocation and auditing are all complex functionalities that are necessary to handle securely. Otherwise, the data they’re protecting can easily be decrypted.

There are MariaDB key management solutions available today, like AWS KMS, but those have weaknesses. For example, when keys are rotated, AWS never completely deletes the old keys. Further, a single master symmetric key is used for all crypto operations.

Developers no longer need to choose between convenient but slightly insecure systems like AWS KMS and true security. Options like PureKit are now available that take advantage of tested technology like PHE (password-hardened encryption) to make security more user-friendly and efficient, even for the largest enterprise.

Learn More

Learn about PureKit in person from Virgil Security’s CTO and co-founder Dmitry Dain at MariaDB Day in Brussels on February 2nd, 2020. More details here.

The MariaDB PureKit plugin is in pre-release. To request access, email [email protected].

Virgil Security is a technology company that packages the latest security advancements for encryption, password protection and authentication into easy-to-use toolkits that the average software developer can use. They work for small startups and global enterprises alike. Learn more at
