Using CipherStash Encryption Migrator

CipherStash Encryption Migrator is used to encrypt existing data or to apply index changes after encryption configuration changes of a protected database. For information about the available options when using CipherStash Encryption Migrator, see CipherStash Encryption Migrator options.

CipherStash Encryption Migrator is bundled into the cipherstash-proxy Docker image.

CipherStash Encryption Migrator uses CipherStash Proxy to encrypt.

This guide assumes:

  • CipherStash Proxy is installed, configured and running
  • the target table has a corresponding dataset configured to encrypt one or more columns.

See the imtroduction to CipherStash Proxy. A CipherStash account can be created in the CipherStash Dashboard.

Encrypt the source column data in a table into the specified encrypted target column.

1cipherstash-migrator [OPTIONS] --table <TABLE> --columns <SOURCE_COLUMN=TARGET_COLUMN> --database-name <DATABASE_NAME> --username <USERNAME> --password <PASSWORD>

Encrypting existing data requires running an UPDATE of the column to be encrypted through CipherStash Proxy.

At a high level, the process is:

1For each record in {table}
2 - SELECT {pk} {column} FROM {table};
3 - UPDATE {table} SET column = {column_value} WHERE {pk} = {pk_value};

CipherStash Proxy encrypts the {column_value} and creates any encrypted indexes required.

1cipherstash-migrator --table users --columns name=encrypted_name email=encrypted_email --database-name postgres --username postgres --password password

Specify the primary key column:

1cipherstash-migrator --table users --primary-key user_id --columns name=encrypted_name email=encrypted_email --database-name postgres --username postgres --password password

Specify multiple primary key columns (compound key):

1cipherstash-migrator --table users --primary-key user_id order_id  --columns name=encrypted_name email=encrypted_email --database-name postgres --username postgres --password password

Run as dry-run

1cipherstash-migrator --table users --primary-key user_id --columns name=encrypted_name email=encrypted_email --database-name postgres --username postgres --password password --dry-run

The --dry-run option will SELECT and load data from the table, but does execute any UPDATES

Assuming a container called cipherstash-proxy:

1docker exec cipherstash-proxy cipherstash-migrator --table users --columns name=encrypted_name email=encrypted_email

If the container is running with the CS_DATABASE__NAME, CS_DATABASE__USERNAME, CS_DATABASE__PASSWORD ENV variables, they will be reused by CipherStash Migrator and don't need to passed.

Data can be decrypted from an encrypted source to a plaintext target using the --decrypt flag.

All other command libne options remain the same.

1cipherstash-migrator --decrypt --table users --columns encrypted_name=name encrypted_email=email --database-name postgres --username postgres --password password