Database protection suite with field level encryption and intrusion detection.
| Acra Engineering Examples | Documentation and tutorials | Installation | Acra feedback |
|---|---|---|---|
Acra — database security suite for sensitive and personal data protection.
Acra provides application-level encryption for data fields, multi-layered access control, database leakage prevention, and intrusion detection capabilities in one suite. Acra was specifically designed for distributed apps (web, server-side and mobile) that store data in one or many databases / datastores.
| Perfect Acra-compatible applications | Typical industries |
|---|---|
| Web and mobile apps that store data in a centralised database or object storage |
|
| IoT apps that collect telemetry and process data in the cloud | |
| High-load data processing apps |
Acra gives you tools for encrypting each sensitive data record (data field, database cell, json) before storing them in the database / file storage. And then decrypting them in a secure compartmented area (on Acra side). Acra allows to encrypt data as early as possible and operate on encrypted data.
Acra's cryptographic design ensures that no secret (password, key, etc.) leaked from the application or database will be sufficient for decryption of the protected data. Acra minimises the leakage scope, detects unauthorised behavior, and prevents the leakage, informing operators of the incident underway.
This is Acra Community Edition, it's free for commercial and non-commercial use, forever.
| encryption on client-side and/or Acra-side – each data field is encrypted using unique encryption keys. | |
| you select which columns to encrypt to balance good security and performance. | |
| two crypto-envelopes: AcraBlocks and AcraStructs. AcraBlocks are fast symmetric containers, use them by default. AcraStructs are asymmetric containers, use them for client-side encryption. | |
| search through encrypted data without decryption. Designed for exact queries, based on AES-GCM and blind index. | |
| use full or partial masking to remove or mask sensitive data. | |
| substitute sensitive data with a token and match it to original only when needed. | |
| built-in tools for key generation, export, backup, rotation, etc. | |
| through a built-in SQL firewall. | |
| using poison records (honey tokens) to warn about suspicious behaviour. | |
| available for Acra Enterprise users. | |
Acra delivers different layers of defense for different parts and stages of the data lifecycle. This is what defence in depth is – an independent set of security controls aimed at mitigating multiple risks in case of an attacker crossing the outer perimeter.
| all Acra features packed into a database proxy that parses traffic between an app and a database and applies security functions where appropriate. | |
| API server, that exposes most of Acra’s features as HTTP / gRPC API with traffic protection. | |
| optional client-side service for authentication and transport encryption. | |
| available for Acra Enterprise users. | |
| your infrastructure is secure from the start without additional configuring. | |
| no risk of selecting the wrong key length or algorithm padding. | |
| easy to configure and automate. | |
| via binary packages or Docker images. | |
| requires minimal changes in the application code. | |
| throughout all Acra components; compatible with ELK stack, Datadog, Graylog, Prometheus, Grafana, Jaeger. | |
| rollback utilities to decrypt database into plaintext. | |
| numerous web-based and Docker-based example projects available. | |
| run AcraServer in your DigitalOcean cloud. | |
| we can setup and manage Acra for you. |
Acra relies on our cryptographic library Themis, which implements high-level cryptosystems based on the best available open-source implementations of the most reliable ciphers. Acra strictly doesn't contain self-made cryptographic primitives or obscure ciphers.
To deliver its unique guarantees, Acra relies on the combination of well-known ciphers and smart key management scheme. See Cryptography and key management.
| Default crypto-primitive source | OpenSSL |
| Supported crypto-primitive sources ᵉ | BoringSSL, LibreSSL, FIPS-compliant, GOST-compliant, HSM |
| Storage encryption (AcraBlocks) | AES-256-GCM + AES-256-GCM |
| Storage encryption (AcraStructs) | AES-256-GCM + ECDH |
| Transport encryption | TLS v1.2+ or Themis Secure Session |
| KMS integration ᵉ | Amazon KMS, Google Cloud Platform KMS, HashiCorp Vault, Keywhiz, etc |
ᵉ — available in the Enterprise version of Acra only. Drop us an email to get a full list of features and a quote.
Acra consists of several services and utilities. Acra services allow you to construct infinitely sophisticated data flows that are perfectly suited to your exact infrastructure. Depending on your architecture and use case, you might need to deploy only basic services or all of them.
Refer to Acra-in-depth / Architecture to learn more about Acra components. Refer to Acra-in-depth / Data flow to see more typical Acra-based dataflows and deployments.
Let's see [the simples