[Azure Redis Cache] Encryption of key/value pairs in transit and at rest in Azure Cache for Redis


Problem description

How does Azure Cache for Redis encrypt data in transit and at rest?

 

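Answer

1. How does Azure Cache for Redis encrypt data in transit?

  • To keep data transferred between Azure Cache for Redis and client applications secure, TLS encryption must be enabled. Azure Cache for Redis enables SSL and uses TLS 1.2 by default.
  • Azure datacenters negotiate a TLS connection with client systems that connect to Azure services. TLS provides strong authentication, message privacy, and integrity (enabling detection of message tampering, interception, and forgery), interoperability, algorithm flexibility, and ease of deployment and use.

2. How is data at rest encrypted in Azure Cache for Redis?

Data at rest stored in Azure Cache for Redis is not encrypted in VM memory. On Standard C1 and above pricing tiers (Premium tier included), each Redis node runs on a dedicated VM; on Standard C0 and below pricing tiers (Basic tier included), Redis instances run in a shared environment and the same VM is shared by multiple Redis instances. Because processes are isolated from one another, a process is protected from being corrupted or having its data read by another process.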

 

References

Encryption on Azure Cache for Redis: https://techcommunity.microsoft.com/t5/azure-paas-blog/encryption-on-azure-cache-for-redis/ba-p/1800449

 

Overview:

Questions about security and data privacy in Azure Cache for Redis are legitimate and can be a concern. Azure in general offers several ways to encrypt data, depending on the services used.

We will discuss some of those options for the Azure Cache for Redis service below.

 

Encryption in Transit

Securing data in transit between Azure Cache for Redis and client applications requires TLS encryption to be enabled.

Azure Cache for Redis enables SSL and uses TLS 1.2 by default. It also supports TLS 1.0 and 1.1, but these will be retired soon.

Please be aware that non-SSL (not secure, unencrypted) connections are also supported for test purposes, but they are disabled by default and not recommended for production.

The recommendation is to use only TLS 1.2, to keep all communications secure and encrypted in transit.

 

Microsoft gives customers the ability to use the Transport Layer Security (TLS) protocol to protect data in transit when it is traveling between the cloud services and client applications. Microsoft datacenters negotiate a TLS connection with client systems that connect to Azure services.

TLS provides strong authentication, message privacy, and integrity (enabling detection of message tampering, interception, and forgery), interoperability, algorithm flexibility, and ease of deployment and use.

For more, see the Azure encryption overview.
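The transit recommendations above can be checked mechanically on both sides of the connection. The following is an added example, not code from the original article or from Microsoft: it audits cache resources for the non-SSL port and for a minimum TLS version below 1.2, and builds a client context that refuses TLS 1.0/1.1. It assumes the `enableNonSslPort` and `minimumTlsVersion` fields as exposed in `az redis show` output; the sample records and cache names are constructed.

```python
import json
import ssl

MIN_TLS = ssl.TLSVersion.TLSv1_2  # the only version the article recommends

# Constructed sample shaped like `az redis show` output; not real caches.
SAMPLE = json.loads("""
[
  {"name": "cache-a", "enableNonSslPort": false, "minimumTlsVersion": "1.2"},
  {"name": "cache-b", "enableNonSslPort": true,  "minimumTlsVersion": "1.0"},
  {"name": "cache-c", "enableNonSslPort": false, "minimumTlsVersion": null}
]
""")


def audit_cache(cache):
    """Return transit-encryption findings for one cache resource."""
    findings = []
    if cache.get("enableNonSslPort"):
        findings.append("non-SSL port enabled: unencrypted connections accepted")
    tls = cache.get("minimumTlsVersion")
    if tls is None:
        findings.append("minimumTlsVersion not set: pin it to 1.2 explicitly")
    elif tuple(int(p) for p in tls.split(".")) < (1, 2):
        findings.append(f"minimum TLS {tls} accepted: raise it to 1.2")
    return findings


def client_tls_context():
    """Client context: certificate and hostname checks on, TLS 1.0/1.1 refused."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_TLS
    return ctx


if __name__ == "__main__":
    for cache in SAMPLE:
        print(cache["name"], audit_cache(cache) or "ok")
    print("client minimum:", client_tls_context().minimum_version.name)
```

The context returned by `client_tls_context()` can be passed to any Python client that accepts an `ssl.SSLContext`, so a cache that still accepts older protocol versions cannot downgrade the connection.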

 

 

Encryption at Rest

On Azure Cache for Redis, all data stays in the Virtual Machine memory all the time.

Any attempt to encrypt Redis data and use encrypt/decrypt hashes on the server side would use the Virtual Machine memory in the same way, with the same exposure.

For that reason, Redis encryption at rest is not implemented and is not supported.

 

On Standard C1 and above tiers (Premium tier included), each Redis node runs on a dedicated Virtual Machine; on Standard C0 and below (Basic tier included), the Redis instances remain in a shared environment and the same Virtual Machine is used by more than one Redis instance.

In any case, only the Redis process assigned to a given set of memory segments can access them, which keeps all data private with no possibility of external access. The operating system guarantees this.

 

Each process on Windows has a virtual address space, and all threads of a process can access its virtual address space. However, threads cannot access memory that belongs to another process, which protects a process from being corrupted or having its data read by another process.

See more about Memory Management:

https://docs.microsoft.com/en-us/windows/win32/memory/about-memory-management

 

To keep the host Virtual Machines updated and secure, Microsoft updates the Redis hosts periodically.

 

Encryption on Persistent Redis

Redis Persistence allows you to persist data stored in Redis. This is supported on Redis Premium tiers only. You can also take snapshots and back up the data, which you can load in case of a hardware failure. Because this data is saved externally, it needs special attention with regard to data security and encryption.

Redis Persistence writes Redis data into an Azure Storage account that you own and manage. Azure Storage automatically encrypts data when it is persisted, and the data is encrypted with Microsoft-managed keys by default. You can continue to rely on Microsoft-managed keys for the encryption of your data, or you can manage encryption with your own keys.

Data in Azure Storage is encrypted and decrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. Azure Storage encryption is similar to BitLocker encryption on Windows.

 

Encryption on Client side

Although any client application can encrypt Redis data before sending it to the Redis service and decrypt it after receiving it from the Redis service, this adds processing time and client CPU usage for the encryption and decryption.

Redis acts as a memory cache, and for that reason the time to process any request is expected to be very short. Adding processing time to encrypt/decrypt on the client side will invalidate all the advantages of having a cache (the encrypt/decrypt process is typically time- and CPU-intensive).

 

Conclusion:

Although Azure has several different ways to encrypt and secure data, for the Azure Cache for Redis service, encryption in transit using SSL/TLS 1.2 is the recommended way. Encryption at rest is not needed, as the Virtual Machine that hosts the Redis node already guarantees the security and privacy of data in memory, and Redis persistence is protected by Storage encryption. Any attempt to encrypt/decrypt Redis data on the client side will add processing time and client CPU load, losing the advantage of having a quick cache service with very low latency.
