Overview

The database encryption proxy enables transparent row and column-level encryption to be integrated into an existing database with minimal disruption to current workflows. This allows companies to protect sensitive information stored within their databases, while still retaining the ability to query that data.

Encryption is managed using fine-grained keys, with one or more keys assigned per tenant. Both encryption and decryption processes are transparent, and the proxy supports the coexistence of encrypted and unencrypted data within the same row or column. It seamlessly handles the merging of encrypted and plaintext records, ensuring smooth and secure data operations.

General Operation

The Antimatter database proxy seamlessly integrates with many common database driver libraries. To use it, simply update your connection string to point to the proxy. Queries that don't involve encrypted data will function as usual, with no need for any modifications.

The proxy is designed to be efficient, adding no more overhead than a typical forwarding proxy. It intelligently determines whether a query requires cryptographic operations. If encryption isn't involved, the query is forwarded directly to the upstream database without delay.

When a query does interact with encrypted fields, the proxy first checks if the specified domain is valid and whether encryption is enabled for that domain. If these conditions aren't met, the query is passed through to the upstream database unchanged.

Only when a query involves encrypted fields and the domain credentials are validated does the Antimatter database proxy perform the necessary cryptographic operations to process the query securely.

Setup Process

The following steps are required to configure the platform for database encryption and proxy integration.

  1. Connect the database proxy to the upstream database.
  2. Onboard the tables that should contain encrypted data.
  3. Migrate existing plaintext data to ciphertext.
  4. Modify your application to send SQL commands to the database proxy.

Terminology

  • Upstream database: the original target database that encryption will be applied to.
  • Proxy database: the proxy database that performs cryptographic operations for the upstream database.
  • Antimatter command: keyword sequences used to perform cryptographic commands against a database proxy.
  • Onboarding: the process of designating specific table columns for cryptographic operations.

Restrictions

  • The token antimatter, and any token consisting of antimatter_ followed by a string, are reserved keywords when performing queries via the Antimatter database proxy.