strangetimes

Reputation: 5213

Changing Cloud SQL block_encryption_mode in a GAE app

I'm running a GAE app in the Standard environment (thus, little control over things). It's using Cloud SQL for its backend (MySQL). How can I change the default block_encryption_mode on the database permanently to aes256? By default it's set to aes-128-ecb, which isn't good enough for our needs.

I've already looked at the available / configurable flags under Cloud SQL. block_encryption_mode isn't in the list. I'm surprised as 128-ecb is known to be weak. Is there any other way to change this in a Django app?

Upvotes: 0

Views: 330

Answers (1)

strangetimes

Reputation: 5213

Since the block_encryption_mode isn't supported otherwise by Cloud SQL, one needs to set this per session (unfortunate, as it'll be an extra query over to the server with a slight performance hit, but no other way). To do this, set it as an init_command option for the database connection in your Django settings.py:

DATABASES = {
    'default': {
        "ENGINE": 'django.db.backends.mysql',
        "NAME": DB_NAME,
        "USER": DB_USER,
        "PASSWORD": ...,
        "PORT": ...,
        "OPTIONS": {
            "init_command": "SET block_encryption_mode = 'aes-256-cbc'",
        },
    }
}

This isn't directly related to the question; however, changing block encryption mode to AES256 requires one to use an initialisation vector (IV), unique per encrypted content (otherwise the similarity of encrypted text can serve as a hint to a hacker).

Upvotes: 1
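
The per-value IV mentioned in the answer, as an added example that is not part of the original post: it checks that the session really is in `aes-256-cbc` before calling `AES_ENCRYPT`, generates a fresh IV for every value, and stores it in front of the ciphertext. The helper names are hypothetical; it assumes a DB-API cursor such as Django's `connection.cursor()`, a driver that binds `bytes` parameters as binary, and a 32-byte key supplied by the caller.

```python
import os

IV_LEN = 16                    # AES block size; CBC needs a 16-byte IV
REQUIRED_MODE = "aes-256-cbc"  # the mode set by init_command in the answer


def require_cbc_session(cursor):
    """Fail closed if this session is not in the expected mode.

    In ECB mode MySQL ignores the IV argument and only raises a warning,
    so a connection that skipped init_command would otherwise encrypt
    with the aes-128-ecb default without any error.
    """
    cursor.execute("SELECT @@session.block_encryption_mode")
    mode = cursor.fetchone()[0]
    if isinstance(mode, bytes):
        mode = mode.decode()
    if mode.lower() != REQUIRED_MODE:
        raise RuntimeError(
            f"block_encryption_mode is {mode!r}, expected {REQUIRED_MODE!r}"
        )


def encrypt_value(cursor, plaintext, key):
    """Encrypt server-side with a fresh random IV; return iv || ciphertext."""
    if len(key) != 32:
        raise ValueError("aes-256 needs a 32-byte key")
    require_cbc_session(cursor)
    iv = os.urandom(IV_LEN)  # unique per encrypted value, never reused
    cursor.execute("SELECT AES_ENCRYPT(%s, %s, %s)", [plaintext, key, iv])
    return iv + cursor.fetchone()[0]


def decrypt_value(cursor, blob, key):
    """Split the stored iv || ciphertext and decrypt with the same key."""
    if len(key) != 32:
        raise ValueError("aes-256 needs a 32-byte key")
    require_cbc_session(cursor)
    iv, ciphertext = blob[:IV_LEN], blob[IV_LEN:]
    cursor.execute("SELECT AES_DECRYPT(%s, %s, %s)", [ciphertext, key, iv])
    return cursor.fetchone()[0]
```

The IV is not secret, so storing it next to the ciphertext in the same column is fine; the key must stay outside the database.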
