Way of securing ProxySQL’s own SQLite3 database

Tags: encryption, proxysql, security, sqlite

As I understand it, ProxySQL has support for SSL encryption for inbound and outbound traffic (frontend/backend) and supports password hashing. However, back in 2017, one had direct database access:

How to easily bring 80 MySQL users into ProxySQL?

According to Icarus's answer, it would be rather easy for someone who broke into the hosting server to gain access to all endpoints listed on this database by making a select call directly to it.

Is there any way of encrypting the SQLite3 DB? Or perhaps of encrypting the data stored in the database (similar to how SSL is used for in-transit data)? Basically looking for data-at-rest securing strategies.

Perhaps this is already implemented in recent versions? I could not find any documentation supporting it, but it did seem that this may be the case:

https://github.com/sysown/proxysql/blob/v2.0.13/lib/ProxySQL_Admin.cpp

Which, if I understood correctly, implements SHA1 encryption:

https://stackoverflow.com/questions/3179021/sha1-hashing-in-sqlite-how

If this is correct, is this restricted to password hashing? Or is it part of the SSL encryption implementation? Or is there actually a way of enabling encrypted "DISK" read/writes? Is this by any chance implemented by default on v2+ builds?

Ultimately, I plan on encrypting the volume this is installed in, and have a second proxy layer so that I don't expose endpoint information; this would be an additional layer of protection.

Thanks, I appreciate any insights you may have!

Best Answer

I have yet to find a better answer for now other than that the SQLite3 DB ProxySQL uses is unencrypted and there are no parameters to change this. It is strange, since you can encrypt many other things, but data at rest seems unaddressed.

However, one may use HDD encryption to reduce the chances of it being breached. Also, keep user passwords hashed in case your server security is broken, and keep your encryption keys encrypted.

Will update this answer if I find additional information.
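The answer's second recommendation (keep the passwords in mysql_users hashed so that reading proxysql.db off disk yields no reusable credentials) can be checked and applied with a small script. The following is an added example, not ProxySQL project code: it builds a constructed in-memory SQLite table using a subset of the mysql_users columns, finds rows whose password is not in mysql_native_password form (`*` followed by 40 upper-case hex digits, SHA1(SHA1(password)), which is the hashed form ProxySQL accepts in mysql_users.password), and rewrites the plaintext ones. The sample users and passwords are made up.

```python
"""Audit a ProxySQL-style mysql_users table for plaintext passwords.

Added example, not ProxySQL's own code. The table below is a constructed
subset of ProxySQL's mysql_users schema and the rows are made up.
"""
import hashlib
import re
import sqlite3

# mysql_native_password format: '*' + 40 upper-case hex digits of SHA1(SHA1(pw)).
# This is the hashed form ProxySQL accepts in mysql_users.password.
NATIVE_HASH_RE = re.compile(r"^\*[0-9A-F]{40}$")


def mysql_native_password(plaintext: str) -> str:
    """Return the mysql_native_password hash for a plaintext password."""
    inner = hashlib.sha1(plaintext.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def is_native_hash(value: str) -> bool:
    """True if the stored value already looks like a mysql_native_password hash."""
    return bool(value) and NATIVE_HASH_RE.match(value) is not None


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for proxysql.db (subset of mysql_users columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mysql_users ("
        " username VARCHAR NOT NULL,"
        " password VARCHAR,"
        " active INT CHECK (active IN (0,1)) NOT NULL DEFAULT 1,"
        " default_hostgroup INT NOT NULL DEFAULT 0,"
        " PRIMARY KEY (username))"
    )
    conn.executemany(
        "INSERT INTO mysql_users (username, password, default_hostgroup) VALUES (?, ?, ?)",
        [
            ("app_rw", "password", 0),                              # plaintext (constructed)
            ("app_ro", mysql_native_password("readonly-pass"), 1),  # already hashed
            ("batch", "", 0),                                       # empty password
        ],
    )
    conn.commit()
    return conn


def find_plaintext_users(conn: sqlite3.Connection) -> list:
    """Usernames whose stored password is not a native hash (empty ones included)."""
    rows = conn.execute("SELECT username, password FROM mysql_users ORDER BY username")
    return [user for user, pw in rows if not is_native_hash(pw or "")]


def hash_plaintext_passwords(conn: sqlite3.Connection) -> int:
    """Replace non-empty plaintext passwords with their native hash; return rows changed.

    Empty passwords are left alone: hashing them would only hide the fact that
    the account has no password, which is the real problem to fix.
    """
    changed = 0
    rows = conn.execute("SELECT username, password FROM mysql_users").fetchall()
    for username, password in rows:
        if password and not is_native_hash(password):
            conn.execute(
                "UPDATE mysql_users SET password = ? WHERE username = ?",
                (mysql_native_password(password), username),
            )
            changed += 1
    conn.commit()
    return changed


if __name__ == "__main__":
    db = build_sample_db()
    print("plaintext or empty before:", find_plaintext_users(db))
    print("rows hashed:", hash_plaintext_passwords(db))
    print("plaintext or empty after: ", find_plaintext_users(db))
```

To run this against a real instance, replace `build_sample_db()` with `sqlite3.connect("file:/var/lib/proxysql/proxysql.db?mode=ro", uri=True)` (that path is the usual default datadir and is an assumption here) and use only `find_plaintext_users` on a copy taken while ProxySQL is stopped; apply changes through the admin interface (`UPDATE mysql_users ...; LOAD MYSQL USERS TO RUNTIME; SAVE MYSQL USERS TO DISK`) rather than editing the file under a running process. Note the limits of this mitigation, which is the point of the accepted answer: hashing covers only the password column, while hostnames and ports in mysql_servers, and the admin credentials themselves, remain readable to anyone with the file, so volume encryption is still needed for the rest.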