Overview
Baffle is the only security platform that cryptographically protects data as it's created, used, and shared across cloud-native data stores.
Baffle Shield for Postgres Static Data Masking is specifically designed to copy and obfuscate sensitive production databases into development, testing, and DevOps lower environments. Eliminate the security and compliance issues with sensitive data in your pre-production environments.
Baffle Shield is a proxy placed in-line between your production and pre-production databases and operates on the SQL commands. Use AWS DMS or native Postgres tools like pg_dump or pg_replication for migration (one-time or continuous updates)
Format Preserving Encryption (FPE) protects data while preserving the original data type and length. This is critical for testing applications without modification as well as testing infrastructure for processing, storage, and bandwidth requirements. No corresponding token vault is required, eliminating the need to manage and secure that or worry about related performance issues. The data can be restored later if desired or the encryption key can be destroyed to ensure the data is never recovered. Envelope encryption ensures that Baffle software never has access to your key encryption keys (KEK), enabling you to bring your own keys (BYOK) in AWS KMS.
Both source and target databases must be PostgreSQL (AWS EC2, RDS, or Aurora RDS). .
Note! Baffle Manager is a web-based orchestration tool that configures, manages, and reports on Baffle Shields. Baffle Manager is free and also available in the AWS Marketplace.
Highlights
- Proxy architecture enables data duplication and protection with no modifications to production or lower environments. Use AWS DMS or Postgres standard backup. One-time copies and/or continual updates.
- Tokenization using format preserving encryption (FPE) ensures security while maintaining the format and length of the original data. Applications and infrastructure do not need to be modified to continue working. There are no look-up tables or "vaults" to add management and security risks.
- Envelope encryption ensures that Baffle software never has access to your key encryption keys (KEK), enabling you to bring your own keys (BYOK) in AWS KMS.
Details
Typical total price
$3.504/hour
Pricing
Free trial
Instance type | Product cost/hour | EC2 cost/hour | Total/hour |
---|---|---|---|
t2.large | $2.00 | $0.093 | $2.093 |
r6i.2xlarge Recommended | $3.00 | $0.504 | $3.504 |
r6i.16xlarge | $4.00 | $4.032 | $8.032 |
r6i.32xlarge | $5.00 | $8.064 | $13.064 |
Additional AWS infrastructure costs
Type | Cost |
---|---|
EBS General Purpose SSD (gp2) volumes | $0.10/per GB/month of provisioned storage |
Vendor refund policy
Free 30-day trial. Refunds are handled on a case-by-case basis via support.
Legal
Vendor terms and conditions
Content disclaimer
Delivery details
64-bit (x86) Amazon Machine Image (AMI)
Amazon Machine Image (AMI)
An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.
Version release notes
Ongoing updates and improvements
Additional details
Usage instructions
Start by launching Baffle Manager. Provide the Baffle Manager EC2 with a IAM role that provides access to a KMS key that will serve as the key encryption key, or KEK, S3 bucket for data encryption key (DEK) storage, and the target database -Use your browser to go to the URL of the Baffle Manager EC2 -Go through the configuration steps. -Create KMS, S3 and database connections. -Create an Application and retrieve the application SyncID.
Start the Launch of Baffle Shield for Postgres Anonymization for Lower Environments providing the same IAM role access to KMS key, S3, and target dtabase. In addition, allow network access outbound of port 443 to Baffle Manager. -In "Advanced Details", enter the script #!/bin/bash sudo sh /home/baffle/ssl_setup.sh -b {s3-Bucket-Name} -s {SYNC_ID} subsituting the name of the S3 bucket and the SyncID from Baffle Manager (Or you can SSH into the Baffle Shield EC2 later using the username "baffle" and run the script)
In Baffle Manager, you will see the BaffleShield connected to the Application you created.
-In the application, select "Encrypt" and then navigate to the table to encrypt. Select the columns and encryption types.
-Save and Deploy
Connect AWS DMS ( or use Postgres native tools) to subscribe to the source database. Connect the Baffle Shield as the "Target" on port 8444. Baffle Shield in-turn will connect to the target database. All copies of the data will be encryptedby Shiled on the way to the target database.
For TLS connectivity from AWS DMS to Shield, a certificate was generated and stored in the S3 bucket that can be used in AWS DMS. For TLS connectivity from Shield to the target database, select "Use SSL" when setting up the target database in Baffle Manger and upload the AWS RDS cert from here: https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-download-ssl-certificate-for-managed-database
Resources
Vendor resources
Support
Vendor support
Email support for setup, configuration, and usage issues. support@baffle.io
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.