Overview
Puedes cifrar tus dominios para garantizar que los datos almacenados en el disco no se puedan leer fuera de tu aplicación. Cifra el archivo del dominio en el disco con AES-256 + SHA-2 proporcionando una 64clave de cifrado de bytes al abrir un dominio.
Realm cifra y descifra datos de forma transparente con estándares Cifrado AES-256Utilizando los primeros 256 bits de la clave de cifrado de bits 512dada. Realm utiliza los otros 256 bits de la 512clave de cifrado de bits para validar la integridad mediante un código de autenticación de mensajes basado en hash (HMAC).
Advertencia
No utilice hashes criptográficamente débiles para las claves de cifrado de dominio. Para una seguridad óptima, recomendamos generar claves de cifrado aleatorias en lugar de derivadas.
Considerations
Los siguientes son los impactos clave a tener en cuenta al cifrar un reino.
Almacenamiento y reutilización de llaves
Debe pasar la misma clave de cifrado a RealmConfiguration.Builder.encryptionKey() cada vez que abra el dominio. Si no proporciona una clave o especifica una clave incorrecta para un dominio cifrado, el SDK de Realm generará un error.
Las aplicaciones deben almacenar la clave de cifrado en Android KeyStore para que otras aplicaciones no puedan leerla.
Impacto en el rendimiento
Las lecturas y escrituras en reinos cifrados pueden ser hasta un 10% más lentas que en reinos no cifrados.
Cifrado y sincronización de dispositivos Atlas
Puede encriptar un realm sincronizado.
Realm solo cifra los datos del dispositivo y los almacena sin cifrar en la fuente de datos Atlas. Cualquier usuario con acceso autorizado a la fuente de datos Atlas puede leerlos, pero se aplica lo siguiente:
Los usuarios deben tener los permisos de lectura correctos para leer los datos sincronizados.
Los datos almacenados en Atlas siempre están cifrados a nivel de volumen (disco).
La transferencia entre el cliente y el servidor siempre está totalmente cifrada.
También puede habilitar la Administración de claves del cliente para cifrar los datos de Atlas almacenados utilizando la clave de su proveedor de nube (por ejemplo, AWS KMS, Azure Key Vault, Google Cloud KMS).
Si necesita claves únicas para cada usuario de su aplicación, puede utilizar un proveedor OAuth o utilizar uno de los proveedores de autenticación de Realm y un activador de autenticación para crear 64una clave de bits y almacenar esa clave en un objeto de usuario.
Cómo acceder a un dominio cifrado desde múltiples procesos
Cambiado en la versión 10.14.0.
A partir de la versión 10.14.0 del SDK de Java de Realm, Realm admite la apertura del mismo reino cifrado en múltiples procesos.
Si su aplicación utiliza la versión 10.14.0 o anterior del SDK de Java de Realm, al intentar abrir un reino cifrado desde varios procesos se genera este error:
Encrypted interprocess sharing is currently unsupported.
Ejemplo
Los siguientes pasos describen la forma recomendada de utilizar Android KeyStore para el cifrado con Realm:
Genere una clave RSA asimétrica que Android pueda almacenar y recuperar de forma segura mediante Android KeyStore.
Nota
Versión de Android M y superiores: Seguridad del almacén de claves
Las versiones M y superiores requieren PIN de usuario o huella digital para desbloquear KeyStore.
Genere una clave simétrica (AES) que pueda utilizar para cifrar el reino.
Cifre la clave AES simétrica utilizando su clave RSA privada.
Almacena la clave AES cifrada en el sistema de archivos (en un
SharedPreferences, por ejemplo).
Cuando se deba usar el realm cifrado:
Recupere su clave AES cifrada.
Descifre su clave AES cifrada utilizando la clave RSA pública.
Utilice la clave AES descifrada en
RealmConfigurationpara abrir el reino cifrado.
Tip
Generar y almacenar una clave de cifrado
El siguiente código demuestra cómo generar y almacenar de forma segura una clave de cifrado para un reino:
// Create a key to encrypt a realm and save it securely in the keystore public byte[] getNewKey() { // open a connection to the android keystore KeyStore keyStore; try { keyStore = KeyStore.getInstance("AndroidKeyStore"); keyStore.load(null); } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | IOException e) { Log.v("EXAMPLE", "Failed to open the keystore."); throw new RuntimeException(e); } // create a securely generated random asymmetric RSA key byte[] realmKey = new byte[Realm.ENCRYPTION_KEY_LENGTH]; new SecureRandom().nextBytes(realmKey); // create a cipher that uses AES encryption -- we'll use this to encrypt our key Cipher cipher; try { cipher = Cipher.getInstance(KeyProperties.KEY_ALGORITHM_AES + "/" + KeyProperties.BLOCK_MODE_CBC + "/" + KeyProperties.ENCRYPTION_PADDING_PKCS7); } catch (NoSuchAlgorithmException | NoSuchPaddingException e) { Log.e("EXAMPLE", "Failed to create a cipher."); throw new RuntimeException(e); } // generate secret key KeyGenerator keyGenerator; try { keyGenerator = KeyGenerator.getInstance( KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore"); } catch (NoSuchAlgorithmException | NoSuchProviderException e) { Log.e("EXAMPLE", "Failed to access the key generator."); throw new RuntimeException(e); } KeyGenParameterSpec keySpec = new KeyGenParameterSpec.Builder( "realm_key", KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT) .setBlockModes(KeyProperties.BLOCK_MODE_CBC) .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7) .setUserAuthenticationRequired(true) .setUserAuthenticationValidityDurationSeconds( AUTH_VALID_DURATION_IN_SECOND) .build(); try { keyGenerator.init(keySpec); } catch (InvalidAlgorithmParameterException e) { Log.e("EXAMPLE", "Failed to generate a secret key."); throw new RuntimeException(e); } keyGenerator.generateKey(); // access the generated key in the android keystore, then // use the cipher to create an encrypted version of the key byte[] initializationVector; byte[] encryptedKeyForRealm; try { SecretKey secretKey = (SecretKey) keyStore.getKey("realm_key", null); cipher.init(Cipher.ENCRYPT_MODE, secretKey); encryptedKeyForRealm = cipher.doFinal(realmKey); initializationVector = cipher.getIV(); } catch (InvalidKeyException | UnrecoverableKeyException | NoSuchAlgorithmException | KeyStoreException | BadPaddingException | IllegalBlockSizeException e) { Log.e("EXAMPLE", "Failed encrypting the key with the secret key."); throw new RuntimeException(e); } // keep the encrypted key in shared preferences // to persist it across application runs byte[] initializationVectorAndEncryptedKey = new byte[Integer.BYTES + initializationVector.length + encryptedKeyForRealm.length]; ByteBuffer buffer = ByteBuffer.wrap(initializationVectorAndEncryptedKey); buffer.order(ByteOrder.BIG_ENDIAN); buffer.putInt(initializationVector.length); buffer.put(initializationVector); buffer.put(encryptedKeyForRealm); activity.getSharedPreferences("realm_key", Context.MODE_PRIVATE).edit() .putString("iv_and_encrypted_key", Base64.encodeToString(initializationVectorAndEncryptedKey, Base64.NO_WRAP)) .apply(); return realmKey; // pass to a realm configuration via encryptionKey() }
// Create a key to encrypt a realm and save it securely in the keystore fun getNewKey(): ByteArray { // open a connection to the android keystore val keyStore: KeyStore try { keyStore = KeyStore.getInstance("AndroidKeyStore") keyStore.load(null) } catch (e: Exception) { Log.v("EXAMPLE", "Failed to open the keystore.") throw RuntimeException(e) } // create a securely generated random asymmetric RSA key val realmKey = ByteArray(Realm.ENCRYPTION_KEY_LENGTH) SecureRandom().nextBytes(realmKey) // create a cipher that uses AES encryption -- we'll use this to encrypt our key val cipher: Cipher cipher = try { Cipher.getInstance(KeyProperties.KEY_ALGORITHM_AES + "/" + KeyProperties.BLOCK_MODE_CBC + "/" + KeyProperties.ENCRYPTION_PADDING_PKCS7) } catch (e: Exception) { Log.e("EXAMPLE", "Failed to create a cipher.") throw RuntimeException(e) } // generate secret key val keyGenerator: KeyGenerator keyGenerator = try { KeyGenerator.getInstance( KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore") } catch (e: NoSuchAlgorithmException) { Log.e("EXAMPLE", "Failed to access the key generator.") throw RuntimeException(e) } val keySpec = KeyGenParameterSpec.Builder( "realm_key", KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT) .setBlockModes(KeyProperties.BLOCK_MODE_CBC) .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7) .setUserAuthenticationRequired(true) .setUserAuthenticationValidityDurationSeconds( AUTH_VALID_DURATION_IN_SECOND) .build() try { keyGenerator.init(keySpec) } catch (e: InvalidAlgorithmParameterException) { Log.e("EXAMPLE", "Failed to generate a secret key.") throw RuntimeException(e) } keyGenerator.generateKey() // access the generated key in the android keystore, then // use the cipher to create an encrypted version of the key val initializationVector: ByteArray val encryptedKeyForRealm: ByteArray try { val secretKey = keyStore.getKey("realm_key", null) as SecretKey cipher.init(Cipher.ENCRYPT_MODE, secretKey) encryptedKeyForRealm = cipher.doFinal(realmKey) initializationVector = cipher.iv } catch (e: Exception) { Log.e("EXAMPLE", "Failed encrypting the key with the secret key.") throw RuntimeException(e) } // keep the encrypted key in shared preferences // to persist it across application runs val initializationVectorAndEncryptedKey = ByteArray(Integer.BYTES + initializationVector.size + encryptedKeyForRealm.size) val buffer = ByteBuffer.wrap(initializationVectorAndEncryptedKey) buffer.order(ByteOrder.BIG_ENDIAN) buffer.putInt(initializationVector.size) buffer.put(initializationVector) buffer.put(encryptedKeyForRealm) activity!!.getSharedPreferences("realm_key", Context.MODE_PRIVATE).edit() .putString("iv_and_encrypted_key", Base64.encodeToString(initializationVectorAndEncryptedKey, Base64.NO_WRAP)) .apply() return realmKey // pass to a realm configuration via encryptionKey() }
Acceder a una clave de cifrado existente
El siguiente código demuestra cómo acceder y descifrar una clave de cifrado almacenada de forma segura para un reino:
// Access the encrypted key in the keystore, decrypt it with the secret, // and use it to open and read from the realm again public byte[] getExistingKey() { // open a connection to the android keystore KeyStore keyStore; try { keyStore = KeyStore.getInstance("AndroidKeyStore"); keyStore.load(null); } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | IOException e) { Log.e("EXAMPLE", "Failed to open the keystore."); throw new RuntimeException(e); } // access the encrypted key that's stored in shared preferences byte[] initializationVectorAndEncryptedKey = Base64.decode(activity .getSharedPreferences("realm_key", Context.MODE_PRIVATE) .getString("iv_and_encrypted_key", null), Base64.DEFAULT); ByteBuffer buffer = ByteBuffer.wrap(initializationVectorAndEncryptedKey); buffer.order(ByteOrder.BIG_ENDIAN); // extract the length of the initialization vector from the buffer int initializationVectorLength = buffer.getInt(); // extract the initialization vector based on that length byte[] initializationVector = new byte[initializationVectorLength]; buffer.get(initializationVector); // extract the encrypted key byte[] encryptedKey = new byte[initializationVectorAndEncryptedKey.length - Integer.BYTES - initializationVectorLength]; buffer.get(encryptedKey); // create a cipher that uses AES encryption to decrypt our key Cipher cipher; try { cipher = Cipher.getInstance(KeyProperties.KEY_ALGORITHM_AES + "/" + KeyProperties.BLOCK_MODE_CBC + "/" + KeyProperties.ENCRYPTION_PADDING_PKCS7); } catch (NoSuchAlgorithmException | NoSuchPaddingException e) { Log.e("EXAMPLE", "Failed to create cipher."); throw new RuntimeException(e); } // decrypt the encrypted key with the secret key stored in the keystore byte[] decryptedKey; try { final SecretKey secretKey = (SecretKey) keyStore.getKey("realm_key", null); final IvParameterSpec initializationVectorSpec = new IvParameterSpec(initializationVector); cipher.init(Cipher.DECRYPT_MODE, secretKey, initializationVectorSpec); decryptedKey = cipher.doFinal(encryptedKey); } catch (InvalidKeyException e) { Log.e("EXAMPLE", "Failed to decrypt. Invalid key."); throw new RuntimeException(e); } catch (UnrecoverableKeyException | NoSuchAlgorithmException | BadPaddingException | KeyStoreException | IllegalBlockSizeException | InvalidAlgorithmParameterException e) { Log.e("EXAMPLE", "Failed to decrypt the encrypted realm key with the secret key."); throw new RuntimeException(e); } return decryptedKey; // pass to a realm configuration via encryptionKey() }
// Access the encrypted key in the keystore, decrypt it with the secret, // and use it to open and read from the realm again fun getExistingKey(): ByteArray { // open a connection to the android keystore val keyStore: KeyStore try { keyStore = KeyStore.getInstance("AndroidKeyStore") keyStore.load(null) } catch (e: Exception) { Log.e("EXAMPLE", "Failed to open the keystore.") throw RuntimeException(e) } // access the encrypted key that's stored in shared preferences val initializationVectorAndEncryptedKey = Base64.decode(activity ?.getSharedPreferences("realm_key", Context.MODE_PRIVATE) ?.getString("iv_and_encrypted_key", null), Base64.DEFAULT) val buffer = ByteBuffer.wrap(initializationVectorAndEncryptedKey) buffer.order(ByteOrder.BIG_ENDIAN) // extract the length of the initialization vector from the buffer val initializationVectorLength = buffer.int // extract the initialization vector based on that length val initializationVector = ByteArray(initializationVectorLength) buffer[initializationVector] // extract the encrypted key val encryptedKey = ByteArray(initializationVectorAndEncryptedKey.size - Integer.BYTES - initializationVectorLength) buffer[encryptedKey] // create a cipher that uses AES encryption to decrypt our key val cipher: Cipher cipher = try { Cipher.getInstance(KeyProperties.KEY_ALGORITHM_AES + "/" + KeyProperties.BLOCK_MODE_CBC + "/" + KeyProperties.ENCRYPTION_PADDING_PKCS7) } catch (e: Exception) { Log.e("EXAMPLE", "Failed to create cipher.") throw RuntimeException(e) } // decrypt the encrypted key with the secret key stored in the keystore val decryptedKey: ByteArray decryptedKey = try { val secretKey = keyStore.getKey("realm_key", null) as SecretKey val initializationVectorSpec = IvParameterSpec(initializationVector) cipher.init(Cipher.DECRYPT_MODE, secretKey, initializationVectorSpec) cipher.doFinal(encryptedKey) } catch (e: InvalidKeyException) { Log.e("EXAMPLE", "Failed to decrypt. Invalid key.") throw RuntimeException(e) } catch (e: Exception ) { Log.e("EXAMPLE", "Failed to decrypt the encrypted realm key with the secret key.") throw RuntimeException(e) } return decryptedKey // pass to a realm configuration via encryptionKey() }
Abrir un reino cifrado
El siguiente código demuestra cómo abrir un realm cifrado con el método encryptionKey():
// use a new encryption key to write and read from a realm byte[] realmKey = getNewKey(); // use the key to configure a realm final SyncConfiguration realmConfig = new SyncConfiguration.Builder(user, PARTITION) .allowQueriesOnUiThread(true) .allowWritesOnUiThread(true) .encryptionKey(realmKey) .build(); // once we've used the key to generate a config, erase it in memory manually Arrays.fill(realmKey, (byte) 0); // open and write and read from the realm Realm encryptedRealm = Realm.getInstance(realmConfig); ObjectId id = new ObjectId(); encryptedRealm.executeTransaction(eR -> { eR.createObject(Frog.class, id); }); Frog frog = encryptedRealm.where(Frog.class).findFirst(); ObjectId written_id = frog.get_id(); Log.v("EXAMPLE", "generated id: " + id + ", written frog id: " + written_id); encryptedRealm.close(); // get the encryption key from the key store a second time byte[] decryptedKey = getExistingKey(); // configure a realm with the key final SyncConfiguration realmConfigDecrypt = new SyncConfiguration.Builder(user, PARTITION) .allowQueriesOnUiThread(true) .allowWritesOnUiThread(true) .encryptionKey(decryptedKey) .build(); // once we've used the key to generate a config, erase it in memory manually Arrays.fill(decryptedKey, (byte) 0); // note: realm is encrypted, this variable just demonstrates that we've // decrypted the contents with the key in memory Realm decryptedRealm = Realm.getInstance(realmConfigDecrypt); Frog frogDecrypt = decryptedRealm.where(Frog.class).findFirst(); Log.v("EXAMPLE", "generated id: " + id + ", decrypted written frog id: " + frogDecrypt.get_id()); decryptedRealm.close();
// use a new encryption key to write and read from a realm val realmKey = getNewKey() // use the key to configure a realm val realmConfig = SyncConfiguration.Builder(user, PARTITION) .allowQueriesOnUiThread(true) .allowWritesOnUiThread(true) .encryptionKey(realmKey) .build() // once we've used the key to generate a config, erase it in memory manually Arrays.fill(realmKey, 0.toByte()) // open and write and read from the realm val encryptedRealm = Realm.getInstance(realmConfig) val id = ObjectId() encryptedRealm.executeTransaction { eR: Realm -> eR.createObject(Frog::class.java, id) } val frog = encryptedRealm.where(Frog::class.java).findFirst() val written_id = frog!!._id Log.v("EXAMPLE", "generated id: " + id + ", written frog id: " + written_id) encryptedRealm.close() // get the encryption key from the key store a second time val decryptedKey = getExistingKey() // configure a realm with the key val realmConfigDecrypt = SyncConfiguration.Builder(user, PARTITION) .allowQueriesOnUiThread(true) .allowWritesOnUiThread(true) .encryptionKey(decryptedKey) .build() // once we've used the key to generate a config, erase it in memory manually Arrays.fill(decryptedKey, 0.toByte()) // note: realm is encrypted, this variable just demonstrates that we've // decrypted the contents with the key in memory val decryptedRealm = Realm.getInstance(realmConfigDecrypt) val frogDecrypt = decryptedRealm.where(Frog::class.java).findFirst() Log.v("EXAMPLE", "generated id: " + id + ", decrypted written frog id: " + frogDecrypt!!._id) decryptedRealm.close()