Databunker intro
Personal data leaks in 2021 happen every day. The Databunker product was born to address exactly this problem. The Databunker was built to prevent sensitive record exposure via SQL injection and unfiltered GraphQL queries. The product provides an alternative solution to false database encryption for personal and sensitive records. In addition, our product is fully GDPR compliant.
Let’s take a look at the data leaks. Some require a sophisticated attack to gain shell access to the servers and then to the database. Some data leaks happen over the web using SQL injection vulnerabilities in the web apps. As a result of an SQL Injection attack, the attacker will extract personal data of all your users in cleartext from the database.
Regarding database encryption, let's face the truth: most of the solutions provide a false sense of security. Data is encrypted on the storage or disk level, so the database still returns plaintext to any query it accepts. If your website has an SQL injection vulnerability, the bad actor will get your data in cleartext.
Solution with Databunker
Instead of talking to Databunker using SQL, your backend calls an API function to retrieve specific user details. It is similar to the API of any NoSQL database. You can only look up a user record if you know the user's email address, phone number or unique token id.
By default, Databunker does not allow enumeration of user records; the API call for it is disabled. Databunker encrypts customer records and builds a secure search index for quick user lookup (i.e. using email, token, etc.).
Saving your sensitive records in Databunker complies with pseudonymization as a valid solution to store customer data as defined by GDPR.
1. Databunker setup
The easiest way to get started with Databunker is to run it as a Docker container:
docker run -p 3000:3000 -d --rm --name dbunker securitybunker/databunker demo
This command starts a local container with a DEMO root access key. You can use it for development or testing. For a production installation, follow this installation guide.
Connecting to Databunker
You can interact with Databunker using:
- Web Console listening on port 3000: localhost:3000
- REST API listening on port 3000: localhost:3000
2. Move your user records to Databunker
If you want to use Databunker in your existing project, you need to move customer data to Databunker and adapt your database schema to use usertoken.
Original database schema
Let’s take the following database schema as a source and convert it to use Databunker.
Method 1: simple database reorganization
This method requires you to modify only the users table. Remove all personal data columns from the users table, keep the original userid/id column, and add a usertoken column. The usertoken column points to the user record UUID generated by Databunker.
Advantages of this method
This method is good if you have a userid column linked from many tables or you have a very big database, where running the “alter table” command to update your database structure can take a lot of time.
Disadvantages of this method
One drawback here is that each user now has two identities: a userid and a usertoken.
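A sketch of Method 1 as a migration routine, added here as an example and not taken from the Databunker project: each row's personal columns are sent to the create call shown in section 3 and replaced locally by the returned usertoken. The PII column names, the `plan` column, the sample rows and the `token` field in the response are assumptions.

```javascript
// Added example, not Databunker project code: Method 1 migration of a users table.
// Assumptions: the PII columns are the fields from the page's curl example, and the
// create call answers with JSON carrying the new record's UUID in a "token" field.
const PII_COLUMNS = ["first", "last", "login", "phone", "email"];

// Split a legacy row into the profile sent to Databunker and the columns kept locally.
function splitRow(row) {
  const profile = {}, kept = {};
  for (const [col, val] of Object.entries(row)) {
    (PII_COLUMNS.includes(col) ? profile : kept)[col] = val;
  }
  return { profile, kept };
}

// POST the profile to /v1/user (endpoint and header as on the page); return the token.
async function createUserRecord(profile, baseUrl = "http://localhost:3000", rootToken = "DEMO") {
  const res = await fetch(`${baseUrl}/v1/user`, {
    method: "POST",
    headers: { "X-Bunker-Token": rootToken, "Content-Type": "application/json" },
    body: JSON.stringify(profile),
  });
  const body = await res.json();
  if (!res.ok || !body.token) throw new Error(`create failed: HTTP ${res.status}`);
  return body.token;
}

// A row gives up its PII only after a token came back, so a failed call leaves the
// row intact and reported in `failed`. Rows that already carry a token are skipped,
// which makes the migration safe to re-run.
async function migrateUsers(rows, create = createUserRecord) {
  const out = [], failed = [];
  for (const row of rows) {
    if (row.usertoken) { out.push(row); continue; }
    const { profile, kept } = splitRow(row);
    try {
      out.push({ ...kept, usertoken: await create(profile) });
    } catch (err) {
      failed.push({ id: row.id, error: err.message });
      out.push(row);
    }
  }
  return { rows: out, failed };
}

// Constructed sample rows; `plan` is a hypothetical non-PII column that stays local.
const SAMPLE_ROWS = [
  { id: 1, first: "John", last: "Doe", login: "john", phone: "4444", email: "user@gmail.com", plan: "pro" },
  { id: 2, usertoken: "00000000-0000-4000-8000-000000000002", plan: "free" },
];
```

Outside development, pass the real root access key from configuration instead of DEMO, and drop the personal data columns from the table only once `failed` comes back empty.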
Method 2: full database reorganization
You will have to go over all tables that have a userid column and add a usertoken column instead. The usertoken is the user identity in UUID format generated by Databunker.
This method will require more work both on your database level and on your application code.
3. Some useful Databunker commands
Create a user record
curl -s http://localhost:3000/v1/user -X POST -H "X-Bunker-Token: DEMO" \
-H "Content-Type: application/json" \
-d '{"first":"John","last":"Doe","login":"john","phone":"4444","email":"user@gmail.com"}'
Fetch user record by email
curl -s -H "X-Bunker-Token: DEMO" -X GET http://localhost:3000/v1/user/email/user@gmail.com
Fetch user record by login
curl -s -H "X-Bunker-Token: DEMO" -X GET http://localhost:3000/v1/user/login/john
Other commands:
For a full list of commands, follow the API document.
4. Node.js examples
- Node.js example implementing passwordless login using Databunker: https://github.com/securitybunker/databunker-nodejs-passwordless-login
- Node.js example with Passport.js, Magic.Link and Databunker: https://github.com/securitybunker/databunker-nodejs-example
- Secure Session Storage for Node.js apps: https://databunker.org/use-case/secure-session-storage/#databunker-support-for-nodejs
Node.js modules
- @databunker/store from https://github.com/securitybunker/databunker-store
- @databunker/session-store from https://github.com/securitybunker/databunker-session-store