Best Way to Encrypt Customer Information in My Company's MySQL DB? [closed]


There is a very good writeup on how to do this with MySQL here: http://thinkdiff.net/mysql/encrypt-mysql-data-using-aes-techniques/.

You'll want to use AES with 256-bit keys, as that is the prevailing best-practice/standard right now. 256-bit AES keys are considered to be of sufficient size to be secure against modern computing power.

It's a good idea, regardless of whether you think it's overkill or not, to encrypt your database. Even if the data isn't horribly sensitive, the loss of customer records can be very embarrassing to your company, at the very least, and could adversely affect customer confidence and people's willingness to hand over their data in the future. Encrypting the full contents of your database may not be industry-standard right now, but trends are moving that way and it cannot hurt you to adopt a stronger security posture. If nothing else, think of it as another entry in your Defense-In-Depth implementation.

I would also recommend you check this article out - http://www.symantec.com/connect/articles/secure-mysql-database-design - as it provides a good, fairly basic, introduction to secure database system design that should give you some pointers on other things to check for your application.
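The answer above recommends AES with 256-bit keys. As an added example that is not part of the original post or the linked articles, the Go program below encrypts a single customer column on the application side with AES-256-GCM before it is written to MySQL, so the key never lives in the database and any tampering with the stored value (or moving a ciphertext to another row) is detected on read. The table/row/column tag, the e-mail value and the randomly generated key are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// newGCM builds an AES-256-GCM AEAD; the [32]byte key type is what selects AES-256 (16 or 24 bytes would silently give AES-128/192).
func newGCM(key [32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:]) // cannot fail: the key length is fixed by the type
	gcm, _ := cipher.NewGCM(block)    // cannot fail for an AES block cipher
	return gcm
}

// EncryptField seals one column value; the base64(nonce||ciphertext||tag) result is what the
// application stores in MySQL. aad ties the value to its row and column, so a ciphertext copied into another record will not decrypt.
func EncryptField(key [32]byte, plaintext, aad string) (string, error) {
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every value; never reuse one under the same key
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(plaintext), []byte(aad))), nil
}

// DecryptField reverses EncryptField; a flipped bit, a wrong key or the wrong aad yields an error, never garbage.
func DecryptField(key [32]byte, stored, aad string) (string, error) {
	gcm := newGCM(key)
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", errors.New("malformed stored value")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(aad))
	return string(pt), err
}

func main() {
	var key [32]byte // constructed demo key: in production load it from a KMS/HSM or secrets store, never from the DB
	rand.Read(key[:])
	stored, _ := EncryptField(key, "jane@example.com", "customers:42:email")
	fmt.Println(stored)
	fmt.Println(DecryptField(key, stored, "customers:42:email"))
}
```

Store the returned string in a VARBINARY/TEXT column; note that an encrypted column can no longer be searched or indexed by its plaintext, so decide up front which fields need that.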