Encryption inside database

We would like to add an additional layer of security to our database, and we want to make sure that even if the DB files leak to the public, no one will be able to reach the actual data inside them.

Additionally, we want to make sure that even if the encryption key leaks, it will only allow decrypting one or a few rows, while the others will still be inaccessible.

What are the best practices for doing that?

If it's important: we are using Rails (5.1) + Postgres (9.6), and our database is running in AWS RDS.

Alex Keene asked Nov 26 '19 17:11


1 Answer

From the way your question is asked, you are simply not ready for this and heading for a world of pain if you try to tackle it. Again, applying a lot of inference, that you seem confused about where to start with this makes me think there are a lot of other security measures you have not put in place. Measures which might give you greater benefits for less cost and risk.

There are several different conventional models for applying encryption to data at rest. What you ask as additional requirements will require a tremendously complex application tier managing many, many encryption keys. Most experts would quake at the prospect of trying to implement this. Where are you going to store all the keys? What you've not asked is also very telling - what impact do you think opaque data has on query performance?

Yes, if your application sits in AWS there are different potential risks of direct file access than on a dedicated device - but you deal with that by using filesystem or block level encryption or the native capabilities of your DBMS (understanding what impact the latter has on your data access).

symcbean answered Sep 29 '22 02:09
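
The per-row key requirement from the question, and the key-management burden the answer warns about, sketched as envelope encryption in Ruby. This is an added example, not code from either poster; `RowCrypto`, its methods and the row hash layout are hypothetical, and the master key is assumed to be held outside the database.

```ruby
require "openssl"
require "securerandom"

# Added illustration; module, method and field names are hypothetical.
module RowCrypto
  # AES-256-GCM; returns iv (12 bytes) + tag (16 bytes) + ciphertext.
  def self.seal(key, plaintext, aad)
    c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    c.key = key
    iv = c.random_iv
    c.auth_data = aad
    ct = c.update(plaintext) + c.final
    iv + c.auth_tag + ct
  end

  # Raises OpenSSL::Cipher::CipherError on a wrong key, wrong aad or tampering.
  def self.unseal(key, blob, aad)
    d = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    d.key = key
    d.iv = blob.byteslice(0, 12)
    d.auth_tag = blob.byteslice(12, 16)
    d.auth_data = aad
    d.update(blob.byteslice(28..-1)) + d.final
  end

  # One fresh data key per row, stored wrapped under the master key.
  # The row id is bound as associated data so blobs cannot be moved between rows.
  def self.encrypt_row(master_key, row_id, plaintext)
    dek = SecureRandom.random_bytes(32)
    aad = "row:#{row_id}"
    { id: row_id, wrapped_dek: seal(master_key, dek, aad),
      ciphertext: seal(dek, plaintext, aad) }
  end

  def self.decrypt_row(master_key, row)
    aad = "row:#{row[:id]}"
    unseal(unseal(master_key, row[:wrapped_dek], aad), row[:ciphertext], aad)
  end
end

if __FILE__ == $PROGRAM_NAME
  master = SecureRandom.random_bytes(32) # assumption: held outside the database
  row = RowCrypto.encrypt_row(master, 1, "alice@example.com") # constructed sample
  puts RowCrypto.decrypt_row(master, row)
end
```

A leaked data key opens only its own row, but the master key still opens every row, and sealed columns cannot be indexed or filtered by the database.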