AES encryption is weak because it is too easy for the hacker to get the passphrase.
If you can somehow hide the passphrase behind 'root', you can at least prevent a non-sudo
user from seeing the data. Your web server starts as root, then degrades itself before
taking requests. If it can grab the passphrase before that, it can keep it in RAM for
use, but not otherwise expose it.
Bottom line: The problem (of protecting data from hacker/thief/etc) cannot be solved by
just MySQL. (And perhaps MySQL is not even part of the solution.)
> -----Original Message-----
> From: Mike Franon [mailto:kongfranon@stripped]
> Sent: Tuesday, February 05, 2013 6:43 AM
> To: Reindl Harald
> Cc: mysql@stripped
> Subject: Re: file level encryption on mysql
> Which is the best way ?
> I see you can do it from PHP itself
> or can use mysql AES?
> From what I understand we need two way and one way encryption. Is the
> best way what the first article is recommending?
> On Tue, Feb 5, 2013 at 9:20 AM, Reindl Harald <h.reindl@stripped>
> > you have to encrypt them in the application and make the key stored
> > safe as possible, however for a full intrution there is no way to
> > protect data which can not be only hashed
> > somewhere you need the information how to encrypt them
> > Am 05.02.2013 15:18, schrieb Mike Franon:
> >> I tried all these methods and you are right this is not going to
> work for us.
> >> I am not a developer, does anyone have any good links or reference
> >> the best way I can share with my developers on best way to encrypt
> >> and decrypt personal user info.
> >> We do not store credit cards, but want to store 3 tables that have
> >> email address, ip address, and personal info.
> >> On Sun, Feb 3, 2013 at 12:57 PM, Reindl Harald
> <h.reindl@stripped> wrote:
> >>> Am 03.02.2013 18:52, schrieb Mike Franon:
> >>>> Hi,
> >>>> I was wondering what type of encryption for linux would you
> >>>> recommend to encrypt the database files on the OS level? I had a
> >>>> hard time starting the database after I moved it to a partiton
> >>>> encryptFS
> >>>> I only need 3 tables encrypted and know it is better to do it from
> >>>> the application, but unfortunately that cannot happen for a while.
> >>>> Has anyone done OS file level encryption, and if so which one did
> they use?
> >>> https://wiki.archlinux.org/index.php/Dm-crypt_with_LUKS
> >>> but this all is useless in case of intrusion because the FS is
> >>> unlocked and you have no gain - FS encryption only matters if your
> >>> notebook or disks get stolen which is unlikely on a server
> MySQL General Mailing List
> For list archives: http://lists.mysql.com/mysql
> To unsubscribe: http://lists.mysql.com/mysql