From: Rick James
Date: February 5 2013 5:18pm
Subject: RE: file level encryption on mysql
List-Archive: http://lists.mysql.com/mysql/228934
Message-Id: <582AFBFC517D194489EF570FE21694CF1360CB9C@GQ1-EX10-MB03.y.corp.yahoo.com>

AES encryption is weak because it is too easy for the hacker to get the passphrase.

If you can somehow hide the passphrase behind 'root', you can at least prevent a non-sudo user from seeing the data. Your web server starts as root, then degrades itself before taking requests. If it can grab the passphrase before that, it can keep it in RAM for use, but not otherwise expose it.

Bottom line: The problem (of protecting data from hacker/thief/etc) cannot be solved by just MySQL. (And perhaps MySQL is not even part of the solution.)

> -----Original Message-----
> From: Mike Franon [mailto:kongfranon@stripped]
> Sent: Tuesday, February 05, 2013 6:43 AM
> To: Reindl Harald
> Cc: mysql@stripped
> Subject: Re: file level encryption on mysql
>
> Which is the best way?
>
> I see you can do it from PHP itself
>
> http://coding.smashingmagazine.com/2012/05/20/replicating-mysql-aes-encryption-methods-with-php/
>
> or can use mysql AES?
>
> http://security.stackexchange.com/questions/16473/how-do-i-protect-user-data-at-rest
>
> From what I understand we need two way and one way encryption. Is the
> best way what the first article is recommending?
>
> On Tue, Feb 5, 2013 at 9:20 AM, Reindl Harald wrote:
> > you have to encrypt them in the application and make the key stored as
> > safe as possible, however for a full intrusion there is no way to
> > protect data which can not be only hashed
> >
> > somewhere you need the information how to encrypt them
> >
> > On 05.02.2013 15:18, Mike Franon wrote:
> >> I tried all these methods and you are right this is not going to work for us.
> >>
> >> I am not a developer, does anyone have any good links or reference to
> >> the best way I can share with my developers on best way to encrypt
> >> and decrypt personal user info.
> >>
> >> We do not store credit cards, but want to store 3 tables that have
> >> email address, ip address, and personal info.
> >>
> >> On Sun, Feb 3, 2013 at 12:57 PM, Reindl Harald wrote:
> >>>
> >>> On 03.02.2013 18:52, Mike Franon wrote:
> >>>> Hi,
> >>>>
> >>>> I was wondering what type of encryption for linux would you
> >>>> recommend to encrypt the database files on the OS level? I had a
> >>>> hard time starting the database after I moved it to a partition with
> >>>> encryptFS
> >>>>
> >>>> I only need 3 tables encrypted and know it is better to do it from
> >>>> the application, but unfortunately that cannot happen for a while.
> >>>>
> >>>> Has anyone done OS file level encryption, and if so which one did they use?
> >>>
> >>> https://wiki.archlinux.org/index.php/Dm-crypt_with_LUKS
> >>>
> >>> but this all is useless in case of intrusion because the FS is
> >>> unlocked and you have no gain - FS encryption only matters if your
> >>> notebook or disks get stolen which is unlikely on a server
> >
>
> --
> MySQL General Mailing List
> For list archives: http://lists.mysql.com/mysql
> To unsubscribe: http://lists.mysql.com/mysql
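
The pattern described in the reply at the top of this message (read the passphrase while the process is still root, keep it in RAM, then drop privileges before taking requests), as an added example that is not part of the original thread. The function names and the temporary file standing in for the root-only key file are assumptions made for illustration.

```python
import os, stat, tempfile

# Illustrative names; not from the thread or from any project.
def load_passphrase(path, required_owner=0):
    """Read a key file only if it is a regular file owned by required_owner with no group/other bits."""
    # O_NOFOLLOW refuses a symlink swapped in for the real file.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)  # check the opened file itself, not the path
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != required_owner:
            raise PermissionError(f"{path}: owned by uid {st.st_uid}")
        if st.st_mode & 0o077:
            raise PermissionError(f"{path}: accessible by group or others")
        return os.read(fd, 4096).rstrip(b"\n")
    finally:
        os.close(fd)

def drop_privileges(uid, gid):
    """Permanently switch from root to an unprivileged uid/gid."""
    os.setgroups([])   # drop supplementary groups first
    os.setgid(gid)     # group before user: after setuid it can no longer change
    os.setuid(uid)
    try:
        os.setuid(0)   # must fail, otherwise the drop was not permanent
    except PermissionError:
        return
    raise RuntimeError("privileges could still be regained")

def demo():
    """Constructed sample: a temp file owned by the current user stands in for the root-only key file."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "db.pass")
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        os.write(fd, b"constructed-sample-passphrase\n")
        os.close(fd)
        secret = load_passphrase(path, required_owner=me)
        os.chmod(path, 0o644)  # simulate a misconfigured key file
        try:
            load_passphrase(path, required_owner=me)
            rejected = False
        except PermissionError:
            rejected = True
    return secret, rejected

if __name__ == "__main__":
    print(demo())
```

In a service, `load_passphrase()` would be called on the root-owned file while still root and `drop_privileges()` before the first request is accepted; the uid and gid to switch to are deployment-specific.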