LinuxQuestions.org
Old 01-13-2008, 12:56 PM   #1
Murdock1979
Member
 
Registered: Oct 2003
Distribution: Slackware Debian VectorLinux
Posts: 429
Blog Entries: 2

Rep: Reputation: 30
mysql encryption & security


Hello!

I am studying different options in order to encrypt mysql fields. I am wondering: since even AES encryption uses a pass string, what is the advantage of encryption, because once a database is compromised, the hacker will probably also have access to the pass string as well?

Thanks,
Murdock1979

Last edited by Murdock1979; 01-13-2008 at 02:49 PM.
 
Old 01-15-2008, 05:08 PM   #2
zaichik
Member
 
Registered: May 2004
Location: Iowa USA
Distribution: CentOS
Posts: 419

Rep: Reputation: 30
You should perform the encryption in your application and store the encrypted data in the database. The encryption key and the plaintext version of the data will be stored in the replication logs, and might even end up in the error logs.
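An added example (not written by any poster in this thread) of the risk post #2 points at: when MySQL's AES_ENCRYPT()/AES_DECRYPT() are called inside SQL, the key and plaintext are part of the statement text, so a log that records statements records them too. The script audits log lines for such calls and redacts them; the sample lines, table and column names and key are constructed, and it assumes the log stores statement text.

```python
import re

# One SQL single-quoted literal; handles '' and \' escapes inside the string.
SQL_STR = r"'(?:[^'\\]|\\.|'')*'"
# AES_ENCRYPT(<arg>, <key>) / AES_DECRYPT(<arg>, <key>) where the key is a literal.
CALL = re.compile(
    r"\b(AES_(?:EN|DE)CRYPT)\s*\(\s*(" + SQL_STR + r"|[^,()]+?)\s*,\s*(" + SQL_STR + r")\s*\)",
    re.IGNORECASE,
)

def audit_log(lines):
    """Return one finding per in-SQL AES call whose key is a literal in the logged text."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in CALL.finditer(line):
            func, data, key = m.group(1).upper(), m.group(2), m.group(3)
            findings.append({
                "line": lineno,
                "function": func,
                # True when the first argument is itself a literal passed to AES_ENCRYPT.
                "plaintext_logged": func == "AES_ENCRYPT" and data.startswith("'"),
                "key_length": len(key) - 2,  # report length only, never echo the key
            })
    return findings

def redact(line):
    """Mask literal arguments of AES calls so a log excerpt can be shared safely."""
    return CALL.sub(lambda m: f"{m.group(1)}(<redacted>, <redacted>)", line)

# Constructed sample lines in the style of a statement log (not real data).
SAMPLE_LOG = [
    "INSERT INTO cards (owner, pan) VALUES ('bob', AES_ENCRYPT('4111111111111111', 'k3y-from-config'))",
    "SELECT AES_DECRYPT(pan, 'k3y-from-config') FROM cards WHERE owner = 'bob'",
    # Application-side encryption: the statement carries only opaque ciphertext.
    "INSERT INTO cards (owner, pan) VALUES ('bob', x'9f1c2a7be4d05533a1b2c3d4e5f60718')",
]

if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(finding)
    print(redact(SAMPLE_LOG[0]))
```

The third sample line produces no finding because the application encrypted the value before building the statement, which is the arrangement post #2 recommends.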
 
Old 01-15-2008, 05:30 PM   #3
Murdock1979
Member
 
Registered: Oct 2003
Distribution: Slackware Debian VectorLinux
Posts: 429

Original Poster
Blog Entries: 2

Rep: Reputation: 30
Thank you!

You do bring up a critical point, which I did not realize: that mysql logs its modifications. If this is so, then this makes my point even stronger - what is the advantage of encryption, if the entire sql command is logged?

If the application is running on a separate server, I'd assume that the mysql logs are stored on the mysql server and not the application server, thus further defeating the encryption.

Thanks,
Murdock
 
Old 01-16-2008, 07:38 AM   #4
zaichik
Member
 
Registered: May 2004
Location: Iowa USA
Distribution: CentOS
Posts: 419

Rep: Reputation: 30
Quote:
what is the advantage of encryption, if the entire sql command is logged?
A fair question, and one I can't answer. MySQL can do math, too, although the MySQL developers themselves will tell you that you shouldn't use it for a calculator.

If the application is on another server, that is all the more reason to have the application take care of encrypting it, lest the data be passed unencrypted over the link between the app server and the database server.
 
Old 01-18-2008, 11:12 AM   #5
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
How about encrypting the whole drive or drive slice where the SQL data resides? This, along with an encrypted communication channel (SSL or VPN), may provide some alternatives/workarounds for you.
 
  

