Re: RFE: Transparent encryption on all fields

From: Bill Moran <wmoran(at)potentialtech(dot)com>
To: tomas(at)tuxteam(dot)de
Cc: Marc Munro <marc(at)bloodnok(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: RFE: Transparent encryption on all fields
Date: 2009-04-24 19:48:16
Message-ID: 20090424154816.68c0cbbb.wmoran@potentialtech.com
Lists: pgsql-hackers

In response to tomas(at)tuxteam(dot)de:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Thu, Apr 23, 2009 at 01:31:39PM -0700, Marc Munro wrote:
>
> [...]
>
> > In principle it could be used in the way that Bill Moran suggests though
> > I have never used it that way. I am somewhat suspicious of passing
> > encryption keys to the database server as there is always the potential
> > for them to be leaked.
>
> Exactly.
>
> > It is generally much safer to keep keys and the
> > decryption process on a separate server.
>
> Or just client-side. Minimum spread of knowledge. Decrypting fields
> server-side gains us nothing which can't be achieved by encrypting the
> whole data partition (this would protect us against the server being
> stolen in a "shut down" state). And encrypting the partition gives us
> indexing "as usual", which wouldn't be as easy to achieve with encrypted
> fields.

Not true. If each user has their own key, it's considerably more
secure than encrypting the partition, since it protects from through-
application attacks as well as physically stolen hardware.

Also, putting the key on the client machine causes the client machine to
be an attack vector, and client machines are usually more numerous and
more difficult to secure than servers.

--
Bill Moran
http://www.potentialtech.com
http://people.collaborativefusion.com/~wmoran/
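
The per-user-key arrangement argued for in this message, as an added example that is not part of the original email or of any project mentioned in the thread. It assumes PostgreSQL with the pgcrypto extension; the table, column names and key strings are constructed.

```sql
-- Added example: assumes PostgreSQL with the pgcrypto extension.
-- Table, column and key values below are constructed for illustration.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE user_secret (
    id         serial PRIMARY KEY,
    owner_name text  NOT NULL,
    payload    bytea NOT NULL   -- only ciphertext is stored
);

-- Each row is encrypted under its owner's key. The key is sent to the
-- server with the statement, so it can surface in server-side statement
-- logging (log_statement); this is the leak risk raised in the quoted text.
INSERT INTO user_secret (owner_name, payload) VALUES
    ('alice', pgp_sym_encrypt('alice card 4111-constructed', 'constructed-key-alice')),
    ('bob',   pgp_sym_encrypt('bob card 5500-constructed',   'constructed-key-bob'));

-- A session with no key (for example a query reaching the table through an
-- application flaw) gets bytea ciphertext only. Whole-partition encryption
-- would not help here, because the running server reads the disk in the clear.
SELECT owner_name, payload FROM user_secret;

-- The owner, supplying their own key, recovers the plaintext.
SELECT pgp_sym_decrypt(payload, 'constructed-key-alice') AS plaintext
FROM user_secret
WHERE owner_name = 'alice';

-- Bob's key on Alice's row: pgcrypto rejects the key and raises an error
-- rather than returning data, so one user's key exposes only that user's rows.
SELECT pgp_sym_decrypt(payload, 'constructed-key-bob') AS plaintext
FROM user_secret
WHERE owner_name = 'alice';

-- Cost noted in the quoted text: ciphertext is salted, so equal plaintexts
-- encrypt to different values and an ordinary index on payload cannot
-- serve equality or range lookups on the plaintext.
SELECT pgp_sym_encrypt('same', 'constructed-key-alice')
     = pgp_sym_encrypt('same', 'constructed-key-alice') AS ciphertexts_equal;
```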
