Re: Database Encryption (now required by law in Italy)

From: "scott(dot)marlowe" <scott(dot)marlowe(at)ihs(dot)com>
To: Silvana Di Martino <silvanadimartino(at)tin(dot)it>
Cc: Alex Page <alex(dot)page(at)cancer(dot)org(dot)uk>, <pgsql-admin(at)postgresql(dot)org>
Subject: Re: Database Encryption (now required by law in Italy)
Date: 2004-03-05 20:34:39
Message-ID: Pine.LNX.4.33.0403051333120.17467-100000@css120.ihs.com
Lists: pgsql-admin

On Fri, 5 Mar 2004, Silvana Di Martino wrote:

> At 19:38, Friday 5 March 2004, scott.marlowe wrote:
> > > Unfortunately, the new Italian law forces us to take seriously into
> > > account this catastrophic scenario and another one that is almost as
> > > worrying: an unfaithful SysAdmin that copies your data and sells them to
> > > KGB. So, database encryption (and not disk encryption) is the _only_
> > > answer.
> >
> > the only way for this to work is for it to be a "two key system" like the
> > military uses for missile launch.
> >
> > One sysadmin as the "key" to the database box, but the data is encrypted
> > before being sent to the database box on another system with another admin
> > with another "key". Preferably these two would never interact or know
> > each other.
>
> Well, this is not necessarily true. Data maintainers and SysAdmins perform
> different tasks (according to Italian law):
> - SysAdmins take care of the hardware and of the software. They should never
> need to access data. They just need to access the RDBMS software and its
> configuration.
> - Just Data Maintainers need to access data.
> This should allow us to have two passwords for two different tasks. So, there
> is not any need to use the military scheme to enforce data security.

Sorry, but that's the wrong answer. Once someone has root on a unix box
he can do ANYTHING he wants, and he can cover his tracks. If the
encryption takes place on his box, he can attach to the process doing the
encryption and/or replace it with a trojan copy of his own and get your
data. The ONLY way to keep the data secure is for it to be encrypted
elsewhere before it gets to the storage box. If the box that stores it
encrypts it, the root user on that box can impersonate anyone and any
process on that box to get to the data in mid stream.
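Scott's point, that the encryption has to happen off the storage box, in working form as an added example (not code from this thread): the application host holds the key and only ever hands the database AES-GCM ciphertext, with the row id bound as associated data so a stored blob cannot be quietly moved to another row. Go's standard library crypto is my choice here; the key, row ids and column value are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// fieldCipher runs on the application host; its key never reaches the
// storage box, which only ever receives Seal() output.
type fieldCipher struct{ aead cipher.AEAD }

func newFieldCipher(key []byte) (*fieldCipher, error) {
	block, err := aes.NewCipher(key) // 16 or 32 byte key: AES-128 / AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &fieldCipher{aead: aead}, err
}

// Seal encrypts one column value before it is sent to the database. rowID is
// bound as associated data so a blob cannot be moved to another row undetected;
// output layout is nonce || ciphertext || GCM tag.
func (c *fieldCipher) Seal(rowID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return c.aead.Seal(nonce, nonce, plaintext, []byte(rowID)), nil
}

// Open decrypts a blob read back from the database; it fails if the blob was
// altered on the storage box or attached to a different rowID.
func (c *fieldCipher) Open(rowID string, blob []byte) ([]byte, error) {
	n := c.aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	return c.aead.Open(nil, blob[:n], blob[n:], []byte(rowID))
}

func main() {
	fc, _ := newFieldCipher(make([]byte, 32)) // constructed all-zero demo key
	blob, _ := fc.Seal("patient-42", []byte("diagnosis: ..."))
	fmt.Printf("what the DB host stores: %x\n", blob) // root there sees only this
	_, err := fc.Open("patient-43", blob) // same blob moved to another row
	fmt.Println("swapped row:", err)
}
```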
