Web lists-archives.com

Re: can I just encrypt tables? what about the app?




Hi Reindl,

On 2/29/2016 2:16 PM, Reindl Harald wrote:


Am 29.02.2016 um 20:07 schrieb Jesper Wisborg Krogh:
Hi Lejeczek,

On 1/03/2016 00:31, lejeczek wrote:
hi everybody

a novice type of question - having a php + mysql, can one just encrypt
(internally in mysql) tables and php will be fine?
If not, would it be easy to re-code php to work with this new,
internal encryption?

Starting with MysQL 5.7.11, there is transparent data encryption (TDE)
for InnoDB tables. If you use that, it is as the name suggest
transparent for PHP. See also:
https://dev.mysql.com/doc/refman/5.7/en/innodb-tablespace-encryption.html

i still don't grok a usecase for such encryption because when a
webserver got compromised you have the same access as before, just
solwer with more overhead in general

what is the purpose of encryption on that layer?



Some process requirements state that some data should never be stored on disk in plain text. This is one way to meet those requirements.

Some data has been compromised not by cracking the primary database but by breaking into a server containing backups of the data. This new feature allows file-level backups (like those generated by MySQL Enterprise Backup) to be secure.

What that feature achieves is that the data will be encrypted at rest, not just in flight (using SSL).

Clearly, this does not defeat an attacker who is able to compromise or become an authenticated client who is normally allowed to read that data. To fix that problem, you must employ application-level encryption which encodes the data actually stored on the table. Clearly this last type of encryption breaks the database server's ability to index the data as the server would have no key to decrypt the content of the fields to build any normal (clear-content) indexes on it. It would only be able to index the encrypted (opaque) data. The clients would need to code their queries with WHERE clauses looking for the exact encrypted values they wanted to find.

--
Shawn Green
MySQL Senior Principal Technical Support Engineer
Oracle USA, Inc. - Integrated Cloud Applications & Platform Services
Office: Blountville, TN

Become certified in MySQL! Visit https://www.mysql.com/certification/ for details.

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/mysql