Encryption key server that can be used by MySQL or PHP?

mecha_godzilla
Forum Contributor
Posts: 375
Joined: Wed Apr 14, 2010 4:45 pm
Location: UK

Encryption key server that can be used by MySQL or PHP?

Post by mecha_godzilla »

This question may be more related to Linux than MySQL but I'd appreciate any input from either side:

Can anyone give me some advice as to how easy/difficult it might be to set up an external encryption key server to work with MySQL, either on the same server or a different one? I should point out that while I'm not a l33t 4dm!n I do occasionally type a few commands into Linux every so often and know why "rm /bin/bash" is the smart way to logout...

My intention is to do cell-level rather than transparent (disk-based) encryption and I found some details about a system called ezNcrypt which would sort of do what I want but I'd like to explore what open source/free solutions are available first. For those that haven't heard of it, ezNcrypt is a proprietary 'layer' that sits between MySQL's storage engine and Linux's ecryptfs system and is also able to handle encryption key management automatically - this is done by making a secure connection to the company's own server and the authentication takes place each time MySQL is started, with the keys held in memory.

What I don't like about this approach is that the system is proprietary, the keys are held on a third party's server and also the all-or-nothing nature of the transparent encryption. Given the wide range of Linux server software available, it would seem sensible that there must be an application that can handle the key management part of the equation, so it's a case of does one exist and if so could I get it to work with MySQL. Alternatively, is this completely the wrong approach? Is making the keys available to MySQL non-trivial? Should I do all the encryption/decryption in my (PHP) application instead rather than at the database level, and how easy would it be to securely pass keys to the PHP module?

I appreciate that's a lot of questions but any help would be greatly appreciated :)

Mecha Godzilla
hacosta
Forum Newbie
Posts: 1
Joined: Mon May 03, 2010 10:45 am

Re: Encryption key server that can be used by MySQL or PHP?

Post by hacosta »

Yes, the keys are held on a third-party server, but they are transferred using a secure connection at all times (and the key is only transferred when the service is started, so the connection time is minimal). If this connection to Critotech's remote servers worries you, they do offer other alternatives, like hosting your own Key Server or storing the encrypted MySQL key on your own disk (which is a bit less secure but a good starting point). ezNcrypt does other things as well: it protects database files from the prying eyes of all users (including root) while still allowing a transparent DB connection, and it also allows for table-based encryption, which allows you to encrypt only the data you need. Encrypting data using ezNcrypt protects data at file-system level; this keeps the data secure long before the queries are even made (although you do have to protect your data in transit, but MySQL offers a simple solution for this). Hope this clears up any doubts.