Can anyone give me some advice as to how easy/difficult it might be to set up an external encryption key server to work with MySQL, either on the same server or a different one? I should point out that while I'm not a l33t 4dm!n, I do occasionally type a few commands into Linux every so often and know why "rm /bin/bash" is the smart way to logout...
My intention is to do cell-level rather than transparent (disk-based) encryption, and I found some details about a system called ezNcrypt which would sort of do what I want, but I'd like to explore what open source/free solutions are available first. For those that haven't heard of it, ezNcrypt is a proprietary 'layer' that sits between MySQL's storage engine and Linux's ecryptfs system and is also able to handle encryption key management automatically - this is done by making a secure connection to the company's own server, and the authentication takes place each time MySQL is started, with the keys held in memory.
What I don't like about this approach is that the system is proprietary, the keys are held on a third party's server, and also the all-or-nothing nature of the transparent encryption. Given the wide range of Linux server software available, it would seem sensible that there must be an application that can handle the key management part of the equation, so it's a case of: does one exist, and if so, could I get it to work with MySQL? Alternatively, is this completely the wrong approach? Is making the keys available to MySQL non-trivial? Should I do all the encryption/decryption in my (PHP) application rather than at the database level, and how easy would it be to securely pass keys to the PHP module?
I appreciate that's a lot of questions, but any help would be greatly appreciated.
Mecha Godzilla
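As an added illustration of the application-level alternative the question raises (example code written for this page, not the poster's code or ezNcrypt's): cell-level encryption done in PHP with an envelope scheme, so the long-term key never sits in MySQL. It assumes a 32-byte key-encryption key supplied via an environment variable named `APP_KEK_B64` (a stand-in for whatever key server or KMS you settle on) and two BLOB columns per protected cell, one for the wrapped per-cell key and one for the ciphertext; the table, column and row values are constructed for the demo.

```php
<?php
// Envelope scheme: KEK (key-encryption key) lives outside the database and is
// fetched at runtime; DEK (data-encryption key) is random per cell, wrapped with
// the KEK and stored beside the ciphertext. Rotating the KEK then only means
// re-wrapping DEKs, not re-encrypting every cell. Both layers use AES-256-GCM,
// with the cell's identity bound as AAD so a blob copied into another cell fails.

function loadKek(): string {
    $b64 = getenv('APP_KEK_B64');   // assumption: key server hands out 32 random bytes, base64
    if ($b64 === false) throw new RuntimeException('APP_KEK_B64 not set');
    $kek = base64_decode($b64, true);
    if ($kek === false || strlen($kek) !== 32) throw new RuntimeException('KEK must be 32 bytes');
    return $kek;
}

// Blob layout: nonce(12) | tag(16) | ciphertext. Fresh random nonce per call.
function gcmSeal(string $key, string $plaintext, string $aad): string {
    $nonce = random_bytes(12);
    $tag = '';
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag, $aad, 16);
    if ($ct === false) throw new RuntimeException('encrypt failed');
    return $nonce . $tag . $ct;
}
function gcmOpen(string $key, string $blob, string $aad): string {
    if (strlen($blob) < 28) throw new RuntimeException('blob too short');
    $pt = openssl_decrypt(substr($blob, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
                          substr($blob, 0, 12), substr($blob, 12, 16), $aad);
    if ($pt === false) throw new RuntimeException('decrypt failed: wrong key, wrong cell or tampered data');
    return $pt;
}

// Returns [wrappedDek, ciphertext]; store both in MySQL BLOB columns for this cell.
function encryptCell(string $kek, string $table, string $column, string $rowId, string $value): array {
    $aad = "$table.$column#$rowId";
    $dek = random_bytes(32);
    return [gcmSeal($kek, $dek, $aad), gcmSeal($dek, $value, $aad)];
}
function decryptCell(string $kek, string $table, string $column, string $rowId, string $wrappedDek, string $ct): string {
    $aad = "$table.$column#$rowId";
    return gcmOpen(gcmOpen($kek, $wrappedDek, $aad), $ct, $aad);
}

// Demo only: constructed KEK and cell values; in production the KEK comes from the key server.
putenv('APP_KEK_B64=' . base64_encode(random_bytes(32)));
$kek = loadKek();
[$wrapped, $ct] = encryptCell($kek, 'customers', 'card_last4', '42', '1234');
echo decryptCell($kek, 'customers', 'card_last4', '42', $wrapped, $ct), "\n";
try {   // same blobs moved to row 43: AAD mismatch, so decryption is refused
    decryptCell($kek, 'customers', 'card_last4', '43', $wrapped, $ct);
} catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```

Whatever holds the KEK (environment, file readable only by the PHP worker, or a key server reached over TLS) is now the thing to protect, and MySQL itself, its backups and its replication stream only ever see ciphertext.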