Page 1 of 1

Encryption key server that can be used by MySQL or PHP?

Posted: Sat May 01, 2010 6:08 pm
by mecha_godzilla
This question may be more related to Linux than MySQL but I'd appreciate any input from either side:

Can anyone give me some advice as to how easy/difficult it might be to set up an external encryption key server to work with MySQL, either on the same server or a different one. I should point out that while I'm not a l33t 4dm!n I do occasionally type a few commands into Linux every so often and know why "rm /bin/bash" is the smart way to logout...

My intention is to do cell-level rather than transparent (disk-based) encryption and I found some details about a system called ezNcrypt which would sort of do what I want but I'd like to explore what open source/free solutions are available first. For those that haven't heard of it, ezNcrypt is a proprietary 'layer' that sits between MySQL's storage engine and Linux's ecryptfs system and is also able to handle encryption key management automatically - this is done by making a secure connection to the company's own server and the authentication takes place each time MySQL is started, with the keys held in memory.

What I don't like about this approach is that the system is proprietary, the keys are held on a third-party's server and also the all-or-nothing nature of the transparent encryption. Given the wide range of Linux server software available, it would seem sensible that there must be an application that can handle the key management part of the equation, so it's a case of does one exist and if so could I get it work with MySQL. Alternatively, is this completely the wrong approach? Is making the keys available to MySQL non-trivial? Should I do all the encryption/decryption in my (PHP) application instead rather than at the database level, and how easy would it be to securely pass keys to the PHP module?

I appreciate that's a lot of questions but any help would be greatly appreciated :)

Mecha Godzilla

Re: Encryption key server that can be used by MySQL or PHP?

Posted: Tue May 11, 2010 12:54 am
by hacosta
Yes, the keys are held on a third party server, but they are transferred using a secure connection at all times (and the key is only transferred when the service is started, so the connection time is minimal). If this connection to critotech's remote servers worry you, they do offer other alternatives, like hosting your own Key Server or storing the encrypted MySQL key on your own disk (which is a bit less secure but a good starting point) EzNcrypt does other things as well, it protects database file from the preying eyes of all users (including root) while still allowing a transparent DB connection, it also allows for table based encryption, which allows you to encrypt only the data you need. Encrypting data using ezNcrypt protects data at file-system level this keeps the data secure long before the queries are even made (although you do have to protect your data in-transit, but MySQL offers a simple solution for this). Hope this clears up any doubts.