Encryption Software Application

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Encryption Software Application

Post by flying_circus »

Consider me completely new to encryption applications. I have always avoided disk encryption utilities because I know that if I get a virus, I can't pull the drive and retrieve my files (perhaps this is my ignorance showing? I'm sure it is.). To be honest, I try not to keep sensitive data anyway. Long story short, I have some customers that have asked me to keep their credit card numbers on file.

Ideally I need some type of a program that would store sensitive data in an encrypted file or database, but a quick google turned up "True Crypt" which says it can do a virtual encrypted disk. This would seem like an easy solution?

What are you using, and would you be willing to share why you like it? I'd appreciate any other tips on what's out there and available. My only experience in Windows has been with Windows EFS and repeated annoying balloon notifications telling me to back up my key. Surely there's a better way.

My work computers are primarily Windows, but I also run Ubuntu as well. A solution that could be used on both platforms might be the best way to go.
André D
Forum Commoner
Posts: 55
Joined: Thu Aug 28, 2008 7:03 pm

Re: Encryption Software Application

Post by André D »

This isn't necessarily an answer to your question, but you should be aware of the Payment Card Industry Data Security Standard (PCI DSS):
http://en.wikipedia.org/wiki/PCI_DSS
https://www.pcisecuritystandards.org/se ... tarted.php
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: Encryption Software Application

Post by flying_circus »

André D wrote: This isn't necessarily an answer to your question, but you should be aware of the Payment Card Industry Data Security Standard (PCI DSS):
http://en.wikipedia.org/wiki/PCI_DSS
https://www.pcisecuritystandards.org/se ... tarted.php

Hmm, I hadn't given any thought to the PCI DSS standards, though I guess they would apply.

A typical scenario would be a customer calling to pay an invoice and they give me (or a co-worker) their credit card info. Typically it gets written on a yellow sticky note until the card is processed (manually), and then the sticky note is run through the paper shredder. We don't accept payment on our website, but it has happened in the past where an out of country customer has emailed their payment info, which makes me uncomfortable, for them, just thinking about it.

I'm sure anyone who takes security seriously is cringing right now, but that's how small businesses do it. I'm trying to improve it a little :?

I think I might give TrueCrypt a try unless anyone has a more educated opinion than I do.
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Encryption Software Application

Post by Apollo »

flying_circus wrote: Ideally I need some type of a program that would store sensitive data in an encrypted file or database, but a quick google turned up "True Crypt" which says it can do a virtual encrypted disk. This would seem like an easy solution?

Correct. I've been using TrueCrypt myself for years and I can HIGHLY recommend it. It can create 'container files' which contain an encrypted virtual drive, but it can also encrypt entire partitions, including your system / boot drive (in that case you have to enter a password before booting Windows/Linux/whatever).

It works absolutely great, it's fast, secure, user friendly, extremely reliable, easy, and very convenient (besides entering a password I don't even notice it's there). I never had any trouble with drives becoming inaccessible or anything (*see below). But even in case of viruses or whatever, you could always attach the disk to another machine and mount it with TrueCrypt (to get access to your files without executing anything).

* This shouldn't be a point of concern in the first place, because if you're storing such important data, you should have backups anyway (preferably automated, every day). Not on the same drive of course; I mean remote backups (stored on an external drive or server), also encrypted of course. Hard drives can crash, break down and fail on you any day, you know :)
Always consider this: if your hard drive crashes RIGHT NOW and becomes completely inaccessible, and not a single byte can be recovered, how screwed will you be? Take care of that first :)
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: Encryption Software Application

Post by flying_circus »

Thanks for the response. It sounds like the container file is exactly what I am looking for.

I'm not as concerned with a drive failure/data loss, especially with sensitive data. I'd sooner call my customer and ask for their info again, rather than call and explain why they should call their bank. All of my "work" stuff is backed up. If I did lose a drive, I'd be upset, but not screwed. I've been using Microsoft Windows since 3.1, so I've gotten in the habit of having backups in anticipation of the annual reformat. I have about a dozen unmarked hard drives scattered around the office with a directory called "backup", each a different snapshot in time.... Yeah, I would be upset, and it would be rebuildable, but I should be more organized with my backups.

Thanks again :)