1

I need to securely encrypt data in my database so that if the database is dumped, hackers are unable to decrypt the data.

I'm planning on creating a simple key server on a different machine, and allowing the DB server access to it (restricted by IP address on the key server to permit the DB server). The key server would contain the key required to encrypt/decrypt data.

However, if a hacker were able to get a shell on the DB server, they could request the key from the key server and therefore decrypt the data in the database.

How could I prevent this (assuming all firewalls are in place, DB is not connected directly to the internet, etc.)? I.e., is there some method I could use that could secure a request from the DB server to the key server so that even if a hacker had a shell on the DB server they'd be unable to make those same requests? Signed requests from the DB server could make issuing these requests less trivial - I suppose that'd help increase the amount of time it'd take to compromise the key server, something a hacker probably wouldn't have much of.

As far as I can see, if someone can get a shell on the DB server everything's lost anyway. This could be mitigated by using one key per data item in the DB so at least there's not a single "master" key, but multiple keys that the hacker would need to access.

What would be a secure method of ensuring requests from the DB server to the key server were authentic and could be trusted?

andy
  • You may find this related question useful: [Web Application encryption key management](http://security.stackexchange.com/q/4755/11291) – Michael Hampton Sep 20 '12 at 10:17

1 Answer

0

> However, if a hacker were able to get a shell on the DB server, they could request the key from the key server and therefore decrypt the data in the database.
>
> How could I prevent this[...]?

Basically, you never could, unless you have been designing a system that mitigates this type of attack from the very beginning. The current PC architecture does not allow for this kind of application. Efforts like the Next Generation Secure Computing Base have been designed to address a similar kind of task by restricting the ability to execute code paths to only the "necessary" ones.

End-to-end encryption, where encryption/decryption keys are managed by the clients and the database server has no knowledge of the keys at all, might present another option. Although not leaving the database server enough information to work with (like indexes) might significantly cut its ability to pre-process data and thus reduce its value for your application.

the-wabbit
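The signed requests and one-key-per-item ideas from the question, sketched as an added example that is not code from either poster: a key server that checks an HMAC, freshness and replay, hands out only per-item derived keys, and caps how many it issues per minute. The signature shows the request came from a holder of the shared secret, so a process on the DB server that can read that secret still passes; the rate cap is what bounds and flags bulk key retrieval. The class and function names, the request fields and both limits are assumptions made for the illustration.

```python
import hashlib
import hmac
import json

MAX_SKEW = 30           # seconds a signed request stays acceptable (assumed)
MAX_KEYS_PER_MIN = 100  # assumed budget; set just above normal DB traffic

def sign(secret, item_id, ts, nonce):
    """DB-server side: MAC over an unambiguous encoding of the request."""
    msg = json.dumps([item_id, ts, nonce]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

class KeyServer:
    def __init__(self, master_key, client_secret):
        self.master_key = master_key        # never leaves the key server
        self.client_secret = client_secret  # also stored on the DB server
        self.seen = {}                      # nonce -> request timestamp
        self.window_start, self.issued = 0, 0

    def handle(self, item_id, ts, nonce, sig, now):
        """Return (status, key); key is None unless status == 'ok'."""
        if not hmac.compare_digest(sign(self.client_secret, item_id, ts, nonce), sig):
            return "bad signature", None
        if abs(now - ts) > MAX_SKEW:
            return "stale", None
        # Forget nonces whose requests would now be rejected as stale anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        if nonce in self.seen:
            return "replay", None
        self.seen[nonce] = ts
        if now - self.window_start >= 60:
            self.window_start, self.issued = now, 0
        self.issued += 1
        if self.issued > MAX_KEYS_PER_MIN:
            return "rate limited", None     # bulk key pulls: deny and alert
        # One key per data item, derived so the master key is never sent.
        key = hmac.new(self.master_key, item_id.encode(), hashlib.sha256).digest()
        return "ok", key

if __name__ == "__main__":
    ks = KeyServer(b"M" * 32, b"S" * 32)    # constructed sample secrets
    req = ("row:42", 1000, "n-1", sign(b"S" * 32, "row:42", 1000, "n-1"))
    print(ks.handle(*req, now=1000)[0])     # first use of the request
    print(ks.handle(*req, now=1005)[0])     # same request captured and resent
```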