
A third-party application states that TDE is used for encrypting the password database.

I don't know how appropriate this is for password storage, as surely a decryption key still exists despite the fact that it is itself encrypted. The third party states that internal staff do not have access to the passwords, but I'm struggling to understand how that can be true, as my understanding of encryption would not agree.

I've spent some time googling, and whilst I understand the concept of TDE at a high level, I am not convinced it's appropriate for storing customer passwords and claiming that no internal staff member can access these passwords.

Any comment or clarification would be much appreciated!

ellefc
  • The "password database" is probably not password storage; it is likely storage of a hashed version of the passwords. TDE doesn't really affect the security analysis of most aspects of the site. If the site was actually storing user passwords before TDE, then TDE will **not** somehow make that OK. TDE *may* provide some protection against someone breaking in and getting external access to the site if, as you note, TDE keys are properly secured. It won't help against someone breaking into the site through flaws in its software, because they'll be inside the TDE cordon. – President James K. Polk Nov 05 '19 at 17:03
  • @ellefc - TDE does not provide access control to fields. You may want to look at column encryption for that. – Neil Weicher Nov 11 '19 at 11:39
  • @NeilWeicher Can't I use Oracle Key Vault to encrypt a single column in my DB? – Muddassir Rahman Nov 20 '19 at 11:02
  • I regret to say that I am not familiar with Oracle or Oracle Key Vault. – Neil Weicher Nov 21 '19 at 11:10
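The distinction the comments draw, as an added example that is not part of the question or any comment: a record protected only by a reversible cipher (what TDE provides at rest) is recoverable by anyone holding the key, whereas a salted one-way hash can be verified but holds nothing to decrypt. The keyed HMAC counter keystream below is a constructed stand-in for the database's at-rest cipher, not a real TDE implementation; the hashing side uses PBKDF2 from the standard library.

```python
"""Encrypt-at-rest vs. one-way hash for a password store (added example)."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor for the example


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy reversible transform (HMAC-SHA256 counter keystream XOR).

    Stands in for the at-rest cipher a TDE-style database applies; the only
    property that matters here is that the same key undoes it.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def store_encrypted(password: str, key: bytes) -> bytes:
    """What a 'password database' protected only by encryption amounts to."""
    return keystream_xor(key, password.encode())


def insider_reads_encrypted(record: bytes, key: bytes) -> str:
    """Anyone who can obtain the key (DBA, backup operator, the application
    itself) turns the stored record back into the customer's password."""
    return keystream_xor(key, record).decode()


def store_hashed(password: str) -> dict:
    """What the store should hold: a per-user random salt plus a slow
    one-way hash. There is no key, so there is nothing to hand an insider."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def verify_hashed(password: str, record: dict) -> bool:
    """Recompute from the candidate and compare in constant time; the
    original password is never reconstructed from the record."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["hash"])
```

TDE-style encryption still has a place (it protects stolen data files and backups), but it answers a different question than "can staff read the passwords".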
