0

I have a client who wants a web application that will be doing some transactions, I know the sensitive data like passwords, bank account details should be encrypted.

But he wants a profile for users that has sensitive data like date of birth, addresses, but if I over encrypt this data won't it have an effect on performance especially searching for example

SELECT * FROM PROFILE ( decrypt the data to display it).

Another scenario where I save transactional activities, sometimes a user can do a bank transfer on the fly which means the bank account number is not stored in our database but will be stored in transactions table. Do I have to encrypt this bank account while saving it in recent transactions table? If yes, won't I have performance issues when retrieving data from this table later on.

CDspace
  • 2,639
  • 18
  • 30
  • 36
lebron Brian
  • 5
  • 1
  • 1
  • If you encrypt your query criteria before they become a part of your MySQL query, matching what you've inserted in encrypted form, performance will be fine with any exact string comparisons, strings are strings. You won't be able to use comparison operators other than `=` in any sensible way though, unless you decrypt on the fly, which means your decryption algo needs to be in your SQL query. For such queries, you won't be able to use indexes. – Markus AO Jan 28 '22 at 19:20
  • Also see: [What's the best way to store and yet still index encrypted customer data?](https://stackoverflow.com/questions/4961603/whats-the-best-way-to-store-and-yet-still-index-encrypted-customer-data) – Markus AO Jan 28 '22 at 19:25
  • GDPR in correlation with ePrivacy Regulation, CCPA, etc, etc can bring you a lot of headache. Better do not decide on such things and implement encryption/pseudonymization of all personal information by default. Just measure impact on performance and let your client decide, because it should not be your responsibility. All IMHO – leftjoin Jan 28 '22 at 19:31
  • Usually security impedes the performance. There is a tradeoff between performance and security. The more security hardening of an application the more checks will be involved. Usually you have to do this. 1. Identify items to be stored as encrypted. E.g personal identifiable information including dob, address, ssn, any info that can identify the entity. 2. Make a translation class for saving encrypted data and retrieving data , decrypt accordingly 3. Host your application on https based web server. 4. See PCIDSS AND GDPR. – bilalhaider Jan 28 '22 at 20:11

0 Answers0