
Ask HN: Protecting database information? - tixocloud
Hi,

What's the best way to protect information in a database? The information should be readable from a web application but assuming the database gets hacked, the information should be safe.

An idea I had was to cipher information before inserting into the database but I guess all an attacker needs is the key in order to unlock it.

I'm not great with security so I'm hoping you folks on HN would have some ideas.
======
coo1k
Disclaimer: I am far from a security expert.

If your website is used by authenticated users, i.e. it requires a username and
password to log in, then you could use their password to encrypt relevant data
and decrypt it at runtime when the user logs in. However, make sure you destroy
the password and decrypted information from memory after the user logs out or
after a certain timeout, whichever is earlier.

Since now you are not storing keys on your server, the attacker won't be able to
decrypt sensitive information even if he gains administrative access to your
server. Each user will be holding the key in the form of his password. The attacker
will have to get the password of each user.

Use https so that the attacker won't be able to sniff out the password of the user.

Downsides:

1. Forgot-password functionality will be hard to implement.
2. If users try to log in to your application after the attacker gains access to it,
   the attacker will come to know of the password and use it to decrypt information
   pertaining to that user.
3. Even you won't be able to see the information since you won't have the
   decryption key.

~~~
tixocloud
Thanks. That's a very interesting idea - I like it since users can't access
each other's information.

Now I'll just have to think about handling the "Forgot Password"
functionality. I'm not sure for #3 if I do need to see the information
although I worry that my users would be using it for nefarious purposes.

~~~
coo1k
There is a way to get around #3, although it is inefficient. Every time information is
posted by your users you can create 2 copies of the encrypted information. One
with the user's password for them to view. The other would be using your key, but
you can't simply use a password for encrypting your copy; that would be insecure
since you would need to store your password on the server. Instead you can use
asymmetric encryption such that you can use your public key to encrypt the
information. Then you can use your private key to log in to your website and
view all the information.

~~~
tixocloud
Basically my database will always be 2X?

Curious, but given that WhatsApp recently started encrypting messaging end-to-end, does
this mean that even they can't view the information? Does this mean WhatsApp
would have no way of detecting if its application is being used for
organizing illegal activity?

~~~
coo1k
OR you could encrypt the user's password with your public key. Then when you log in,
you can decrypt the user's password with your private key. Then go on decrypting
the user's information with that password. This way you won't have to make a copy of
the information posted by users and will still be able to view it with the admin
login.
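The admin-access variant from coo1k's last two replies (an admin key pair, per-user material wrapped to the public key, private key kept off the server), as an added example that is not from the thread. One deliberate change from the post: it wraps the user's 32-byte data key rather than the password itself, which gives the admin the same access to the data without the admin ever learning passwords. RSA-OAEP with the user id as the OAEP label, the struct and function names, and the sample users are all my own assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// escrowEntry is the extra column stored beside a user's encrypted data: the
// user's 32-byte data key, wrapped to the admin's public key. Only the public
// key ever touches the server, so a dumped table cannot be unwrapped there.
type escrowEntry struct {
	User       string
	WrappedKey []byte
}

// newDataKey makes the per-user symmetric key that encrypts that user's rows
// (constructed stand-in for whatever key the application already uses).
func newDataKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// wrapForAdmin uses RSA-OAEP with the user id as the OAEP label, so an entry
// cannot be quietly re-attributed to a different user and still unwrap.
func wrapForAdmin(pub *rsa.PublicKey, user string, dataKey []byte) (escrowEntry, error) {
	if len(dataKey) != 32 {
		return escrowEntry{}, errors.New("data key must be 32 bytes")
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, []byte(user))
	if err != nil {
		return escrowEntry{}, err
	}
	return escrowEntry{User: user, WrappedKey: ct}, nil
}

// unwrapAsAdmin is the admin-side step: recover the user's data key with the
// private key; that user's rows can then be opened with it as usual.
func unwrapAsAdmin(priv *rsa.PrivateKey, e escrowEntry) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, e.WrappedKey, []byte(e.User))
}

// recoverAllKeys shows the flip side of the design: one private key opens
// every entry in the table, so that key must never be kept on the server.
func recoverAllKeys(priv *rsa.PrivateKey, table []escrowEntry) (map[string][]byte, error) {
	keys := make(map[string][]byte, len(table))
	for _, e := range table {
		k, err := unwrapAsAdmin(priv, e)
		if err != nil {
			return nil, fmt.Errorf("entry for %s: %w", e.User, err)
		}
		keys[e.User] = k
	}
	return keys, nil
}

func main() {
	admin, err := rsa.GenerateKey(rand.Reader, 2048) // lives on the admin's machine, not the server
	if err != nil {
		panic(err)
	}
	var table []escrowEntry
	for _, user := range []string{"alice", "bob"} { // constructed sample users
		e, err := wrapForAdmin(&admin.PublicKey, user, newDataKey())
		if err != nil {
			panic(err)
		}
		table = append(table, e)
	}
	keys, err := recoverAllKeys(admin, table)
	fmt.Printf("recovered %d user keys, err=%v\n", len(keys), err)
}
```

After unwrapAsAdmin, decrypting a user's rows works exactly as it does for the user, with the recovered data key in place of the password-derived one. recoverAllKeys also makes the trade-off explicit: whoever holds the private key holds every user's key, so where that key is kept is the real security boundary of this design.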

~~~
zimpenfish
Doesn't that mean anyone who captures the "admin" private key has full access
to the database?

~~~
coo1k
Yes, but since the key resides with the admin and not on the server, I am assuming the
private key will be stored securely.

------
zimpenfish
I think it was on here that someone recommended this -

[http://www.wayner.org/node/46](http://www.wayner.org/node/46)

> Translucent databases provide better, deeper protection by scrambling the
> data with encryption algorithms. The solutions use the minimal amount of
> encryption to ensure that the database is still functional. In the best
> applications, the personal and sensitive information is protected but the
> database still delivers the information.

(Disclaimer: I haven't read it yet)

