If your client is that paranoid, you could always set up a separate internal
LAN with no connection to the outside world. That's what my previous
company did.
----- Original Message -----
From: "Sergei Golubchik" <[EMAIL PROTECTED]>
To: "msquared" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, February 01, 2001 20:39
Subject: Re: Database/table encryption
> Hi!
>
> On Feb 01, Tõnu Samuel wrote:
> > msquared wrote:
> > >
> > > I'm working for a company that has a paranoid client, and the client
> > > wants their database to be 'secure'.
> > >
> > > By 'secure' they mean that even if someone gains root access on the
> > > server, the data in the database can't be compromised (obtained).
> > >
> > > I can think of a couple of ways to do this, but I don't know if
> > > they're practical.
> > >
> > > The first is to have MySQL store the tables and such in an encrypted
> > > fashion, at the file layer.
> > >
> > > Can anyone else offer any alternative suggestions, or some guidance?
> > >
> >
> > Most standard way is probably having encrypted filesystems support in
> > kernel (http://www.linuxi.org) and then having MySQL databases on it. I
> > do not believe into too big security when intruder already has root but
> > encryption will anyway help.
> >
>
> A note about too big security:
>
> If they want MySQL to send decrypted data to client, then
> intruder (having root) would be able to read them from memory anyway.
>
> If they want the client to handle the encryption, there's no
> need for encrypted filesystem - all the crypto is done by
> client.
>
> Not that I wanted to say that encrypted filesystem is useless... :-)
> Reading decrypted data from memory is more complex task indeed.
>
> Just one has to know the limitations of his solution.
>
> > --
> > MySQL Development Team
> > __ ___ ___ ____ __
> > / |/ /_ __/ __/ __ \/ / Tonu Samuel <[EMAIL PROTECTED]>
> > / /|_/ / // /\ \/ /_/ / /__ MySQL AB, http://www.mysql.com/
> > /_/ /_/\_, /___/\___\_\___/ Tallinn, Estonia
> > <___/
>
> Regards,
> Sergei
>
> --
> MySQL Development Team
> __ ___ ___ ____ __
> / |/ /_ __/ __/ __ \/ / Sergei Golubchik <[EMAIL PROTECTED]>
> / /|_/ / // /\ \/ /_/ / /__ MySQL AB, http://www.mysql.com/
> /_/ /_/\_, /___/\___\_\___/ Osnabrueck, Germany
> <___/
>
> ---------------------------------------------------------------------
> Before posting, please check:
> http://www.mysql.com/manual.php (the manual)
> http://lists.mysql.com/ (the list archive)
>
> To request this thread, e-mail <[EMAIL PROTECTED]>
> To unsubscribe, e-mail <[EMAIL PROTECTED]>
> Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
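The client-side option Sergei describes in the quoted reply, sketched as an added example that is not part of the original thread. It assumes the third-party `cryptography` package, uses an in-memory `sqlite3` database as a stand-in for the MySQL server, and the names `seal`, `unseal`, `CLIENT_KEY` and the card numbers are constructed for illustration.

```python
import os
import sqlite3
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Key lives only on the client; the database host never sees it.
CLIENT_KEY = AESGCM.generate_key(bit_length=256)


def seal(key, row_id, column, plaintext):
    """Encrypt one field; bind it to its row and column via associated data."""
    nonce = os.urandom(12)
    aad = f"{row_id}:{column}".encode()
    return nonce + AESGCM(key).encrypt(nonce, plaintext.encode(), aad)


def unseal(key, row_id, column, blob):
    """Decrypt a field; raises InvalidTag if it was altered or moved."""
    aad = f"{row_id}:{column}".encode()
    return AESGCM(key).decrypt(blob[:12], blob[12:], aad).decode()


def demo():
    # sqlite3 in memory stands in for the database server (assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, card BLOB)")
    cards = {1: "4111-1111-1111-1111", 2: "5500-0000-0000-0004"}  # constructed
    for row_id, card in cards.items():
        db.execute("INSERT INTO customers VALUES (?, ?)",
                   (row_id, seal(CLIENT_KEY, row_id, "card", card)))

    # What someone with root on the server can read: ciphertext only.
    stored = dict(db.execute("SELECT id, card FROM customers"))
    leaked = any(c.encode() in b for c in cards.values() for b in stored.values())
    # The client, holding the key, recovers the value.
    recovered = unseal(CLIENT_KEY, 1, "card", stored[1])
    # Root can still tamper: copy row 2's ciphertext over row 1.
    db.execute("UPDATE customers SET card = ? WHERE id = 1", (stored[2],))
    swapped = db.execute("SELECT card FROM customers WHERE id = 1").fetchone()[0]
    try:
        unseal(CLIENT_KEY, 1, "card", swapped)
        swap_detected = False
    except InvalidTag:
        swap_detected = True
    return leaked, recovered, swap_detected


if __name__ == "__main__":
    print(demo())
```

The key and the decrypted values still exist in the client's memory, so the same limitation applies there, and the server can no longer search or index the encrypted column.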