Thomas, It would be more secure if you has the DB on another server that was locked down and only allowed access to the web server on the MySql port, (plus probably ssh access for admin).
If you're going to the expense of audits, this must be fairly important, so the cost of the other server would not be too significant? Best regards, Andy > -----Original Message----- > From: Curley, Thomas [mailto:[EMAIL PROTECTED] > Sent: 26 November 2003 13:22 > To: [EMAIL PROTECTED] > Subject: RE: Security Question > Importance: High > > > thanks for reply - the requirement comes from a security audit - > so try to think in terms of a hacker > > Obviously and (I had assumed) > 1. - the files would have tight unix security file permissions applied > 2. - indeed the key would be stored on an internal tightly > managed box (or device) > > Another Assumption > ------------------ > Encrypting / decrypting all data on the fly would be too > expensive and grind the app to a halt > > So the question again :- > > Any ideas on how to avoid having data files stored with > absolutely no protection against copying ???? > > > If there is no solution to this then MySql should not be used on > internet accessible boxes for dynamic web sites > > > Thomas > > > > > > > -----Original Message----- > From: Fagyal, Csongor [mailto:[EMAIL PROTECTED] > Sent: 26 November 2003 12:51 > To: Curley, Thomas > Cc: [EMAIL PROTECTED] > Subject: Re: Security Question > > > Thomas, > > >I am trying to find a solution to the following security issue > with MySql DB on linux > > > >- Someone copies the DB files to another box, starts a mysql > instance, loads the DB and presto - views the 'private' data !!! > > > > > Well, "someone" should not have access rights to the DB files on the > first hand. > > >Ideally I would like to know if there is any option in MySql to > store the DB files in a secure format and one that needs a key or > similiar to open the DB > > > > > If someone was able to access your DB files, he would probably also be > able to access that key (that you must store _somewhere_), wouldn't he? > > - Csongor > > > ****************************************************************** > *************************** > This email and any attachments are confidential and intended for > the sole use of the intended recipient(s).If you receive this > email in error please notify [EMAIL PROTECTED] and delete > it from your system. Any unauthorized dissemination, > retransmission, or copying of this email and any attachments is > prohibited. Euroconex does not accept any responsibility for any > breach of confidence, which may arise from the use of email. > Please note that any views or opinions presented in this email > are solely those of the author and do not necessarily represent > those of the Company. This message has been scanned for known > computer viruses. > ****************************************************************** > *************************** > > -- > MySQL General Mailing List > For list archives: http://lists.mysql.com/mysql > To unsubscribe: > http://lists.mysql.com/[EMAIL PROTECTED] > > -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
