I'm trying to think of a way to to store personal data in a MySQL database, which is accessed through a PHP application, and allows multiple users with different passwords access and the ability to add & remove users.
My original thinking was to encrypt the data in the database using AES so that it can be decrypted and read but what I'm not sure about is how to allow multiple users with different passwords to access it as there can only be one decryption key as far as I'm aware.
My only thought is set up a normal login system for users so they can be added & removed but store the decryption password on the server so the user never sees it. The thought of storing the decryption password on the server just seems insecure though so I'm looking for a better solution.
I'm sure this is a problem that many others have had and I've searched around but unless I'm misunderstanding things the only solutions I've found work with a set number of users, not in situations where users are added & removed.
Or is the way I'm going about this not the best and would there be a better way to approach this?
Also to define what I'm thinking of securing against. It's encase the server is hacked & the database stolen, the thief won't be able to read the data and stopping people who are no longer permitted to view the data from accessing it as well as adding new users.
Thanks for any help, Neil.
Yes, the key (password for decrypting data) has to be stored on the server.
There's no way around this, unfortunately.
There are different ways to do it, though.
You can store it in form of a plain text file, somewhere in a folder outside of the users access zone, where only root
system user will be able to get it.
You can store it in a different, separate database, with separate set of keys.
You can make your scripts get the key (or second database credentials) from some other script/app on the server, thus improving anti-transparency. In case someone will gain access to first script, he may not gain access to the other.
Finally, you can store it somewhere else, in depths of your network — and this is the most complex but secure thing, called KMS
- Key Management Server
.
Actually KMS doesn't have to be a cloud service or expensive enterprise solution (although, it's the most secure way). It can be just another server outside of the "war zone" (separate network) which stores and "tells" the key only to the trusted server.
I could write a book ~300 pages about managing keys, as I have supervised many quite sensitive data projects complying with PCI DDS3 security standards. You can google for key management
and try to find some easy tutorials and schemes.
Collected from the Internet
Please contact [email protected] to delete if infringement.
Comments