On Fri, Mar 05, 2004 at 08:53:04AM -0500, Mitch Pirtle wrote:
> I understand (and demand) requiring SSL connections for database
> clients, and MD5 hashing of passwords before storing in the database,
> but implementing two-way encryption of database data just doesn't make
> sense to me.
It all comes down to what you're trying to protect your data *from*. If
you're trying to protect it from people sniffing network traffic between
clients and the server, then SSL is sensible. If you're trying to
protect against somebody reading passwords out of a database and using
them to impersonate other users, use MD5 (or SHA) hashing.
If you're trying to protect against somebody taking down your server
room door with a sledgehammer, lifting your server out of the rack,
driving it away and booting off an alternative medium to avoid needing
to know your root password, then a loopback encrypted partition (or data
encrypted in GPG where the decryption key is not stored on the database
server) is a sensible precaution.
I expect that for most database users, it comes down to meeting the
standards defined by law rather than realistic expectations of an attack
- I expect that most of the situations we attempt to prevent are
unlikely in the extreme, but we have various contractual and legal
obligations which mean we have to defend against them anyway.
Of course, this loopback encryption with a boot-time passphrase may fail
if they take the rackmount UPS as *well*, and keep the machine powered
at all times ;)
Alex
--
Mail: Alex Page <alex.page@cancer.org.uk>
Real: Systems/Network Assistant, Epidemiology Unit, Oxford
Tel: 01865 302 223 (external) / 223 (internal)
PGP: 8868 21D7 3D35 DD77 9D06 BF0A 0746 2DE6 55EA 367E