Re: 3des key lengths and key management

From Steve Atkins
Subject Re: 3des key lengths and key management
Date
Msg-id C26AAD48-A1C4-4811-8B85-7CD57FDF3B51@blighty.com
In response to Re: 3des key lengths and key management  (Steve Atkins <steve@blighty.com>)
List pgsql-general
On Jul 23, 2009, at 12:11 PM, Steve Atkins wrote:

>
>> 4) Is it possible to compile C or Java code that will allow me to
>> be the only one who knows the pass-key but allow other users to
>> encrypt/decrypt data?
>>
>
> Yes, that's asymmetric cryptography, using something like DSA.

Oops. Missed the "decrypt" bit there.

It's sort of possible, but only by relying on other access controls to
allow other users to run your code, but not access it in other ways.
Within the database a security definer function would let you do that.
But anyone with superuser access to the machine, or to the database,
or who had access to backups or database dumps would be able to get
the key.

You can build systems of increasing complexity to get marginally more
protection, but it's really not a path you want to be going down just
for PCI compliance.

Cheers,
   Steve
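
Added example (not part of the original message, and not PostgreSQL project code): a sketch of the security definer arrangement described above, using pgcrypto's pgp_sym_encrypt and pgp_sym_decrypt. The keystore schema, secret_key table, protect/reveal functions and the key_owner and app_user roles are hypothetical names, the passkey is a constructed placeholder, and the script is assumed to run as a superuser.

```sql
-- Hypothetical names throughout; assumes roles key_owner and app_user already exist.
CREATE SCHEMA keystore AUTHORIZATION key_owner;
CREATE EXTENSION IF NOT EXISTS pgcrypto SCHEMA keystore;

-- The key lives in a table only key_owner may read.
CREATE TABLE keystore.secret_key (
    id      int  PRIMARY KEY CHECK (id = 1),
    passkey text NOT NULL
);
ALTER TABLE keystore.secret_key OWNER TO key_owner;
REVOKE ALL ON keystore.secret_key FROM PUBLIC;
INSERT INTO keystore.secret_key VALUES (1, 'CONSTRUCTED-PLACEHOLDER-PASSKEY');

-- Wrappers run with key_owner's rights, so callers never touch the key table.
-- search_path is pinned so a caller cannot substitute its own objects.
CREATE FUNCTION keystore.protect(plaintext text) RETURNS bytea
LANGUAGE sql SECURITY DEFINER
SET search_path = keystore, pg_temp
AS $$
    SELECT keystore.pgp_sym_encrypt(plaintext, k.passkey)
    FROM keystore.secret_key k WHERE k.id = 1
$$;

CREATE FUNCTION keystore.reveal(ciphertext bytea) RETURNS text
LANGUAGE sql SECURITY DEFINER
SET search_path = keystore, pg_temp
AS $$
    SELECT keystore.pgp_sym_decrypt(ciphertext, k.passkey)
    FROM keystore.secret_key k WHERE k.id = 1
$$;

ALTER FUNCTION keystore.protect(text)  OWNER TO key_owner;
ALTER FUNCTION keystore.reveal(bytea)  OWNER TO key_owner;

-- Functions are executable by PUBLIC by default; restrict them to app_user.
REVOKE EXECUTE ON FUNCTION keystore.protect(text), keystore.reveal(bytea) FROM PUBLIC;
GRANT  USAGE   ON SCHEMA keystore TO app_user;
GRANT  EXECUTE ON FUNCTION keystore.protect(text), keystore.reveal(bytea) TO app_user;

-- app_user can call keystore.protect() and keystore.reveal() but has no
-- privilege on keystore.secret_key. The passkey row is still stored in clear:
-- a database superuser, an OS-level superuser, or anyone holding a dump or
-- backup can read it, which is the limitation the message points out.
```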

