Re: Database Encryption (now required by law in Italy)

From scott.marlowe
Subject Re: Database Encryption (now required by law in Italy)
Date
Msg-id Pine.LNX.4.33.0403051236190.17152-100000@css120.ihs.com
In response to Re: Database Encryption (now required by law in Italy)  (Silvana Di Martino <silvanadimartino@tin.it>)
Responses Re: Database Encryption (now required by law in Italy)  (Silvana Di Martino <silvanadimartino@tin.it>)
List pgsql-admin
On Fri, 5 Mar 2004, Silvana Di Martino wrote:

> At 15:11, Friday 5 March 2004, Alex Page wrote:
> > If you're trying to protect against somebody taking down your server
> > room door with a sledgehammer, lifting your server out of the rack,
> > driving it away and booting off an alternative medium to avoid needing
> > to know your root password, then a loopback encrypted partition (or data
> > encrypted in GPG where the decryption key is not stored on the database
> > server) is a sensible precaution.
>
> Unfortunately, the new Italian law forces us to take seriously into account
> this catastrophic scenario and another one that is almost as worrying: an
> unfaithful SysAdmin that copies your data and sells them to KGB. So, database
> encryption (and not disk encryption) is the _only_ answer.

The only way for this to work is for it to be a "two key system" like the
military uses for missile launch.

One sysadmin has the "key" to the database box, but the data is encrypted
before being sent to the database box on another system with another admin
with another "key".  Preferably these two would never interact or know
each other.

If the encryption and decryption happen on the same box that runs that
database, then it's simply more work for the sysadmin to get at the data,
not an impossibility.  Anything outside of two separate systems, one with
storage, the other doing encrypting without any form of long term storage is
just a charade of security.
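
The split described in this message, sketched as an added example (not code from the thread): a separate encrypting host seals each field with AES-256-GCM before it is sent to the database box, which only ever stores the resulting blob. The `Gateway` type, the row id `patient:1` and the sample record are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Gateway is the encrypting system: key held in memory, no long-term storage.
type Gateway struct{ aead cipher.AEAD }

func NewGateway(key []byte) (*Gateway, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Gateway{aead}, nil
}

// Seal binds rowID as associated data: a blob moved to another row won't open.
func (g *Gateway) Seal(rowID string, plain []byte) ([]byte, error) {
	nonce := make([]byte, g.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.aead.Seal(nonce, nonce, plain, []byte(rowID)), nil
}

// Open reverses Seal; it fails on a wrong key, wrong row, or modified blob.
func (g *Gateway) Open(rowID string, blob []byte) ([]byte, error) {
	n := g.aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	return g.aead.Open(nil, blob[:n], blob[n:], []byte(rowID))
}

func main() {
	key := make([]byte, 32) // constructed key; never present on the database box
	rand.Read(key)
	gw, _ := NewGateway(key)
	blob, _ := gw.Seal("patient:1", []byte("constructed sample record"))
	fmt.Printf("database box stores only %d opaque bytes: %x\n", len(blob), blob)
}
```

The database admin can copy or move the blobs but cannot read them; the gateway admin can decrypt but holds no stored data.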

