Best Practices for MySQL Encryption?

mysql security database-design encryption refactoring-databases
Joseph Weissman picture Joseph Weissman · Aug 2, 2010 · Viewed 23.6k times · Source

I'm looking for guidance on encrypting fields (and/or tables if possible) for MySQL. I will settle for a decent tutorial but I'd really like specific tips on managing the transition from an unencrypted schema to one utilizing encrypted fields. Thanks!

Answer

Eric B picture Eric B · Aug 2, 2010

Along with AES_ENCRYPT for the fields, if you are storing sensitive information, better enable SSL over the wire too. Also consider network separation (vlan) of the sensitive database machines and other standard security practices. Key storage is important (where is that shared aes key hanging out, surely not on the webserver(s)!) and consider the impact on indexes/queries since searching or joining table data will not be as simple as it once was.

Related questions

Best practices to store CreditCard information into DataBase

In my country the online payments are not an old thing, the first time i saw a web application taking payments directly to a local bank account was last year. So, Im a newbie coding web payment system. My question …

Read More
How can I prevent SQL injection in PHP?

If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example: $unsafe_variable = $_POST['user_input']; mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')"); That's …

Read More
SQL injection that gets around mysql_real_escape_string()

Is there an SQL injection possibility even when using mysql_real_escape_string() function? Consider this sample situation. SQL is constructed in PHP like this: $login = mysql_real_escape_string(GetFromPost('login')); $password = mysql_real_escape_string(GetFromPost('password')); $sql = "…

Read More