Forums / Install & configuration / Encrypting a mySQL database how to? Perfomance issues etc.

Encrypting a mySQL database how to? Perfomance issues etc.

Next topic

Author	Message
R Sutton	Monday 20 August 2007 10:05:43 am I have a client who wants their db to be encrypted and to run on https due to sensitive information. I personally think this is overkill, but I have to see what can be done if they insist. First of all, what is involved in this. I can't find a "how to" anywhere in the docs or forum, much less a mention of this. Has anyone else setup anything similar? If so how big of a performance hit should we expect going this route? Any real world numbers would be most insightful. I think that https would be enough of a performance hit in the first place, but anything that would back up my argument is great. Alternately, is there a way to have one node on https while the rest of the site has a standard setup? Any direction from someone who has traversed this road would be most helpful and appreciated. Thanks!
Bruce Morrison	Monday 20 August 2007 3:42:40 pm Hi While I'm not aware of the reasoning behind the request I'd assume that if the database was to be encrypted then you wouldn't want unencrypted cache files hanging around on the local file system. You might want to look into encrypted filesystems as a lower level solution. http://www.google.com.au/search?q=linux+encrypted+filesystems I'd suggest taking a step back and identifying the security requirements and then looking for appropriate solutions to meet those requirements. Cheers Bruce My Blog: http://www.stuffandcontent.com/ Follow me on twitter: http://twitter.com/brucemorrison Consolidated eZ Publish Feed : http://friendfeed.com/rooms/ez-publish
R Sutton	Tuesday 21 August 2007 6:06:47 pm While I'm not aware of the reasoning behind the request I'd assume that if the database was to be encrypted then you wouldn't want unencrypted cache files hanging around on the local file system. That's what I have looked into for the past day. I think you're right. And I think it will be easier and less of a kludged feel to it once done. Thank for the push, I found several great write ups on encrypting the freeBSD system this will run on. I am pushing this out as an experiment tomorrow, so we will see how this goes :)

Author

Message

Monday 20 August 2007 10:05:43 am

I have a client who wants their db to be encrypted *and* to run on https due to sensitive information. I personally think this is overkill, but I have to see what can be done if they insist.

First of all, what is involved in this. I can't find a "how to" anywhere in the docs or forum, much less a mention of this. Has anyone else setup anything similar? If so how big of a performance hit should we expect going this route? Any real world numbers would be most insightful.

I think that https would be enough of a performance hit in the first place, but anything that would back up my argument is great. Alternately, is there a way to have one node on https while the rest of the site has a standard setup?

Any direction from someone who has traversed this road would be most helpful and appreciated.

Thanks!

Bruce Morrison

Monday 20 August 2007 3:42:40 pm

While I'm not aware of the reasoning behind the request I'd assume that if the database was to be encrypted then you wouldn't want unencrypted cache files hanging around on the local file system.

You might want to look into encrypted filesystems as a lower level solution. http://www.google.com.au/search?q=linux+encrypted+filesystems

I'd suggest taking a step back and identifying the security requirements and then looking for appropriate solutions to meet those requirements.

Cheers
Bruce

My Blog: http://www.stuffandcontent.com/
Follow me on twitter: http://twitter.com/brucemorrison
Consolidated eZ Publish Feed : http://friendfeed.com/rooms/ez-publish

R Sutton

Tuesday 21 August 2007 6:06:47 pm

While I'm not aware of the reasoning behind the request I'd assume that if the database was to be encrypted then you wouldn't want unencrypted cache files hanging around on the local file system.

That's what I have looked into for the past day. I think you're right. And I think it will be easier and less of a kludged feel to it once done. Thank for the push, I found several great write ups on encrypting the freeBSD system this will run on. I am pushing this out as an experiment tomorrow, so we will see how this goes :)