
MySQL default AES encryption for all tables in a database

I need to hide data from user access in MySQL. Even if the user knows the password, he may need a key to decrypt the data. Is it possible?

In MySQL there is the AES_ENCRYPT option to encrypt data when inserting. Is there any option to give default encryption for all table columns in a database?

You probably need to do this in your application and not in MySQL directly. Store the data encrypted, but decrypt/encrypt in your application-level code.

What's the point of allowing a user to connect if they don't have the key to decrypt, and all tables are encrypted? You need to edit your question to describe your use case in more detail.

Controlling access per user is more flexible. Suppose you use encryption, and one day you want to disable access for one particular user. You'd have to change the key, and that means you must re-encrypt all the data with the new key, and then notify all other users of the updated key. That's very inconvenient.

Whereas if you just use their login or their GRANT privileges to control access, you can disable any single user's account and/or use REVOKE to change their privileges. All other users would continue to have the access they did before. That's much easier.

Besides, MySQL has no global "encrypt all tables" option. It doesn't even have an option to encrypt all data inserted into a given table.

MySQL has some encryption functions like AES_ENCRYPT() but it's handled at the level of individual SQL expressions:

INSERT INTO MyTable 
SET someColumn = AES_ENCRYPT('Something sensitive', 'thePassword');

You would have to do this every time you insert or update a row.

Then decrypt similarly every time you SELECT:

SELECT AES_DECRYPT(someColumn, 'thePassword') FROM MyTable...

Someone above mentioned MariaDB encryption. This doesn't do what you want. It means the tablespace file on disk is encrypted, but still the MariaDB server automatically decrypts it for anyone who connects to the server. So it's no better than SQL access privileges. It also fails to encrypt query logs or error logs or binary logs.
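
The per-user access control described in the answer above, as an added example that is not part of the original answer. It assumes MySQL 8.0 syntax; the database, table, column and account names and the passwords are hypothetical placeholders.

```sql
-- Added example: hide one sensitive column with privileges instead of a shared key.
-- All identifiers below (appdb, customer, tax_id, report_user, support_user) are hypothetical.
CREATE DATABASE IF NOT EXISTS appdb;

CREATE TABLE appdb.customer (
  id     INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  name   VARCHAR(100) NOT NULL,
  city   VARCHAR(100) NOT NULL,
  tax_id VARCHAR(32)  NOT NULL          -- the column that must stay hidden from most users
);

-- One account per person or service, so each can be changed or disabled on its own.
CREATE USER 'report_user'@'localhost'  IDENTIFIED BY 'placeholder-password-1';
CREATE USER 'support_user'@'localhost' IDENTIFIED BY 'placeholder-password-2';

-- Column-level privilege: report_user may read id, name and city only.
-- Any query of theirs that references tax_id, including SELECT *, is denied by the server.
GRANT SELECT (id, name, city) ON appdb.customer TO 'report_user'@'localhost';

-- Table-level privilege: support_user may read every column.
GRANT SELECT ON appdb.customer TO 'support_user'@'localhost';

-- Withdrawing access from one user: no key rotation, no re-encryption,
-- and report_user keeps exactly the access it had before.
REVOKE SELECT ON appdb.customer FROM 'support_user'@'localhost';

-- Or disable that one account completely.
ALTER USER 'support_user'@'localhost' ACCOUNT LOCK;

-- Review what each account can currently do.
SHOW GRANTS FOR 'report_user'@'localhost';
SHOW GRANTS FOR 'support_user'@'localhost';
```

Privileges only constrain connections made through the server; anyone holding the data files or an account with broader grants still sees the plaintext, which is the case the application-level encryption suggested in the comments addresses.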
