Securely store user data in DB with Symfony

Question

I want to store data from users so that they become useless even if the database gets leaked somehow. I also don't want to be able to encrypt the data, so I encrypt all my data via `openssl_encrypt' like this:

        $passCode = base64_encode($this->get('session')->get('_pk'));

        if (strlen($passCode) <= 16) {
            $iv = str_pad($passCode, 16, '0');
        } else {
            $iv = substr($passCode, 0, 16);
        }

        $ciphertext = openssl_encrypt('whatevervalue',  'AES-256-CBC', $passCode, 0, $iv);

        $test = new Test();
        $test->setValue($ciphertext);
        ...
        $em->persist($test);
        $em->flush();
        ...

The $passCode is actually their password, which I put into the session var like this:

SecurityListener.php

<?php

namespace AppBundle\Listener;


use Symfony\Component\HttpFoundation\Session\Session;
use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;

class SecurityListener
{

public function __construct($security, Session $session)
{
    $this->security = $security;
    $this->session = $session;
}

public function onSecurityInteractiveLogin(InteractiveLoginEvent $event)
{

    $this->session->set('_pk', base64_encode($event->getRequest()->get('_password')));
}

}

2 Problems:

• Storing the $passCode (whitout knowing actually that much about sessions) seems to be a security issue possibly?

• What happens if a user changes the password. With the current way I'd need to decrypt and re-encrypt all his DB data with the new password, so that does not seem like a proper solution. What if he looses his password?

Maybe it is easier to understand what I want to here:

I want to encrypt all data in my database that the user himself enters there. I want it to be a "feature" that even the admin(s) cannot read the data without the key. I know the latter is not 100% possible (as there will be ways to intercept passwords/keys if entered through a web interface, but at least that invloves some change of code). Is something like that even possible at all? Any open source porjects I can have a look at?

Thank you!

Answer 1

1. Have some invariants for each user that will be used to generate the private key: user ID, account creation date, some random generated salt...
2. Write a hashing function that will generate the private key.
3. Obfuscate the code of the function.

This is not perfect, since people with access to the code and the database will be able to decipher the data, but it should be safe against database leaks and it doesn't have the problems you mention.

The only safer solution I can think of is to have users generate their own private keys and encrypt the data on client side, then send the encrypted data to the server. Otherwise, if the server has the tools necessary to decrypt, there will always be the way for someone with complete access to the system to decrypt the sensitive data.

I'm no expert in this matter and please tell me if I'm wrong.