Storing sensitive data securely in a database
Question
I am currently building a website for a nursing home. I have already designed a scheme to store private data in my database, but I would like your opinion about it.
Basically, I have a table patient which stores public (= non-sensitive) information about patients. Some other information (like name, address) are private one and need to be securely stored. I use a public/private key pair, generated by PHP OpenSSL and sent by the website manager. The passphrase is only known by people allowed to access private data (basically, healthcare providers). I would like to store them in an other table. First question , is BLOB the best column type (with MySQL) to store binary data. Or should I convert them (with base64 for example) and store them in a VARCHAR column?
My patient_secure_data table looks like this:
id INT AUTO_INCREMENT patient_id INT (FOREIGN KEY to patient.id) key VARCHAR(63) data BLOB env BLOB
It is a key-value table, where value are sealed by openssl_seal . I need to store the third parameter ( $env_keys ) to be able to decrypt data. So second question , why do I need this env_keys if I have the passphrase of the private key when I call openssl_open ?
Third (and last) question , is it a safe database schema? I mean, can I guarantee that nobody without passphrase can see private data?
Note: I will also use the same key pair to encrypt files stored on disk. But database or files, I can't see any differences regarding security.
Regards,
Guillaume.
Sorry if my language is not perfect, I am not a native english speaker... I hope I made myself clear.
2 answers
solution1
2 ACCPTED 2012-03-11 11:02:42
1 - BLOB is my preference because encoding it to base64 will increase both space and processing time (since you will have to also decode base64 before you decrypt)
2 - openssl_seal does not give you the key that was used to encrypt the data. The purpose of env_keys is to store the encrypted form of the generated key. When you call openssl_open, you give it this envelope key and the private key that it needs to decrypt the envelope key. The private key needs to be matched with the public key that was used to generate the envelope key.
3- If your private key requires a passphrase, then technically your data is relatively safe. Even if they have the envelope key and the private key, they won't be able to use it ... but how secure is your passphrase? One thing to realize is that you can almost never guarantee a fully secure scheme, but you can definitely make it tough on hackers. Use your imagination here. Btw, is your passphrase in plaintext in your code?
solution2
0 2012-03-11 10:15:11
Anything over 500chars should probably be a blob (or clob).
Regarding the keys, you should only store the public key in your public DB. This way you don't have to worry about anyone (passphrase or no) being able to decrypt the data. The private part of the key should be stored in the sensitive DB. You only need the public part to decrypt data encrypted by the private part. I would not store the entire key (public+private) on disk of the server containing the non-sensitive information as this compromises the security of the key.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.