Database Encryption
7 posts by 2 authors in: Forums > CMS Builder
Last Post: November 14, 2018
By gversion - November 8, 2018
Hello,
Can someone please tell me more about the "database encryption" function that I have seen in the General Settings area of the most recent cmsb version?
What type of encryption is used?
Is the entire database encrypted or can I select specific tables?
Does it affect read/write speed?
In general, what are the pros and cons of encrypting the database?
Thanks,
Greg
By daniel - November 13, 2018
Hi Greg,
I wrote a bit about the new encryption features back when they first were introduced in the v3.14 beta: https://www.interactivetools.com/forum/forum-posts.php?postNum=2242370#post2242370
Some additional info to address some of your questions more directly:
- The encryption used is AES (Advanced Encryption Standard).
- Encryption is specified for specific fields/columns, rather than entire DB or tables.
- It's very unlikely that it would cause any appreciable difference in database query speed.
- The main benefit of encrypting data is that it adds an extra layer of security to sensitive data. If someone were to gain a copy of your database or a backup file (made after the encryption), they wouldn't be able to directly read data from any encrypted fields. One downside is that it makes it difficult to directly access data from the database yourself without using CMSB's MySQL helper functions.
Let me know if you have any further questions!
Thanks,
Technical Lead
interactivetools.com
Hi Daniel,
Thank you for this info. Very interesting to read!
You mention:
The main benefit of encrypting data is that it adds an extra layer of security to sensitive data. If someone were to gain a copy of your database or a backup file (made after the encryption), they wouldn't be able to directly read data from any encrypted fields.
If the hacker figures out that the database is using cmsb then they will of course be able to use CMSB's MySQL helper functions to read the data, correct?
Regards,
Greg
By daniel - November 14, 2018
Hi Greg,
If the hacker figures out that the database is using cmsb then they will of course be able to use CMSB's MySQL helper functions to read the data, correct?
The helper functions only provide the mechanism used to encrypt the data, so in such a case, the hacker would also need the encryption key to decrypt it, which is not stored directly in the database. However, it is still good to emphasize that this is only one possible layer in a complete security policy. I'd think of it more as protection against someone casually accessing the raw data rather than a strong defence against a dedicated attacker, and shouldn't be considered a replacement for strong passwords and good server security.
Cheers,
Technical Lead
interactivetools.com
Hi Daniel,
Yes, that all makes total sense. Just so I'm clear, where is the encryption key stored? Is that a private PPK or a PEM file stored somewhere on the server (in a cmsb directory?)?
Thanks,
Greg
By daniel - November 14, 2018
Hi Greg,
The encryption key is a user-supplied value supplied on the General Settings page in CMSB, so it's stored in the settings file.
Cheers,
Technical Lead
interactivetools.com
Hi Daniel,
OK, thanks - I see this now. Maybe it would be safer to store this setting outside of the /public_html/ folder...
Anyway, really pleased to see you are taking security seriously and making improvements to the software in this respect.
Regards,
Greg
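Field-level encryption as Daniel describes it above (AES applied to chosen columns only, with the key held outside the database) together with Greg's point about keeping the key outside /public_html/, as an added PHP example that is not CMSB's own code: the column names, the key-file path and the `enc:` cell prefix are assumptions, and the record is constructed.

```php
<?php
// Added example, not CMSB's own code: encrypt only the listed columns of a record
// with AES-256-GCM, keeping the key in a file outside the web root.

const KEY_FILE = '/home/site/private/cmsb_field_key'; // hypothetical path, not under public_html
const ENCRYPTED_FIELDS = ['ssn', 'notes'];            // constructed column names; others stay plaintext

function loadKey(string $path = KEY_FILE): string {
    $key = @file_get_contents($path);
    if ($key === false || strlen($key) !== 32) {
        throw new RuntimeException("Missing or malformed 32-byte key file: $path");
    }
    return $key;
}
function encryptField(string $key, string $plaintext): string {
    $iv  = random_bytes(12);  // fresh nonce per value; never reuse one under the same key
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) { throw new RuntimeException('encryption failed'); }
    return 'enc:' . base64_encode($iv . $tag . $ct); // prefix marks the cell as encrypted
}
function decryptField(string $key, string $stored): string {
    if (strncmp($stored, 'enc:', 4) !== 0) { return $stored; } // cell written before encryption was enabled
    $raw = base64_decode(substr($stored, 4), true);
    if ($raw === false || strlen($raw) < 28) { throw new RuntimeException('corrupt ciphertext'); }
    $pt = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
                          substr($raw, 0, 12), substr($raw, 12, 16));
    if ($pt === false) { throw new RuntimeException('wrong key or tampered ciphertext'); } // GCM tag check
    return $pt;
}
function encryptRow(string $key, array $row): array {
    foreach (ENCRYPTED_FIELDS as $f) {
        if (isset($row[$f])) { $row[$f] = encryptField($key, (string) $row[$f]); }
    }
    return $row;
}
function decryptRow(string $key, array $row): array {
    foreach (ENCRYPTED_FIELDS as $f) {
        if (isset($row[$f])) { $row[$f] = decryptField($key, $row[$f]); }
    }
    return $row;
}

// Demo on a constructed record; in production call loadKey() instead of random_bytes().
$key    = random_bytes(32);
$row    = ['name' => 'Greg', 'ssn' => '123-45-6789', 'notes' => 'VIP customer'];
$stored = encryptRow($key, $row);
echo json_encode($stored), "\n";                   // name readable, ssn/notes opaque
echo json_encode(decryptRow($key, $stored)), "\n"; // original record restored
try { decryptRow(random_bytes(32), $stored); } catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```

A dump of the stored rows shows plaintext only for the unlisted columns, and the last line shows that a copy of the data without the key file fails the GCM tag check rather than yielding garbage.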