WebApp Sec mailing list archives
Re: Encrypted storage
From: Ido Rosen <ido () cs uchicago edu>
Date: Thu, 09 Sep 2004 02:53:54 -0400
I encrypt session data on disk/database with a symmetric key (shared secret) stored on the web server (hard coded into the web app usually), that way a database breach doesn't put session data at risk. As for other database data, it really depends on the use you are searching for: do you want to do full text searches on the data? Can your indices be unencrypted? There are many variables to consider when weighing the option, not just the straightforward CPU overhead of encryption.

Ido

On 8 Sep 2004 20:38:53 -0000 Jeffrey Koniszewski <jkoniszewski () kronos com> wrote:
I was wondering (because customers have asked me) whether anyone is configuring their database to store all information encrypted. Databases have this capability but the overhead can be so heavy that vendors don't recommend using it generically. Also, if most of the data is not sensitive it is a lot of work to protect small amounts of data. Is anyone aware of someone using this capability? Under what circumstances? What's the performance hit? What other gotchas? How about encrypted communication to the DB from the app server?
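The pattern Ido describes (the application encrypts session data with a key the database never sees, while lookup columns stay in the clear so indexing still works) as an added example; it is not code from the thread or from any of the posters. It assumes the master key is handed to the application from outside the database (a config file or environment variable rather than a literal in the source), and it uses a standard-library stand-in for an authenticated cipher (HMAC-SHA256 in counter mode as the keystream, plus a separate HMAC tag, encrypt-then-MAC) so that it runs anywhere; in production you would substitute AES-GCM from a vetted library. The session identifier is bound into the tag so a ciphertext copied between rows is rejected.

```python
"""Application-side encryption of session blobs before they reach the database.

Added example, not from the original thread. The master key is assumed to be
supplied by the web tier (config/env), never stored in the database.
Cipher: stdlib stand-in (HMAC-CTR keystream + HMAC tag); use AES-GCM in production.
"""
import hashlib
import hmac
import json
import secrets
import sqlite3

NONCE_LEN = 16
TAG_LEN = 32


def derive_subkeys(master_key: bytes) -> tuple[bytes, bytes]:
    """Separate encryption and MAC keys derived from one master key."""
    enc = hmac.new(master_key, b"session-encrypt", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"session-mac", hashlib.sha256).digest()
    return enc, mac


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(enc_key, nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _tag(mac_key: bytes, aad: bytes, nonce: bytes, ct: bytes) -> bytes:
    # Length-prefix the associated data so aad/nonce/ct boundaries are unambiguous.
    msg = len(aad).to_bytes(4, "big") + aad + nonce + ct
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def seal(master_key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = derive_subkeys(master_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + _tag(mac_key, aad, nonce, ct)


def unseal(master_key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag (constant-time) before decrypting; raise on any mismatch."""
    enc_key, mac_key = derive_subkeys(master_key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(mac_key, aad, nonce, ct)):
        raise ValueError("session blob failed authentication")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


class SessionStore:
    """Sessions table: sid and user_id stay plaintext (indexable), payload is sealed."""

    def __init__(self, master_key: bytes):
        self.key = master_key                      # held by the app tier only
        self.db = sqlite3.connect(":memory:")      # stand-in for the real database
        self.db.execute(
            "CREATE TABLE sessions (sid TEXT PRIMARY KEY, user_id INTEGER, blob BLOB)"
        )
        self.db.execute("CREATE INDEX sessions_user ON sessions (user_id)")

    def save(self, sid: str, user_id: int, data: dict) -> None:
        blob = seal(self.key, json.dumps(data).encode(), aad=sid.encode())
        self.db.execute(
            "INSERT OR REPLACE INTO sessions (sid, user_id, blob) VALUES (?, ?, ?)",
            (sid, user_id, blob),
        )

    def load(self, sid: str):
        row = self.db.execute("SELECT blob FROM sessions WHERE sid = ?", (sid,)).fetchone()
        if row is None:
            return None
        return json.loads(unseal(self.key, row[0], aad=sid.encode()).decode())

    def sessions_for_user(self, user_id: int) -> list[str]:
        """Query answered entirely from the plaintext index column."""
        rows = self.db.execute(
            "SELECT sid FROM sessions WHERE user_id = ? ORDER BY sid", (user_id,)
        ).fetchall()
        return [r[0] for r in rows]

    def raw_dump(self) -> list[tuple]:
        """What someone holding only a database dump (no app key) can read."""
        return self.db.execute("SELECT sid, user_id, blob FROM sessions").fetchall()


if __name__ == "__main__":
    store = SessionStore(secrets.token_bytes(32))   # constructed key for the demo
    store.save("s1", 42, {"cart": ["widget"], "csrf": "abc123"})
    print(store.load("s1"))
    print(store.raw_dump())                           # user_id visible, payload opaque
```

The trade-off Ido raises is visible in the schema: anything the application must search or join on (here `user_id`) stays in the clear and indexed, and only the payload that a database breach should not expose is sealed. Full-text search over the sealed payload is not possible without decrypting rows in the application.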