For the (very few?) people interested in this topic:
"Time is Right for Database Encryption"
Dec 9, 2003 | By Don MacVittie
Published on NetworkComputing
(www.nwc.com)
http://www.nwc.com/shared/article/printFullArticle.jhtml;jsessionid=REGYCTEZ5MNJQQSNDBGCKHY?articleID=16401578
This paragraph, in particular, deals with a most-argued topic:
"This is why client applications should decrypt the data after they receive it
from the database. That's the most secure place to handle encryption and
decryption. But changing all your client applications usually isn't
realistic. If you find that modifying your apps is not an option, look for a
solution that allows for decryption on the database and protection of your
data while on the network. Using SSL to communicate with your database will
protect your data while it traverses the LAN. It's simple to implement,
especially since you probably already use it for transmitting sensitive
information over the Internet."
And this one shows a feasible solution for PostgreSQL (using pgcrypto):
"Oracle has one of the best solutions for in-database encryption-decryption
keys. It stores the keys, encrypted, in a table. For users with access
rights, it decrypts the keys, which in turn decrypt the desired data. The
downside, of course, is that you have unencrypted data on the network, but
the benefit is making access to encrypted data secure. Not even the database
administrator can see the unencrypted data--even the keys to get at the data
are encrypted. This solution can be implemented in any of the major
databases, and Oracle provides a secure key generator as well as other tools
to get you started."
Have a nice read.
-----------------------------------------
Alessandro Bottoni and Silvana Di Martino
alessandrobottoni@interfree.it
silvanadimartino@tin.it
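
The key-table scheme quoted above, sketched with pgcrypto's `pgp_sym_encrypt`/`pgp_sym_decrypt` as an added example; it is not part of the original message or the cited article. The table, column and function names, the sample passphrase and the sample card number are all hypothetical.

```sql
-- Added illustration: data keys are stored only in wrapped (encrypted) form.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- One row per (user, data key); the key is wrapped under that user's passphrase.
CREATE TABLE wrapped_keys (
    username text  NOT NULL,
    key_name text  NOT NULL,
    wrapped  bytea NOT NULL,
    PRIMARY KEY (username, key_name)
);

CREATE TABLE customer (
    id      serial PRIMARY KEY,
    name    text  NOT NULL,
    card_no bytea NOT NULL          -- ciphertext under the data key
);

-- Provisioning: generate a random 256-bit data key and wrap it for one user.
-- 'alice-sample-passphrase' is a constructed value supplied by the client.
INSERT INTO wrapped_keys (username, key_name, wrapped)
VALUES ('alice', 'card_key',
        pgp_sym_encrypt(encode(gen_random_bytes(32), 'hex'),
                        'alice-sample-passphrase'));

-- Unwrap the data key. Returns NULL if the user has no row for this key;
-- raises an error if the passphrase is wrong.
CREATE FUNCTION unwrap_key(p_user text, p_key text, p_pass text)
RETURNS text LANGUAGE sql STABLE AS $$
    SELECT pgp_sym_decrypt(wrapped, p_pass)
    FROM wrapped_keys
    WHERE username = p_user AND key_name = p_key
$$;

-- Write: the column is encrypted with the unwrapped data key.
INSERT INTO customer (name, card_no)
VALUES ('Test Customer',
        pgp_sym_encrypt('4111111111111111',
                        unwrap_key('alice', 'card_key', 'alice-sample-passphrase')));

-- Read: only a session that can unwrap the key gets plaintext back.
SELECT name,
       pgp_sym_decrypt(card_no,
                       unwrap_key('alice', 'card_key', 'alice-sample-passphrase'))
       AS card_no
FROM customer;
```

The passphrase and the plaintext both cross the connection and appear in the statement text, so this design relies on SSL to the database, as the first quoted paragraph says, and on statement logging not capturing these queries.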