How to securely control access to a backend key server?
Posted
by
andy
on Server Fault
See other posts from Server Fault
or by andy
Published on 2012-09-20T10:10:00Z
Indexed on
2012/09/20
21:40 UTC
Read the original article
Hit count: 158
I need to securely encrypt data in my database so that if the database is dumped, hackers are unable to decrypt the data.
I'm planning on creating a simple key server on a different machine, and allowing the DB server access to it (restricted by IP address on the key server to permit the DB server). The key server would contain the key required to encrypt/decrypt data.
However, if a hacker were able to get a shell on the DB server, they could request the key from the key server and therefore decrypt the data in the database.
How could I prevent this (assuming all firewalls are in place, DB is not connected directly to the internet, etc)? i.e. is there some method I could use that could secure a request from the DB server to the key server so that even if a hacker had a shell on the DB server they'd be unable to make those same requests? Signed requests from the DB server could make issuing these requests less trivial - I suppose that'd help increase the amount of time it'd take to compromise the key server, something a hacker probably wouldn't have much of.
As far as I can see, if someone can get a shell on the DB server everything's lost anyway. This could be mitigated by using one key per data item in the DB so at least there's not a single "master" key, but multiple keys that the hacker would need to access.
What would be a secure method of ensuring requests from the DB server to the key server were authentic and could be trusted?
© Server Fault or respective owner