MySQL encryption functions

[kakariko81280]

I was looking that the hashing and encryption functions in MySQL recently and I came up with an odd question.

Is there any situation where encryption should be done in the database when it could be done at the client?

To expand on that a bit more. If the database is encrypted, and the client does the decrypting, then the key never needs to travel to the database, the data never passes over the network in the clear, and the processing load required to decrypt the data is moved from the server to the client allowing for (a bit) better scaling.

If the server handles the decryption then the exact opposite is true, and I can't think of any reason why you'd want to do that if you didn't have to.

I understand why the server-side hashing functions would be used, and I can see how the encryption functions could be handy if you didn't have a choice, but I'm looking for a scenario where you have the choice and server-side is better.

[kakariko81280]

Bump.

If I don't get a reply this time around, I'll give up on it.

Chris...

[EndianX]

I can't think of one off the top of my head.

I do use the md5 function sometimes. Like recently I had some trouble when I was setting up a phpbb, and I couldn't get logged into the admin account. The passwords are hashed with md5, so I was able to set the password to something I knew that way.

Most web applications won't have access to client side hashing/encryption. Javascript doesn't do it now does it?

[winter]

I can't think of one off the top of my head.

I do use the md5 function sometimes. Like recently I had some trouble when I was setting up a phpbb, and I couldn't get logged into the admin account. The passwords are hashed with md5, so I was able to set the password to something I knew that way.

Most web applications won't have access to client side hashing/encryption. Javascript doesn't do it now does it?

php supports crypt and md5 hashing functions

[TheAngelsOwl]

I don't think the mysql development team are putting a lot of effort into the encryption side of there database yet.....

I am sure if you sent them an email they could give you a load of information on it, They seem to reply to my emails with a lot of information.

Give it a try

Good luck

[engineuity]

why not encrypt both? I know php supports the md5 and i think sha for encryptions. The data wont be "traveling in the clear" either way then.

[kakariko81280]

Thanks for your answers everyone, it's pretty much sizing up the way I exepected it to.

Yes, I can definitly see them being useful. Particularly in situations where you want to set up encryption after the fact. Keeping the data inside the database for massive conversions would improve performance for that operation. Also, encryption can be coded into Javascript, but you're right, I don't think it supports encryption natively (and the javascript versions are really slow).

PHP does have useful encryption functions too, but I still reckon if you have the choice client side is better all round.

I am sure if you sent them an email they could give you a load of information on it, They seem to reply to my emails with a lot of information.

Good idea. If I get anything particularly interesting, I will post it here too.

Chris...

[winter]

Mysql 5 has encription support, and its good support as it can support AES cartography(practically unbreakeable at the moment). Ive only read a bit on it and im going to be playing with mysql 5 at the end of my samester for uni.

[sharp_blaze]

There are many ways to achieve what you want. You can use dm-crypt tool to encrypt your partition. You can use loobback encyrption to protect the dataase directory. For access control, use selinux (for RH) or apparmor (SuSE). There are some enterprise products avaialable out there also, look for security-general for mysql from Packet GENERAL Networks™

I was looking that the hashing and encryption functions in MySQL recently and I came up with an odd question.

Is there any situation where encryption should be done in the database when it could be done at the client?

To expand on that a bit more. If the database is encrypted, and the client does the decrypting, then the key never needs to travel to the database, the data never passes over the network in the clear, and the processing load required to decrypt the data is moved from the server to the client allowing for (a bit) better scaling.

If the server handles the decryption then the exact opposite is true, and I can't think of any reason why you'd want to do that if you didn't have to.

I understand why the server-side hashing functions would be used, and I can see how the encryption functions could be handy if you didn't have a choice, but I'm looking for a scenario where you have the choice and server-side is better.