I have a Postgres entity that has encrypted data and I would like to know if there is an easy way of mapping the encrypted bytea column to a string/number field. The catch here is that the encrypted key is stored in a HashiCorp Vault and is fetched via REST, so I can't just use a Hibernate ColumnTransformer with a built-in Postgres encrypting function because it will not take in any dynamic input into the annotation.
Is there a way to do this? Or are my only options
1) do the encryption on the server and save already encrypted data
2) make all the DB queries native queries and use postgres encrypt/decrypt functions (which means I can't use JpaRepository::save for example)
In some places I will need to use the Postgres decrypt function because this sensitive data is crucial data for reports, so I wanted to avoid having server-side logic for encryption and decryption.
Related
I am giving a presentation about cryptography. My teacher told me to include the advantages and disadvantages of TDE encryption and especially why you should use them instead of encrypting with C# for example. I couldn't find the real advantages of database encryption instead of encryption in a program.
Oracle Transparent Data Encryption specifically protects data at rest, when written into a datafile. It would not stop a database user with select privileges from seeing the data using SQL, and it allows the data to be used in all types of SQL constructs like joins and indexes.
Encrypting data in the application rather than the DB would prevent ad hoc SQL queries outside of the app from decrypting the data, and would make it impossible to use SQL (in the database or in the app) to search the data, make table joins, indexes, or do anything at all with the encrypted data outside of the hard-coded application. Application-level encryption could also interfere with data compression algorithms in the database or the storage media.
I have a database and in that database there are many tables of data. I want to fetch the data from any one of those tables by entering a query from the front-end application. I'm not doing any manipulation to the data, just retrieving the data from the database.
Also, mapping the data requires writing so many entity or POJO classes, so I don't want to map the data to any object. How can I achieve this?
In this case, assuming the mapping of tables is not relevant, you don't need to use JPA/Hibernate at all.
You can use an old, battle-tested JDBC template that can execute a query of your choice (that you'll pass from the client), will serialize the response to JSONObject and return it as a response in your controller.
The client side will be responsible for rendering the result.
You might also query the database metadata to obtain the information about column names, types, etc. so that the client side will also get this information and will be able to show the results in a more convenient / "advanced" way.
Beware of security implications, though. Basically it means that the client will be able to delete all the records from the database by a simple query and you won't be able to avoid it :)
Let's say that I need to have all the users' entered data encrypted in my DB and I am doing it like this:
Crypt::encrypt($request['content'])
Let's assume that my site will live and prosper for many years with many users and many, many GB of encrypted user data.
Does this mean that I have to be absolutely sure that I don't lose my app_key, which is in my .env file?
The only thing I could do if my key is compromised is to decrypt and encrypt with a new key?
You are very right.
Laravel is using AES encryption and the exact key is needed for decryption of data.
If you ever want to decrypt your data again then you need the encryption key.
In the Laravel implementation it is not possible to simply change the key. If the key is changed then you need to re-encrypt your data.
What are the ways in which data can be encrypted? Say for example salary column, even the admin should not be able to see the encrypted columns if possible, data should be visible only through application to users who have access which is defined in the application, changes in application (adding new functionality to encrypt/decrypt at application level) would be a last resort and minimal.
So far I have thought of 2 ways; any fresh ideas or pros and cons of the ones below would be much appreciated:
1. Using Oracle TDE (transparent data encryption).
- Con : Admin can possibly grant himself rights to see the data
2. Creating a trigger to encrypt before insert and something along the lines of a pipeline to retrieve.
Oracle Database Vault is the only way to prevent a DBA from being able to access data stored in the database. That is an extra cost product, however, and it requires you to have an additional set of security admins whose job it is to grant the DBAs whatever privileges they actually need.
Barring that, you'd be looking at solutions that encrypt and decrypt the data in the application outside the database. That would involve making changes to the database structure (i.e. the salary column would be declared as a raw rather than a number). And it involves application changes to call the encryption and decryption routines. And that requires that you solve the key management problem which is generally where these sorts of solutions fail. Storing the encryption key somewhere that the application can retrieve it but somewhere that no admin can access is generally non-trivial. And then you need to ensure that the key is backed up and restored separately since the encrypted data in the database is useless without the key.
Most of the time, though, I'd tend to suggest that the right approach is to allow the DBA to see the data and audit the queries they run instead. If you see that one particular DBA is running queries for fun rather than occasionally looking at bits of data in the course of doing her job, you can take action at that point. Knowing that their queries are being audited is generally enough to keep the DBA from accessing data that she doesn't really need.
Which options do I have if I need to store a lot of files or big data chunks with encryption, access them fast and have it all in one file? Something like SQLite with encryption and optimized for big chunks of data. Also I need a Ruby binding.
If you like SQLite, why not just use SQLite? Since it does have a BLOB datatype, you can always store your encrypted data as a BLOB and decrypt it upon retrieval. Just have Ruby do all the encryption and decryption.
I am not sure where you would want the key(s) to be, but you can store them in another column if you need a different key for every "chunk," or have one key for the entire application (in this case you could have it configurable on Ruby).
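A sketch of the per-chunk key option from the answer above, added here as an example and not code from the original post. It goes one step beyond the answer by wrapping each chunk key with an application key before it is stored, so the database file alone never holds a usable key; the column names `wrapped_key` and `body`, the chunk names and the demo master key are assumptions.

```ruby
require "openssl"
require "securerandom"

# Constructed application key for the demo; a real one comes from configuration
# kept outside the database file.
MASTER_KEY = OpenSSL::Digest::SHA256.digest("constructed-demo-master-key")

# AES-256-GCM; returns iv (12 bytes) + tag (16 bytes) + ciphertext as one BLOB.
def seal(key, plaintext, aad)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv
  cipher.auth_data = aad
  ciphertext = cipher.update(plaintext) + cipher.final
  iv + cipher.auth_tag + ciphertext
end

# Raises OpenSSL::Cipher::CipherError if the key, BLOB or aad does not match.
def unseal(key, blob, aad)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = blob.byteslice(0, 12)
  cipher.auth_tag = blob.byteslice(12, 16)
  cipher.auth_data = aad
  cipher.update(blob.byteslice(28..)) + cipher.final
end

# One row as it would be stored; :wrapped_key and :body are hypothetical BLOB
# columns. The chunk name is authenticated, so BLOBs cannot be moved between rows.
def encrypt_chunk(name, data, master = MASTER_KEY)
  data_key = SecureRandom.random_bytes(32) # fresh key for every chunk
  { name: name,
    wrapped_key: seal(master, data_key, name),
    body: seal(data_key, data, name) }
end

def decrypt_chunk(row, master = MASTER_KEY)
  data_key = unseal(master, row[:wrapped_key], row[:name])
  unseal(data_key, row[:body], row[:name])
end

# Changing the application key rewrites only the small key column.
def rewrap(row, old_master, new_master)
  data_key = unseal(old_master, row[:wrapped_key], row[:name])
  row.merge(wrapped_key: seal(new_master, data_key, row[:name]))
end
```

Each hash value maps directly onto a BLOB column, and `rewrap` leaves the large `body` BLOBs untouched when the application key changes.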