Database Encryption

7 posts by 2 authors in: Forums > CMS Builder
Last Post: November 14, 2018

Hello,

Can someone please tell me more about the "database encryption" function that I have seen in the General Settings area of the most recent cmsb version?

What type of encryption is used?

Is the entire database encrypted or can I select specific tables?

Does it affect read/write speed?

In general, what are the pros and cons of encrypting the database?

Thanks,

Greg

Hi Daniel,

Thank you for this info. Very interesting to read!

You mention:

"The main benefit of encrypting data is that it adds an extra layer of security to sensitive data. If someone were to gain a copy of your database or a backup file (made after the encryption), they wouldn't be able to directly read data from any encrypted fields."

If the hacker figures out that the database is using cmsb then they will of course be able to use CMSB's MySQL helper functions to read the data, correct?

Regards,

Greg

By daniel - November 14, 2018

Hi Greg,

"If the hacker figures out that the database is using cmsb then they will of course be able to use CMSB's MySQL helper functions to read the data, correct?"

The helper functions only provide the mechanism used to encrypt the data, so in such a case, the hacker would also need the encryption key to decrypt it, which is not stored directly in the database. However, it is still good to emphasize that this is only one possible layer in a complete security policy. I'd think of it more as protection against someone casually accessing the raw data rather than a strong defence against a dedicated attacker, and it shouldn't be considered a replacement for strong passwords and good server security.

Cheers,

Daniel
Technical Lead
interactivetools.com

Hi Daniel,

Yes, that all makes total sense. Just so I'm clear, where is the encryption key stored? Is that a private PPK or a PEM file stored somewhere on the server (in a cmsb directory?)?

Thanks,

Greg

By daniel - November 14, 2018

Hi Greg,

The encryption key is a user-supplied value supplied on the General Settings page in CMSB, so it's stored in the settings file.

Cheers,

Daniel
Technical Lead
interactivetools.com

Hi Daniel,

OK, thanks - I see this now. Maybe it would be safer to store this setting outside of the /public_html/ folder...

Anyway, really pleased to see you are taking security seriously and making improvements to the software in this respect.

Regards,

Greg
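
The placement question raised at the end of the thread (a key-bearing settings file inside or outside /public_html/) can be checked mechanically. The following is an added example, not part of the thread and not CMSB code; the directory layout, the file name `settings.example` and the helper `audit_key_file` are hypothetical.

```python
import os
import stat
import tempfile


def audit_key_file(settings_path, web_root):
    """Return a list of findings for a file that holds an encryption key."""
    findings = []
    # Resolve symlinks so the file is judged by where it really lives,
    # not by the path it was reached through.
    real_file = os.path.realpath(settings_path)
    real_root = os.path.realpath(web_root)
    if os.path.commonpath([real_file, real_root]) == real_root:
        findings.append("inside web root")
    mode = os.stat(real_file).st_mode
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    return findings


def demo():
    """Build a constructed site layout and audit two candidate locations."""
    base = tempfile.mkdtemp()
    web_root = os.path.join(base, "public_html")
    private = os.path.join(base, "private")
    os.makedirs(os.path.join(web_root, "app"))
    os.makedirs(private)

    exposed = os.path.join(web_root, "app", "settings.example")
    moved = os.path.join(private, "settings.example")
    for path, mode in ((exposed, 0o644), (moved, 0o600)):
        with open(path, "w") as fh:
            fh.write("key = CONSTRUCTED-SAMPLE-VALUE\n")  # constructed sample
        os.chmod(path, mode)
    return audit_key_file(exposed, web_root), audit_key_file(moved, web_root)


if __name__ == "__main__":
    for label, result in zip(("in public_html", "outside public_html"), demo()):
        print(label, "->", result or "no findings")
```
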