Database Encryption

7 posts by 2 authors in Forums > CMS Builder
Last Post: November 14, 2018

Hello,

Can someone please tell me more about the "database encryption" function that I have seen in the General Settings area of the most recent cmsb version?

What type of encryption is used?

Is the entire database encrypted or can I select specific tables?

Does it affect read/write speed?

In general, what are the pros and cons of encrypting the database?

Thanks,

Greg

By daniel - November 13, 2018

Hi Greg,

I wrote a bit about the new encryption features back when they first were introduced in the v3.14 beta: https://www.interactivetools.com/forum/forum-posts.php?postNum=2242370#post2242370

Some additional info to address some of your questions more directly:

  • The encryption used is AES (Advanced Encryption Standard).
  • Encryption is specified for specific fields/columns, rather than entire DB or tables.
  • It's very unlikely that it would cause any appreciable difference in database query speed.
  • The main benefit of encrypting data is that it adds an extra layer of security to sensitive data. If someone were to gain a copy of your database or a backup file (made after the encryption), they wouldn't be able to directly read data from any encrypted fields. One downside is that it makes it difficult to directly access data from the database yourself without using CMSB's MySQL helper functions.

Let me know if you have any further questions!

Thanks,

Daniel
Technical Lead
interactivetools.com

Hi Daniel,

Thank you for this info. Very interesting to read!

You mention:

The main benefit of encrypting data is that it adds an extra layer of security to sensitive data. If someone were to gain a copy of your database or a backup file (made after the encryption), they wouldn't be able to directly read data from any encrypted fields.

If the hacker figures out that the database is using cmsb then they will of course be able to use CMSB's MySQL helper functions to read the data, correct?

Regards,

Greg

By daniel - November 14, 2018

Hi Greg,

If the hacker figures out that the database is using cmsb then they will of course be able to use CMSB's MySQL helper functions to read the data, correct?

The helper functions only provide the mechanism used to encrypt the data, so in such a case, the hacker would also need the encryption key to decrypt it, which is not stored directly in the database. However, it is still good to emphasize that this is only one possible layer in a complete security policy. I'd think of it more as protection against someone casually accessing the raw data rather than a strong defence against a dedicated attacker, and shouldn't be considered a replacement for strong passwords and good server security.

Cheers,

Daniel
Technical Lead
interactivetools.com
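To illustrate the points in Daniel's two replies above in running code: this is an added example, not CMSB's helper functions or any code from interactivetools.com, and it is written in Go (not PHP) so that it runs stand-alone with only the standard library. It encrypts a single column with AES-256-GCM while the other columns stay in the clear, derives the key from a setting that lives outside the database, and shows that a dump of the table exposes only ciphertext and that the wrong key yields an error rather than data. The table and column names, the sample record, and the use of SHA-256 over the setting string to derive the key are all assumptions for the example; how CMSB actually derives or applies its key is not described in the thread.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Row models one record of a hypothetical "members" table in which only the
// SSN column is encrypted. Name stays plaintext: field-level, not whole-DB.
type Row struct {
	ID   int
	Name string // plaintext column
	SSN  string // base64(nonce || AES-GCM ciphertext || tag)
}

// keyFromSetting turns the user-supplied "encryption key" setting into a
// 256-bit AES key. SHA-256 here is a stand-in assumed for the example.
func keyFromSetting(setting string) []byte {
	sum := sha256.Sum256([]byte(setting))
	return sum[:]
}

// EncryptField encrypts one column value with AES-256-GCM under a fresh
// random nonce and returns text that fits in a VARCHAR/TEXT column.
func EncryptField(key []byte, plaintext string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// Seal appends ciphertext+tag to the nonce so one string carries both.
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField. A wrong key or a tampered value fails
// the GCM tag check and returns an error instead of garbage.
func DecryptField(key []byte, encoded string) (string, error) {
	sealed, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Dump renders the table the way a stolen SQL dump or backup would show it:
// plaintext columns readable, the encrypted column opaque.
func Dump(rows []Row) string {
	var b strings.Builder
	for _, r := range rows {
		fmt.Fprintf(&b, "INSERT INTO members VALUES (%d, '%s', '%s');\n", r.ID, r.Name, r.SSN)
	}
	return b.String()
}

func main() {
	// Constructed sample data. The key setting is held in a settings file on
	// the server, not in the database, so the dump by itself is not enough.
	key := keyFromSetting("example-setting-from-general-settings")
	ssn, err := EncryptField(key, "123-45-6789")
	if err != nil {
		panic(err)
	}
	rows := []Row{{ID: 1, Name: "Greg", SSN: ssn}}
	fmt.Print(Dump(rows))

	pt, _ := DecryptField(key, rows[0].SSN) // with the settings file: readable
	fmt.Println("with key:  ", pt)

	_, err = DecryptField(keyFromSetting("guess"), rows[0].SSN) // without it: error
	fmt.Println("wrong key: ", err)
}
```

Running it prints one INSERT line whose SSN column is base64 noise, then the recovered value and a "message authentication failed" error for the wrong key. The design choice worth noting is that the encryption routine (the equivalent of the helper functions) is assumed to be public; all of the protection rests on the key, which is why where that setting is stored, and who can read it, matters as much as the algorithm.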

By daniel - November 14, 2018

Hi Greg,

The encryption key is a user-supplied value supplied on the General Settings page in CMSB, so it's stored in the settings file.

Cheers,

Daniel
Technical Lead
interactivetools.com

Hi Daniel,

OK, thanks - I see this now. Maybe it would be safer to store this setting outside of the /public_html/ folder...

Anyway, really pleased to see you are taking security seriously and making improvements to the software in this respect.

Regards,

Greg