How to store sensitive user data in mysql using php

advertisements

I would like to store sensitive userdata like name and address in a mysql database.

My main question is how to search through the database that contains encrypted data.

if someone steals the computer it is not good, if the data is stored in plain text so I would like to encrypt it with a key, that is stored in the php files. The php files are encoded with ioncube, so a key inside the php code is (quite) secure.

On the other hand I also want to be able to query the application from the web-frontend for usernames and address.

My first idea was to encrypt the data before I store them and in my search-page, I would have to read the whole user database and decrypt it completely, so I can search in the results with php.

but for large userdatabases, this would be very memory-intense.


additional information:

I already have encrypted the password, so I need no solution for that.

I need a solution in php and mysql, because I cannot change the server configuration (disc-encryption, etc.) The server is an old ubuntu 9 installation which is very insecure, but cannot be changed for reasons I will not explain here.


You can encrypt each sensitive field of the database row but you need to keep the key secure. If you're worried about the whole server being stolen then you cannot store the decryption key on the filesystem as that would be stolen along with the machine.

You could use a per-user encryption with a key generated from the user's password. As you (I assume) are storing only the hash of the key (use Bcrypt) it will be difficult for an attacker to retrieve the user's password. However, this means only the user can view his data; admin accounts will not be able to decrypt other user's sensitive data. This may well be a deal-breaker for you.

If data needs to be accessible to others beside the user then you must use the same encryption key globally across your app. Without having this key in a config file your only option would be to attempt to store the key in memory (so that you would have to initialise the system before it was usable). This would not be enough to guarantee the key was not written to disk (think swap files, etc) but would go closer to protecting the data after a cold boot.