I'm using a MonetDB database to store massive amounts of sensor data, such as data from accelerometers and gyroscopes. Now I need to restrict access to the data. To restrict access through the database interface (by use of SQL), I created a user account with a password. The problem now is that I also want to prevent access at the level of the file system (e.g. copying the data and loading it into another MonetDB installation).
Is there any way to tell MonetDB to encrypt the files that are written to the filesystem?
This is not supported. Perhaps consider an encrypted file system?
Related
I have an SQLite3 database that I need to secure.
I'm confused between using sqlcipher to encrypt the whole database that I use in my Electron app or simply encrypting the data using the crypto dependency.
Any clarification or explanation would be welcome.
There are two different types of encryption: "encryption at rest" and "row level encryption".
What if someone gets access to your SQLite file? They have all your data. "Encryption at rest" protects you against this by encrypting the SQLite file itself. If someone steals your SQLite file it will be useless to them. sqlcipher provides encryption at rest. This is a good idea in general.
What if someone hacks into your application and injects SQL commands? What if they select all your customer data? It doesn't matter if the file is encrypted, the SQL connection will decrypt it. To protect against this you can add a layer of "row level encryption". This is where your application encrypts the data it writes and decrypts the data it reads. The data being stored is encrypted. This is more complicated and has more performance impacts. Since the data is inserted encrypted, it is more difficult to search and index. Use it only for very valuable data that you're not likely to have to search. You're better off securing your application against SQL injection in general.
We are using PouchDB to save our data locally. We want to make sure that data is saved securely.
If we are encrypting the data itself via a plugin it is not possible to query our DB because all the data is not readable anymore...
Is there a way to make sure data is saved securely without encrypting the data itself? Is it possible to encrypt the database as a whole?
Right now the only way to encrypt a Cassandra database at rest seems to be with their enterprise edition which costs thousands of dollars: How to use Cassandra with TDE (Transparent Data Encryption)
Another solution is to encrypt every value before it enters the database, but then the key will be stored somewhere on every server in plaintext and would be easy to find.
I understand they offer "free" use for certain companies, but this is not an option and I am not authorized to pay $2000/server. How do traditional companies encrypt their distributed databases?
Thanks for the advice
I took the approach of encrypting the data disk on AWS. I added a new volume to the instance and checked the option to encrypt the volume. Then I edited cassandra.yaml to point to the encrypted volume.
We have done a similar requirement in one of our projects. Basically, I made use of the trigger feature in Cassandra with a custom implementation to perform encryption. It seems to be working fine for us.
You can refer to the docs below on how to create a trigger and a sample implementation of the ITrigger interface:
https://docs.datastax.com/en/cql/3.3/cql/cql_reference/cqlCreateTrigger.html
https://github.com/apache/cassandra/blob/2e5847d29bbdd45fd4fc73f071779d91326ceeba/examples/triggers/src/org/apache/cassandra/triggers/AuditTrigger.java
Encrypting before inserting is a good way. The keys will either be on each application or on each Cassandra node. There isn't much difference really; either way you should use filesystem permissions to restrict access to the key to just the app's user. There are steps to get more secure from there, like requiring entering of a passphrase on startup vs storing on disk, but it makes operational tasks horrific.
What are your thoughts about SQL Server's symmetric key functions? Specifically, I have two questions:
Which set of functions is better... EncryptByKey or EncryptByPassPhrase?
Both functions require a passphrase of some kind. In a typical web-application architecture, where should this passphrase be stored? (i.e., hard coded within a stored procedure in the database, or stored as a configuration setting in the web application)
I'm eager to see what the best practice is for these functions.
Encrypting using a passphrase is easier, but the advantage of using a key is that the key can be secured using built-in SQL Server roles. You can lock down use of the key to only those users that require access to that data.
If you use a certificate then you only need plain text during the initial setup and can store it outside your system. Again, the certificate is a securable object and can be locked down.
Hope this helps.
I am using sqlite3 on a Linux machine and I am getting the database without username and password. Can I set a username and password for the same?
No, sqlite3 databases are very lightweight systems. They need no server and all data is stored in one file. A username/password is not supported by the sqlite/sqlite3 package.
In order to achieve simplicity, SQLite has had to sacrifice other characteristics that some people find useful, such as high concurrency, fine-grained access control, a rich set of built-in functions, stored procedures, esoteric SQL language features, XML and/or Java extensions, tera- or peta-byte scalability, and so forth.
(sqlite, when to use)
However, since it's only a file you can encrypt the file with a password to protect your data.
SQLite doesn't have a concept of username/password. It's just a single file based database.
However, on Unix you can protect your database from other users on the same machine by setting the permissions of the database file itself.
e.g. Allow only owner access
chmod 700 /path/to/sqlitedb
If it's used in a simple web application then the web application will provide the control.
The prior answers are only partially true. You can have databases that require authentication but you'll have to compile SQLite separately from PHP.
See the SQLite User Authentication documentation for further information.
SQLite is mainly an embedded database engine, not intended to be used as a multi-user database server that would require usernames and passwords.
You can always encrypt the database file with some user-provided password/-phrase, I guess. But expecting an embedded DBMS to sport full-blown access control is too much.