We have a web application based on the famous triad Apache + PHP + MySQL, which we sell to our customers and which gets installed on their servers.
Currently we are using MySQL 5.1.41, which has only a single user registered, root, with its password and access allowed only from localhost.
The problem is: if someone creates their own MySQL installation and then copies our database from its original location to that independent installation, they would be able to access its content.
Is there a way to prevent also this kind of improper access to our webapp database? Can it be enforced MySQL-side, or must it be something in our own application?
Best Answer
I normally do not endorse any one specific product, but in this case I will make an exception.
I have personally evaluated a product called Gazzang. It can encrypt data in such a way that when transported to another server, the data is unreadable unless the encryption key is copied and verified on that external server. I have tried this and copied /var/lib/mysql to another server that did not have the encryption key. The only SQL command that worked with the database encrypted was SHOW DATABASES; nothing else worked.
There are some hoops to jump through to get an entire /var/lib/mysql folder encrypted. Once done, you never have to worry about data encryption. Perhaps you could start like this:
The beautiful part of my evaluation was that the MySQL data was fully accessible by standard DB connections. Gazzang does not shield normal access protocols. You must take up responsibility for securing passwords:
June 6, 2012: Limiting database security
Feb 17, 2012: MySQL : Why are there "test" entries in mysql.db?
Feb 17, 2012: What is the mysql.db table used for?
Jan 19, 2012: MySQL error: Access denied for user 'a'@'localhost' (using password: YES)
Sep 28, 2011: Weird MySQL Users Been Created (eg. bug115166_10073) and not by me
Sep 11, 2011: Is this a normal set of MySQL privileges?
EPILOGUE
As for the physical data itself, this worked during the 30-day evaluation. Please evaluate it for yourself. I will leave it to you to investigate production case studies on Gazzang.
UPDATE 2015-09-29 12:26 EDT
Cloudera purchased and deprecated Gazzang.
Cloudera Data Encryption is still available.
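The question also asks whether the protection can instead live "in our own application". The following is an added example, not code from the original question or answer and unrelated to Gazzang or Cloudera: it encrypts sensitive column values in PHP with AES-256-GCM before they reach MySQL, so that someone who copies /var/lib/mysql (or a mysqldump) without the key file sees only ciphertext. The key file path, the table and column names, and the demo value are hypothetical.

```php
<?php
// Added example (not from the original page, and unrelated to Gazzang):
// application-side column encryption so that a copied MySQL data directory
// holds only ciphertext. Key file path, table and column names are hypothetical.
declare(strict_types=1);

// The key must live outside the database and outside any backup of it.
const KEY_FILE = '/etc/myapp/column.key';   // hypothetical path, NOT under /var/lib/mysql

// Load the 32-byte AES-256 key. For a stand-alone run this constructs a demo key
// in memory instead of reading KEY_FILE; in production read the raw 32 bytes from the file.
function loadKey(): string {
    // return file_get_contents(KEY_FILE);
    return hash('sha256', 'constructed-demo-key-do-not-use', true); // 32 raw bytes
}

// Encrypt one field value with AES-256-GCM.
// Stored form: base64(iv || tag || ciphertext), one fresh 96-bit nonce per value.
function encryptField(string $plaintext, string $key): string {
    $iv  = random_bytes(12);
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

// Decrypt a stored value. Returns null (never garbage) when the key is wrong
// or the stored bytes were altered, because the GCM tag check fails.
function decryptField(string $stored, string $key): ?string {
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) {   // 12-byte iv + 16-byte tag minimum
        return null;
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

// With PDO the calls sit around the prepared statement (hypothetical table/column):
//   $stmt = $pdo->prepare('INSERT INTO customers (name, ssn) VALUES (?, ?)');
//   $stmt->execute([$name, encryptField($ssn, $key)]);
//   ...
//   $row['ssn'] = decryptField($row['ssn'], $key);

// Stand-alone demonstration with a constructed value.
$key    = loadKey();
$stored = encryptField('123-45-6789', $key);
printf("value stored in MySQL: %s\n", $stored);            // ciphertext only
printf("value our app reads:   %s\n", decryptField($stored, $key));

// Whoever copied the data directory but not KEY_FILE gets nothing usable:
$wrongKey = hash('sha256', 'attacker-guess', true);
var_dump(decryptField($stored, $wrongKey));                // NULL
```

Two caveats a practitioner should weigh before choosing this route over file-level encryption: the schema, row counts and unencrypted columns remain visible in a copied data directory, and encrypted columns can no longer be searched or indexed by value (a `WHERE ssn = ?` lookup needs a separate deterministic token such as an HMAC of the value, stored alongside the ciphertext). The key file must also be excluded from whatever backup job captures /var/lib/mysql, or the copy carries its own key.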