最近我一直在研究一些数据,尽管这些数据不受任何信息安全法律的直接管辖,但其敏感度足以保证被加密。我有兴趣了解有关存储此类数据的最佳实践,特别是加密是在操作系统/文件系统级别还是在数据库级别实现最佳。
这两种方法在安全性、可扩展性和可访问性方面的优缺点是什么?
问问题
457 次
1 回答
1
OS/Filesystem level encryption will protect your database only if your hardware would be stolen.
If an attacker get access to an running system, he/she can access the database cause Filesystem is mounted.
Database level encrpytion would protect you against hacks etc if its ensured, that the keys can't accessed by an attacker easily (e.g. generate the key on the fly from users session and drop the key on logout).
It is not very easy to implement case in most cases the information will be need to proccesed by your application.
If you have a single application key it is possible that this key could also be stolen.
Also it wouldn't be possible to use most features of modern databases and you have to implement many things in your application instead (e.g. joining,filtering etc. based on encrypted data).
于 2013-05-02T08:09:00.930 回答