
Storing Your Data Securely: A Primer

55 points by ShaneWilton almost 11 years ago

4 comments

ctz almost 11 years ago
Not related to the article, but the source:

Having my email address on my blog is a vulnerability. Another vulnerability is named 'Rudimentary Scan', meaning 'we looked, and your site has no client-side vulnerabilities'. These issues mean my blog is 'borderline unsafe'. Wut.

Neither of these is a vulnerability; to call them such does a disservice to your customers' understanding of technical language.
Comment #8087388 not loaded
atmosx almost 11 years ago
I'm not a security guru, but the most common scenario (even today, when big data and NoSQL/graph DBs thrive) is a website running on a SQL database (with some additional memcached/Redis or Mongo?).

Say I encrypt the entries... Since the database runs on localhost, if the host is compromised and subsequently 'rooted', what exactly does database encryption offer?

The intruder will sniff/find the encryption key(s), since the key must be somewhere inside the application or in memory (don't know how, but I'm sure it's possible) in order to be able to decrypt data on the fly. The way I see it, it's just added complexity for the admin with no gain.

Is there any way of defending an SQL database even when the host is compromised?
Comment #8088309 not loaded
Comment #8088050 not loaded
dopamean almost 11 years ago
A semi-interesting, completely off-topic note on something I just learned after walking the earth for 28 years. The word "primer" as it is used here is actually pronounced "primmer" and not "PRIMEr". Apparently the origins of both words are pretty unrelated.
Comment #8088046 not loaded
itistoday2 almost 11 years ago
> These functions belong to a family of functions known as key derivation functions: they use hashing to produce a digest which is suitable for use as a password hash.

KDFs are not for storing password hashes; they are for key derivation. This is a subtle point; the main thing is to use KDFs as KDFs (to derive keys that are then used to encrypt data). Details in the first link here (the second is about common mistakes when using scrypt):

- http://blog.ircmaxell.com/2014/03/why-i-dont-recommend-scrypt.html (bad title, he's referring to password storage, not KDF usage)

- http://vnhacker.blogspot.com/2014/04/fairy-tales-in-password-hashing-with.html

Another consideration is plausible deniability (PD) for situations where you're compelled to disclose your password(s). Our company writes Mac encryption software that specializes in this (and it uses scrypt). Here's a list of tools that offer PD (ours is called Espionage):

https://en.wikipedia.org/wiki/Deniable_encryption#Software

I compared Espionage's PD to TrueCrypt's on reddit:

http://www.reddit.com/r/security/comments/2b5icu/major_advancements_in_deniable_encryption_arrive/cj24a1n
Comment #8087542 not loaded
Comment #8087329 not loaded
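The distinction itistoday2 draws above, that the same scrypt function serves two different jobs, is shown below in an added example that is not part of the thread and not code from the article, Espionage, or any linked post. In the password-storage use, the scrypt output is the stored verifier and is compared in constant time. In the key-derivation use, the output is split into an encryption key and a MAC key, only the salt and nonce are written to the stored blob, and the keys are re-derived from the password whenever the blob is opened. All parameter values, the record format and the blob layout are constructed for the example. The keystream uses HMAC-SHA256 in counter mode as a stand-in for a real AEAD (AES-GCM or ChaCha20-Poly1305 from a vetted library) so that the block runs on the Python standard library alone.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Cost parameters for scrypt (constructed values for this example; tune to your hardware).
# Memory use is 128 * r * N bytes, 16 MiB here, under hashlib.scrypt's default limit.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def scrypt_bytes(password: bytes, salt: bytes, length: int) -> bytes:
    """Run scrypt with the fixed parameters above and return `length` bytes."""
    return hashlib.scrypt(password, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, dklen=length)


# ---- Use 1: password storage. The scrypt output is itself the stored verifier. ----

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_hex$digest_hex (constructed format)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = scrypt_bytes(password.encode(), salt, 32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record and compare in constant time."""
    scheme, n, r, p, salt_hex, digest_hex = record.split("$")
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# ---- Use 2: key derivation. The scrypt output is a key and is never written anywhere. ----

def derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive an encryption key and a separate MAC key from one password and salt."""
    material = scrypt_bytes(password.encode(), salt, 64)
    return material[:32], material[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 used as a PRF.
    Demonstration stand-in for a real AEAD; use AES-GCM or ChaCha20-Poly1305 in production."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(password: str, plaintext: bytes) -> bytes:
    """Produce salt(16) || nonce(16) || ciphertext || tag(32).
    Encrypt-then-MAC: the tag covers salt, nonce and ciphertext. Keys are not stored."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(password, salt)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def unseal(password: str, blob: bytes) -> Optional[bytes]:
    """Re-derive the keys, verify the tag before touching the ciphertext, return None on failure."""
    if len(blob) < 16 + 16 + 32:
        return None
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))


if __name__ == "__main__":
    record = hash_password("correct horse")
    print(record, verify_password("correct horse", record), verify_password("wrong", record))
    blob = seal("correct horse", b"row contents")
    print(unseal("correct horse", blob), unseal("wrong", blob))
```

The record from `hash_password` is what a login table stores; the blob from `seal` is what an application-level encryption layer stores, and a reader of either sees only salt, parameters and (for the blob) a nonce and tag, never the derived key. Rejecting a blob whose tag fails before decrypting anything is what keeps tampering and wrong-password cases indistinguishable to the caller.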