On 29.02.2016 at 20:54, Gary Smith wrote:
On 29/02/2016 19:50, Reindl Harald wrote:
cryptsetup/luks can achieve that way better
Only to a degree.
No, not only to a degree. When the question is "do not store anything unencrypted on the disk", there is no degree, it is either/or.
Once the disk is unencrypted, you've got access to the filesystem. If you've got physical access to the machine, then anything which gives you console access gives you (potentially) access to the underlying database files. If you can get those, it's trivial to get access to the dataset that they contain. However, if TDE is employed, then you've got another significant obstacle to overcome: The data is only encrypted (aiui) once it's in memory. At this point, you're needing to do attacks on RAM to get access to the data - and even then, you're unlikely to get 3 bars for a jackpot payout of the whole database schema, assuming a decent sized database.
In theory. In reality you don't need to hack around in the RAM: mysqld needs to have access to the key to operate on the data, so you only need to find that one piece.
The same goes for encryption on the application side before sending data to the db layer. See the start and subject of this thread for how far people are from understanding how and on what layer things are encrypted, and what exactly is protected in which context....
There is no "turn this on and you are safe" without deeper understanding.
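To make the layering argument in this thread concrete, here is an added example (not code from the thread, from MySQL, or from cryptsetup). It models the three layers discussed, dm-crypt/LUKS under the filesystem, TDE inside mysqld, and encryption in the application, and asks, for each attacker position, whether a stored secret can be recovered. Assumptions: each key lives only in the memory or keyring of the component named for it; the console attacker reads through the already-unlocked filesystem; the cipher is a throwaway HMAC-SHA256 counter-mode construction standing in for AES, because the point is where the key lives, not the cipher.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16

# Layers from the disk upward. The key for each lives in the named component.
#   luks -> kernel dm-crypt, unlocked while the host runs
#   tde  -> mysqld (its keyring)
#   app  -> the application that writes to the db layer
LAYERS = ["luks", "tde", "app"]

# Assumed attacker positions and which keys each one can reach (illustrative model).
VANTAGE_POINTS = {
    "offline disk image (machine powered off)": set(),
    "console/file access on the running host": {"luks"},
    "mysqld memory or its keyring": {"luks", "tde"},
    "application memory or config": {"luks", "tde", "app"},
}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF: HMAC-SHA256 in counter mode. Stand-in for AES, not for deployment."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        msg = nonce + counter.to_bytes(8, "big")
        blocks.append(hmac.new(key, msg, hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt: fresh nonce prepended, data XORed with the keystream."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(key, nonce, len(data))
    return nonce + bytes(a ^ b for a, b in zip(data, stream))


def unseal(key: bytes, blob: bytes) -> bytes:
    """Decrypt the output of seal()."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    stream = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))


def store(secret: bytes, enabled: set, keys: dict) -> bytes:
    """Write path: apply the enabled layers from the application down to the disk."""
    blob = secret
    for layer in reversed(LAYERS):  # app first, then tde, luks last
        if layer in enabled:
            blob = seal(keys[layer], blob)
    return blob


def recover(blob: bytes, enabled: set, keys: dict, held: set):
    """Read path from one vantage point: peel layers from the disk upward with the
    keys that position holds, stopping at the first enabled layer whose key it lacks."""
    for layer in LAYERS:
        if layer not in enabled:
            continue
        if layer not in held:
            return None
        blob = unseal(keys[layer], blob)
    return blob


def exposure(secret: bytes, enabled: set) -> dict:
    """For each vantage point, True if the secret is recoverable from what is stored."""
    keys = {layer: secrets.token_bytes(32) for layer in LAYERS}
    on_disk = store(secret, enabled, keys)
    return {
        where: recover(on_disk, enabled, keys, held) == secret
        for where, held in VANTAGE_POINTS.items()
    }


if __name__ == "__main__":
    # Constructed sample row; any bytes will do.
    row = b"customer=alice;iban=DE00 0000 0000 0000 0000 00"
    for setup in [set(), {"luks"}, {"luks", "tde"}, {"luks", "tde", "app"}]:
        print("enabled:", sorted(setup) or "nothing")
        for where, readable in exposure(row, setup).items():
            print(f"  {where:45s} {'PLAINTEXT' if readable else 'ciphertext'}")
```

Running it shows what the thread is arguing about: every layer only defeats positions below the component that holds its key. LUKS alone stops the offline disk image and nothing else; TDE additionally stops someone who can merely read the database files on the running host, but anyone who can reach mysqld's memory or keyring gets the data back; encryption in the application pushes the boundary up one more level, and the application process itself remains the place where the key has to be found.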