> We decrypt the database (it's only to be decrypted by the secadmins (3)
> private keys) we read it, and then we remove the decrypted copy.
> Needless to say that even secadmins forget to remove the decrypted copy every
> now and then.

It seems you are doing double work to get the desired results. First you
decrypt the db (database) and after that you remove it again. It might put
pretty much load on the box.

> Is there a way to decrypt it on the fly, so that no copy is stored on the
> disk (I guess only in RAM) that provides the same possibility to limit
> access to certain private keys.
> Would that maybe involve writing an interface to do the job (e.g. a php page
> that can run a query on the database) or is there an off-the-shelf solution
> to this.

There are several solutions for this. Think of the shadow password storing
technique or the md5, xor encryption methods. What I think is that you
encrypt all the database once, and when needing to decrypt it just use the
*appropriate* method and get the results. Don't put the decrypted db on the
disk; you can put it in RAM.

I might not be able to convey my message properly but it's something like,

Encrypted Data -> You want some info out of that -> Tell the program to get
the encrypted db -> decrypt it in the mem only -> display the results.

Hope this works.

Naseer
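
The decrypt-in-memory flow described in the reply above, as an added example that is not part of the original message. It assumes the database is stored as a GnuPG-encrypted SQL dump (the file name `db-dump.sql.gpg` is a placeholder) and that SQLite is an acceptable query engine; the function names are hypothetical.

```python
import sqlite3
import subprocess
import sys

# Assumption: the database is kept as a GnuPG-encrypted SQL dump; the file
# name is a placeholder. gpg writes the plaintext to stdout, not to a file,
# and only holders of a recipient private key can decrypt it.
GPG_DECRYPT = ["gpg", "--quiet", "--decrypt", "db-dump.sql.gpg"]


def open_decrypted(decrypt_cmd):
    """Run decrypt_cmd and load the SQL dump from its stdout into RAM only."""
    # stdout is captured through a pipe, so no plaintext file is created.
    proc = subprocess.run(decrypt_cmd, stdout=subprocess.PIPE, check=True)
    conn = sqlite3.connect(":memory:")
    # Keep SQLite's temporary tables and indices in memory as well.
    conn.execute("PRAGMA temp_store = MEMORY")
    conn.executescript(proc.stdout.decode("utf-8"))
    return conn


def query_decrypted(decrypt_cmd, sql, params=()):
    """Decrypt, run one query, and discard the plaintext database again."""
    conn = open_decrypted(decrypt_cmd)
    try:
        return conn.execute(sql, params).fetchall()
    finally:
        conn.close()  # the in-memory database is dropped here


if __name__ == "__main__":
    # Constructed stand-in for the decrypt step so the example runs offline:
    # a child process that prints a small SQL dump, as gpg would after
    # decrypting. In real use, pass GPG_DECRYPT instead.
    dump = ("CREATE TABLE accounts(name TEXT, role TEXT);"
            "INSERT INTO accounts VALUES('alice','secadmin');"
            "INSERT INTO accounts VALUES('bob','user');")
    stand_in = [sys.executable, "-c", "import sys; sys.stdout.write(%r)" % dump]
    print(query_decrypted(stand_in,
                          "SELECT name FROM accounts WHERE role = ?",
                          ("secadmin",)))
```

Plaintext held only in RAM can still reach disk through swap or a core dump, so this removes the forgotten decrypted copy but not every on-disk exposure.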
