> Isn't it all just obfuscation?

Not really, the encryption protects the file, wherever it is, as long as
the attacker does not have access to the application keys or application
memory.

> If the adversary is another process on the same host, encrypting the db
> just adds obfuscation, which is security against lazy hackers.

Another process would need debug privileges to access your application's
memory.

If you rely on disk encryption primarily, then if that encryption is
compromised, or if backups are compromised, or if a root user copies the
wrong files in the wrong places, or just makes any error, then everything
on that disk can be compromised.

With application-level encryption, user error will only compromise that
app's data, and you otherwise need the root user to be the attacker, which
makes the problem quite different from the root user making a mistake.

Finally, in the grand scheme of things, the likelihood of any disk
encryption being broken (as an implementation) is extremely high, given it
is such a juicy target. And when it is broken, automated tools will be
available for all lazy hackers to download and deploy with a single click.

So while you can and should use disk encryption, it can only be seen as an
added security layer, never as a primary security layer.

Eric


On Fri, Jun 9, 2017 at 12:13 AM, Wout Mertens <wout.mert...@gmail.com>
wrote:

> Isn't it all just obfuscation? Any root user can read your key, if not from
> disk then from memory. Any normal user can't read your key, nor from disk,
> nor from memory; and they can't read your db file either.
>
> So if the adversary is someone with access to your disk image, disk
> encryption trumps db encryption (unless the disk encryption is vulnerable
> to known-plaintext attacks, but I guess they probably apply to sqlite too).
>
> If the adversary is another process on the same host, encrypting the db
> just adds obfuscation, which is security against lazy hackers.
>
> On Thu, Jun 8, 2017 at 9:04 PM Richard Hipp <d...@sqlite.org> wrote:
>
> > On 6/8/17, Wout Mertens <wout.mert...@gmail.com> wrote:
> > > Just musing: is an encrypted disk not more reliable? You have to store
> > > the key somewhere…
> >
> > Maybe.  I guess it depends on your threat model.
> >
> > Encrypting the whole disk is a system setting.  Anybody who has
> > access to the system can see everything on disk.  You also have to
> > have administrator privileges to set it up.
> >
> > Encrypting a single database file is an application setting.  Some
> > applications might want to hide their data from other applications on
> > the same system, or from the user of the system.  Whole disk
> > encryption won't help there.  And, database encryption requires no
> > special privileges.
> >
> > --
> > D. Richard Hipp
> > d...@sqlite.org
> > _______________________________________________
> > sqlite-users mailing list
> > sqlite-users@mailinglists.sqlite.org
> > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
> >