Skip to content
This repository has been archived by the owner on May 19, 2021. It is now read-only.

Encrypting MariaDB #15

Open
Androx27 opened this issue Apr 21, 2019 · 3 comments
Open

Encrypting MariaDB #15

Androx27 opened this issue Apr 21, 2019 · 3 comments
Assignees
@Androx27
Labels
enhancement New feature or request security A vulnerability has been discovered

Comments

@Androx27
Copy link
Member

Steps taken:

  1. Creating key for encrypting and decrypting db
  2. Encrypting key with another encryption + salt method so MariaDB can decrpyt/encrypt securely

Things to do:

  1. Since latest XAMPP is using MariaDB 10.1.38 (the latest ver. ones is 10.3.14) and lacks plugin for that encryption work, i'll try to using this version 1st before MIGRATING to the latest ver.
  2. Testing.
@Androx27 Androx27 added enhancement New feature or request security A vulnerability has been discovered labels Apr 21, 2019
@Androx27 Androx27 self-assigned this Apr 21, 2019
@ryumada
Copy link
Member

ryumada commented Apr 21, 2019

hey I still don't know about it, but do MariaDB can be used on a native-browser-app or php docker or something like that that make this web app standalone?

@Androx27
Copy link
Member Author

hey I still don't know about it, but do MariaDB can be used on a native-browser-app or php docker or something like that that make this web app standalone?

[https://mariadb.com/kb/en/library/installing-and-using-mariadb-via-docker/]

@Androx27
Copy link
Member Author

Androx27 commented Apr 21, 2019
edited
Loading

Testing with done MariaDB 10.1.38

Results

  • ALL DB HAS BEEN ENCRYPTED WHEN ISN'T USED OR LOGGED IN
  • 5 ROTATING KEYS AVAILABLE FOR MAKING ENCRYPTION ALGORITHM MORE HARDER TO BE ANALYSED
  • Hiding decryption priv key (this one needs extra attention since i cant using Amazon Web Service API for key management or other online service ) why? because private key needs to be separated from the host/server so attacker cant guessing/searching (via directory travesal, exploitable php function or even LFI but i already taking prevention for those vulns, maybe) key in localhost
  • Changing file permission for priv key and conf file

Things to do:

  1. Making auto script to change the rotation of keys each specific time
  2. Changing CBC to CTR (will try if CTR is supported) ❌

VULN FOR NOW

  1. Since CBC is used, the table column name is still in plain text

DONT ASK THIS (IF YOURE ASKING THIS, THEN YOU'RE AN IDIOT)

Can you encrypt the db name too?

Ref:

  • 1. https://stackoverflow.com/questions/3115559/exploitable-php-functions/3697776
  • 2. https://security.stackexchange.com/questions/35492/is-it-possible-for-a-hacker-to-download-a-php-file-without-executing-it-first
  • 3. https://mariadb.com/kb/en/library/encryption-plugin-api
  • 4. https://mariadb.com/kb/en/library/file-key-management-encryption-plugin/

db encryption
encrypted table but not column name

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@Androx27 Androx27

Labels
enhancement New feature or request security A vulnerability has been discovered
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ryumada @Androx27