I want to encrypt serialised customer details and store them in a database to protect against attacks where the attacker has access to the raw database records. The records then need to be accessible by multiple logged-in users, but do not need to be indexed or searched.
The naive approach would be to use a system-wide key for symmetrical encryption using AES or similar; however, I'm not sure that this is any more secure than no encryption at all.
Is it generally safe to say that raw DB access is more of a threat than source code access? Assuming so (which I believe to be the case in my situation), is there a better approach that I can use than one system-wide key?
Thanks
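
The system-wide-key approach the question describes, as an added example that is not part of the original post: each serialised record is sealed with AES-256-GCM under one key held outside the database, so a copy of the raw rows alone does not reveal the customer details. The function names, the sample record and the choice to bind the record id as associated data are assumptions of this example.

```javascript
// Added example: one system-wide AES-256-GCM key kept outside the database.
const crypto = require('crypto');

// Assumption: in a real deployment the key comes from a secret store or KMS,
// never from the database itself. Generated here so the example runs offline.
const SYSTEM_KEY = crypto.randomBytes(32);

// Seal a serialised customer record. The record id is bound as associated
// data, so a ciphertext copied onto another row fails authentication.
function encryptRecord(key, recordId, customer) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every record
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(String(recordId)));
  const ct = Buffer.concat([
    cipher.update(JSON.stringify(customer), 'utf8'),
    cipher.final(),
  ]);
  // Stored column value: iv || tag || ciphertext, base64 encoded.
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Open a stored value; throws if the key, record id or ciphertext is wrong.
function decryptRecord(key, recordId, stored) {
  const raw = Buffer.from(stored, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(String(recordId)));
  decipher.setAuthTag(raw.subarray(12, 28));
  const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Returns true when decryption succeeds, false when authentication fails.
function canRead(key, recordId, stored) {
  try {
    decryptRecord(key, recordId, stored);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample data standing in for one database row.
const sample = { name: 'Alice Example', email: 'alice@example.com' };
const row = { id: 42, blob: encryptRecord(SYSTEM_KEY, 42, sample) };
```

The protection holds only while the key stays out of the attacker's reach: anyone who obtains the one system-wide key can read every record.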