[nycphp-talk] Data encryption on ISP server

csnyder chsnyder at gmail.com
Sat Jun 25 10:53:53 EDT 2005


On 6/24/05, Frank Wong <frank_wong2 at informationideas.com> wrote:
> my concern is that where and how do I
> store this all important pass-phrase since it is the key that opens all
> doors.  

As other people have already pointed out, dedicated hosting is the way
to go if you have data you need to keep secret.

The exception to this is if you have data that only needs to be
decrypted by you (or the staff of your organization), such as credit
card numbers. In that case, you can encrypt the incoming data using an
RSA public key. It can then only be decrypted with the matching
private key, which you would store locally. You could download and
decrypt the data (or upload the private key temporarily and decrypt on
the server) whenever you need to access it. But this couldn't be
automated, and your users would not be able to access the data.

No matter what scheme you use to encrypt, if the decryption key is
available on the server, and an attacker can read your application's
code, then they have access to the data. Both these conditions are, in
theory, true on any shared server.


Chris Snyder
http://chxo.com/
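
The public-key scheme described in the message above, sketched in PHP as an added example that is not part of the original post. It assumes PHP's openssl extension; the function names, passphrase and card number are constructed for illustration.

```php
<?php
// Added illustration; function names and sample values are hypothetical.

// --- Once, on a local machine (never on the shared host) ---
$pair = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
if ($pair === false) {
    die("key generation failed\n");
}
$passphrase = 'constructed-local-passphrase';          // constructed value
openssl_pkey_export($pair, $privatePem, $passphrase);  // private key stays local
$publicPem = openssl_pkey_get_details($pair)['key'];   // only this is uploaded

// --- On the shared server: only $publicPem exists there ---
function encrypt_for_storage(string $plaintext, string $publicPem): string
{
    // RSA-2048 with OAEP holds at most 214 bytes per operation: enough for
    // a card number, not for arbitrary records.
    if (!openssl_public_encrypt($plaintext, $cipher, $publicPem,
                                OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($cipher); // text-safe for a database column
}

// --- Back on the local machine, after downloading the stored rows ---
function decrypt_locally(string $stored, string $privatePem, string $passphrase): string
{
    $key = openssl_pkey_get_private($privatePem, $passphrase);
    if ($key === false) {
        throw new RuntimeException('wrong passphrase or damaged key');
    }
    if (!openssl_private_decrypt(base64_decode($stored), $plain, $key,
                                 OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('decryption failed');
    }
    return $plain;
}

$stored = encrypt_for_storage('4111111111111111', $publicPem); // constructed test number
echo "stored on server: ", substr($stored, 0, 32), "...\n";
echo "decrypted locally: ", decrypt_locally($stored, $privatePem, $passphrase), "\n";
```

Code on the server can write new ciphertext but cannot read back what it stored, which is why this variant cannot be automated or serve the data back to users.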


