[nycphp-talk] Encrypt and decrypt to store in DB

csnyder chsnyder at gmail.com
Fri Aug 4 14:32:37 EDT 2006


On 8/4/06, Aaron Fischer <agfische at email.smith.edu> wrote:
> In my case I am thinking about encrypting (and decrypting) the user's
> social security number.
>
> Where to store the key is a similar problem as where to store the
> username/password credentials for DB access, correct?
>
> I'm in a shared hosting environment so I've got that working against me
> as well.
>
> -Aaron

It's a slightly different problem. After all, one of the big reasons
to encrypt that SSN is that there's a very good chance that someone
else on your shared host could, with enough effort, get the access
credentials that the webserver uses to connect to the DB.

Since you can't keep the webserver out of the database, the encryption
scheme is there to keep it out of the data itself.

It bears mentioning that you really want to use an asymmetric
encryption algorithm (like RSA) so that the decryption key (which only
you have) is different from the encryption key (which the server has).

-- 
Chris Snyder
http://chxo.com/
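
The split described in the message above, sketched with PHP's OpenSSL extension as an added example that is not part of the original post. The function names, passphrase and sample SSN are constructed for illustration, and RSA with OAEP padding is one assumed way to realize "the server has only the encryption key".

```php
<?php
// Added example. Function names, passphrase and the SSN are constructed.

// 1) Run once on a machine you control, never on the shared host.
function make_keypair(string $passphrase): array {
    $pair = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA,
                              'private_key_bits' => 2048]);
    if ($pair === false || !openssl_pkey_export($pair, $privatePem, $passphrase)) {
        throw new RuntimeException('key generation failed: ' . openssl_error_string());
    }
    return [$privatePem, openssl_pkey_get_details($pair)['key']];
}

// 2) On the web server: only the public key is deployed here.
function encrypt_ssn(string $ssn, string $publicPem): string {
    $key = openssl_pkey_get_public($publicPem);
    if ($key === false ||
        !openssl_public_encrypt($ssn, $cipher, $key, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($cipher);   // store this string in the DB column
}

// 3) Offline, where the private key lives.
function decrypt_ssn(string $stored, string $privatePem, string $passphrase): string {
    $key = openssl_pkey_get_private($privatePem, $passphrase);
    $raw = base64_decode($stored, true);
    if ($key === false || $raw === false ||
        !openssl_private_decrypt($raw, $plain, $key, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('decryption failed');
    }
    return $plain;
}

[$privatePem, $publicPem] = make_keypair('constructed-passphrase');
$a = encrypt_ssn('000-12-3456', $publicPem);   // constructed sample value
$b = encrypt_ssn('000-12-3456', $publicPem);

// OAEP is randomized: equal SSNs give different ciphertexts, so someone holding
// the public key cannot confirm a guess by re-encrypting candidate SSNs and comparing.
var_dump($a !== $b);
// The key the server holds cannot be loaded as a decryption key.
var_dump(openssl_pkey_get_private($publicPem) === false);
// Only the private-key holder recovers the value.
var_dump(decrypt_ssn($a, $privatePem, 'constructed-passphrase') === '000-12-3456');
```

With this layout the web application can write SSNs but cannot read them back or search on them; any step that needs the plaintext has to run where the private key is kept.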


