NYCPHP Meetup

NYPHP.org

[nycphp-talk] Website Data Encryption tools

Joe Leo joeleo724 at gmail.com
Sun Apr 6 20:57:05 EDT 2008 

Hi Tim,

Thanks for your reply and comments. The comments so far from the list has
enlightened me  a lot on this topic. And, I thank all for there comments!

The missing piece of info I guess I did not realize is that if I encrypt
some drive or part of it like folders or some system volume that I had to
have the decryption keys as part of it. I thought the keys was encrypted as
well. And, the only time it could be decrypted is by me.
So, If I wanted to modify and update the encrypted data I would then
download it back to my machine and decrypt it and make whatever changes and
upload it back to the server. While uploading and downloading the data it is
already in encrypted form.

And, my understanding was that new data that is saved/updated by users would
be encrypted on the fly. Encrypted data that leaves the server would be
decrypted BUT then with SSL only the user would see the requested data. This
was my understanding of what tools like TrueCrypt does. So, I think I'm
totally missing the point of the product.

For questions/comments about what kind of data I need to protect is hard to
answer as I don't have any specific data in mind. I'm more interested in
understanding the technology - regardless of data. But, to try and answer
that I would say any kind of typical web based application - but nothing
specific.

Joe



On Sun, Apr 6, 2008 at 8:33 PM, Tim Lieberman <tim_lists at o2group.com> wrote:

> Joe Leo wrote:
>
> > You've hit the right questions I am looking to understand. The answer is
> > both. From what I understand about a tool like TrueCrypt I can encrypt say
> > my webfolder (web site) and upload it to my hosting provider. And, what I am
> > trying to understand is can the encrypted data remain encrypted and still
> > serve content. Or, once I upload the encrypted data must I need to decrypt
> > it to serve the content? I am not concern about data being encrypted out to
> > the users browser. SSL takes care of that - right? So, if it is that I can
> > encrypt and it remains encrypt while serving content then this is not a bad
> > solution. And, of course one can take other measures like ssh to the server
> > to actually keep access to it secure.
> >
> In 99% of cases, there's no real argument for storing data on the server
> in an encrypted state.  This is because if your host security is
> compromised, the cracker will have your encryption keys as well as your
> encryption data.
>
> Communicating with server (Administration, Uploading files, etc):
>  SSH/SFTP.
> Data On The Server: Usually there is no good argument for encrypting it.
>  If you're going to be serving it to anyone, you'll need to decrypt it on
> the way out, so they can read it.  If the server can decrypt it, anyone who
> compromises the server can decrypt it, so it's useless and a waste of
> resources.
>
> Server Communicating with Clients: use SSL.
>
>
> The exception case:  You have a small group of users, to whom you want to
> make available some very secret data.  You don't want to do any processing
> of the data on the server.  You just want to upload an encrypted file, and
> have them download it (still encrypted).  This of course implies that you've
> somehow securely distributed the decryption key to your users.  This case
> almost never happens.  You'd be better off having your users generate GPG
> key pairs, send you the public key.  You encrypt for each user and send via
> email or any other method.  By leveraging public-key cryptography, you avoid
> the need to securely communicate any keys.
>
> As others have implied, it would be a lot easier to answer your queries if
> we knew more specifics about what kind of data (and what kind of operations
> on that data) you're talking about.
>
> But in almost every case, encrypting things on the server just chews up
> server resources while providing exactly zero protection.
>
> -Tim
>
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20080406/726ae504/attachment.html>

More information about the talk mailing list