Does it make sense to store the encryption key in the database?

W

wlms2019-01-19 01:33:18

Node.js

wlms, 2019-01-19 01:33:18

It is necessary to store data in the database in encrypted form (not passwords). I encrypt with node-rsa. So that in case of hacking the database, the data was not in a dry form. To decrypt the data in another controller, you need the same key that would be generated at the time of encryption. The only option is to save it to the database. Do I understand correctly that if the database is hacked, the attacker will take this key and easily decrypt the data? Maybe there is another approach to this issue?

Reply

Answer the question

In order to leave comments, you need to log in

3 answer(s)

D

DevMan, 2019-01-19
@smlwmy

it makes no sense to store it in the database - when you leave home, you hardly hang the key next to the lock.
You can store it in the config, environment variables, separate storage.

R

Roman Mirilaczvili, 2019-01-19
@2ord

It is better to store the key in the environment variables of the user under which the web server is running.

A

Alex, 2019-02-09
@asilonos

> Do I understand correctly that in the event of a hacking of the database, the attacker will take this
> key and easily decrypt the data?
Yes .
This is quite justified - but you need to change the encryption protocol, for example, enter also the SALT for the key (Key = KeyDB + SALT).
In this case, your KeyDB will be stored in the database, but in order to use it, you will also need a Salt that is stored in the Config. The keys can even be different (for each table) but the SALT is the same.
If the base is lost, no one will be able to restore the Key. If you lose the Config - there is only SALT.
This increases the Attack Difficulty by an order of magnitude.
Of course, you still won't be able to protect yourself from Insider Admins. But at least you, as an Architect, will not show negligence :)