Mysql encryption/decryption without sending password in query - mysql

I need to encrypt some specific columns in a MySQL database. I researched and found a few ways like the AES_ENCRYPT functions, but these solutions require sending the key value in the query.
I am looking for a solution where the password can be stored in some location in the database and MySQL can automatically use that value to encrypt or decrypt that particular column.
Thank you.

Related

How can I create an MD5 field using Laravel Migration script?

I need to create a password field. I couldn't find anything similar in Laravel Migration document.
Please help.
There is no MD5 datatype in databases. Make a varchar field for the password, and put your md5 encrypted data in there.

Is there an --des-key-file equivalent for AES?

When you use the DES_ENCRYPT/DES_DECRYPT function in MySQL you can point to your keyfile from my.cnf using the --des-key-file variable.
I thought this should also exist for AES_ENCRYPT/AES_DECRYPT.
So I searched for hours but couldn't find it: is there an equivalent for AES for this?
As far as I can tell from the documentation, no such option exists for AES_ENCRYPT. Instead, you are supposed to pass the key as a parameter directly in the query.
This answer on DBA.SE suggests writing a User Defined Function that returns the key as one possible work-around.
Alternatively, you might want to consider not using the MySQL AES functions at all, and instead just doing all encryption and decryption in the client application. One potential advantage of such an approach is that, in order to obtain and decrypt the data, an attacker then needs to compromise both your database and your application.

Decryptbypassphrase equivalent in MySQL?

I've recently migrated a huge MSSQL database to MySQL using MySQL Workbench. It worked nearly perfectly, and we're now attempting to rewrite all the stored procedures.
For login, all the passwords were encrypted using MSSQL's method "encryptbypassphrase".
I don't want to demand that all the users change their passwords- is there some equivalent to decryptbypassphrase that will work for MySQL? So that I can keep all the passwords, and the same encryption methods?
Thank you!

Bcrypt in MySQL?

I do store my passwords as a bcrypt hash in a MySQL database. With MD5 and SHA1 it was possible to run the hashing function inside the database. Now I wonder if it is possible to run bcrypt inside MySQL. I would like to create a user account inside the database.
I could not find it in the manual or did I miss it? Maybe as stored procedure?
As soon as you use a unique salt for each password (and save it together with the password), you won't be able to do the verification in a single SQL statement, especially not with a slow hash function.
In a first step we should make a query to get the hash-value (and the salt) by username, then in a second step we can validate the entered password with this hash-value and the same salt. If you try to do this in a single SQL statement, the database would have to calculate the hash for each row until a match is found, with a slow hash-function like BCrypt this query would overload your server.

how to encrypt emails in mysql database but still be able to query them?

I want to store the email addresses of users in a MySQL database using encryption to ensure that they won't be made public if the database gets compromised. I believe if I encrypt them with MySQL's AES_ENCRYPT() function I cannot create an index in an InnoDB table because I have to use a BLOB datatype. If the table gets very large, selects will take a long time.
What is the best solution for securing email addresses but still being able to query them fast and preserve them as unique values in the column?
When a user registers on your site, use AES_ENCRYPT() to encrypt the email.
INSERT INTO users (email) VALUES (AES_ENCRYPT('someemail@example.com', 'aeskey'));
When you query your database, you can call the AES_DECRYPT() function like this:
SELECT AES_DECRYPT(email, 'aeskey') from users;
If you hash the addresses with SHA-256 or something similar, you can still index your tables, you can still do fast address lookups (when a user searches for example@example.com, you'll just hash the input and select matching hashes in the tables).
ssh uses a very similar hashing trick. (Look for the -H option in that manpage for details.)
AES_DECRYPT(email, 'secretkey') and AES_ENCRYPT(email, 'secretkey') is the optimal solution.
I am not 100% sure about it being unique after encryption, but theory says if the email is unique, the encryption should be unique.
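
The hashed-lookup idea from the answers above, as an added example that is not part of the original posts: it uses a keyed HMAC-SHA-256 in place of the bare SHA-256 mentioned, so the digests cannot be recomputed from guessed addresses without the application's key. In-memory SQLite stands in for MySQL, and `email_index`, `register`, `find_user`, the table layout, the key and the lower-casing of addresses are assumptions; `email_enc` is whatever ciphertext the application produced on its side.

```python
import hashlib
import hmac
import sqlite3

# Constructed demo key (assumption). In practice the application loads it from
# its own secret store, so it never appears in SQL text or in the database.
INDEX_KEY = b"constructed-demo-index-key"


def email_index(email: str, key: bytes = INDEX_KEY) -> bytes:
    """Deterministic keyed digest of the normalised address (a 'blind index')."""
    # Assumption: addresses are compared case-insensitively and trimmed.
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).digest()


def open_db() -> sqlite3.Connection:
    # In-memory SQLite stands in for MySQL; there the digest column
    # could be a fixed-width BINARY(32) with a UNIQUE index.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users ("
        " id INTEGER PRIMARY KEY,"
        " email_idx BLOB NOT NULL UNIQUE,"  # 32-byte digest, indexable
        " email_enc BLOB NOT NULL)"         # ciphertext produced by the app
    )
    return db


def register(db: sqlite3.Connection, email: str, email_enc: bytes) -> bool:
    """Insert a user; returns False if the address is already registered."""
    try:
        with db:  # commits on success, rolls back on error
            db.execute(
                "INSERT INTO users (email_idx, email_enc) VALUES (?, ?)",
                (email_index(email), email_enc),
            )
        return True
    except sqlite3.IntegrityError:
        return False


def find_user(db: sqlite3.Connection, email: str):
    """Indexed equality lookup: hash the input and compare digests only."""
    row = db.execute(
        "SELECT id FROM users WHERE email_idx = ?", (email_index(email),)
    ).fetchone()
    return row[0] if row else None
```

Only the parameterised digest and the opaque ciphertext reach the database, so neither the plaintext address nor any key shows up in query logs.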