Page last modified 11:03, 2 Sep 2009 by petee
MySQL Security (WIP)
Table of contents
Authentication
- choose a strong password for wikiuser account
- restrict grants to wikiuser@localhost if running mysql locally
- restrict grants for wikiuser to select, insert, update, delete, execute
Transport
- if running mysql and PHP/API on the same server, connect using unix socket (change mindtouch.deki.startup.xml to not connect via port 3306)
- possibly use SSL certs to encrypt session (may require code chages)
- connect over an encyrypted tunnel
Data encryption
Application-level encryption
MindTouch does not do any encryption at the application layer. Therefore, all the data in the DB is plaintext. It may be possible to encrypt data before storing but that would require a lot changes in the MindTouch codebase.
Database-level encryption
There are third-party tools that claim to offer transparent encrytion at the database or table level.
I have not used any of these third-party tools so I'm not exaclty sure how they work
File-level encryption
The /var/lib/mysql directory could be installed on an encrypted filesystem. This would provide security if the disk was ever compromised. However, the filesystem would be mounted at boot time so anyone able to get root access would be able to access the database unencrypted.
- Tag page
- What links here
| Images 0 | ||
|---|---|---|
| No images to display in the gallery. |
You must login to post a comment.
Copyright © 2011 MindTouch, Inc. Powered by