I'm designing a database interface for a system that could store PII. My first focus is on making sure all the data is secure. To do this, I have designed the system as follows.
I'm running three separate servers with three separate roles. Server 1, the web interface (which I will refer to as El Jefe), takes requests from users, processes them, and returns the appropriate information as needed.
Server 2, the cryptographic interface (which I will refer to as the Bagman), receives information via SSL from El Jefe and encrypts it (using the Halite interface from Paragon Initiative Enterprises), then passes it on to Server 3.
Server 3, the database (which I will refer to as the Stash), stores the encrypted information it receives from the Bagman. It does not have the encryption keys from the Bagman or anything else like that.
Right now, the data at rest is secure. If the Stash somehow gets broken into, none of the files mean anything and none of the entries in the database mean anything because they're all encrypted, and none of the keys are stored on that server.
However, if the Bagman gets broken into, then all information that gets passed through him can be stolen.
Additionally, if El Jefe gets compromised, he can issue instructions to the Bagman to retrieve, decrypt, and return anything located in the Stash.
To mitigate against this I had the following plan: to minimize any damage from a breach of either El Jefe or the Bagman, I was going to salt the encryption key with a SHA2 hash of the user's password, so even if someone breaks into the Bagman, the keys are worthless without the additional hash of the user's password. However, I feel like this falls into the realm of "rolling your own crypto", which, based on my readings for the past 2 weeks, is a no-go. Additionally, I would run into the issue that if a user forgets their password, there is no way to recover their files, and if they decide to change their password, I would have to decrypt and then re-encrypt all of their files.
I apologize for the corny names of the servers, by the way. It helps me remember their roles and visualize what they're doing in my mind. If you can point me in the direction of any resources or additional readings or whitepapers on designing a secure system like this, it would be much appreciated.
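
Added example, not part of the original post and not Halite code: the password-change concern above handled with key wrapping, where a random per-user data key encrypts the files and only that key is re-encrypted when the password changes. Assumptions: Node's built-in crypto (scrypt and AES-256-GCM) stands in for Halite and for the SHA2 hash the post proposes, and all function names and sample values are hypothetical.

```javascript
const { randomBytes, scryptSync, createCipheriv, createDecipheriv } = require('node:crypto');

// Key-encryption key (KEK) from the password via scrypt, a slow salted KDF.
function deriveKek(password, salt) {
  return scryptSync(password, salt, 32);
}

// AES-256-GCM seal; output layout is iv(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const iv = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

// Inverse of seal; throws if the key is wrong or the blob was modified.
function open(key, blob) {
  const d = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Enrolment: a random data key (DEK) encrypts the user's files.
// Only the salt and the wrapped DEK are stored; the KEK is never stored.
function enroll(password) {
  const salt = randomBytes(16);
  const dek = randomBytes(32);
  return { record: { salt, wrappedDek: seal(deriveKek(password, salt), dek) }, dek };
}

function unwrapDek(record, password) {
  return open(deriveKek(password, record.salt), record.wrappedDek);
}

// Password change re-wraps the 32-byte DEK; file ciphertexts are untouched.
function changePassword(record, oldPassword, newPassword) {
  const dek = unwrapDek(record, oldPassword);
  const salt = randomBytes(16);
  return { salt, wrappedDek: seal(deriveKek(newPassword, salt), dek) };
}

// Constructed walk-through: encrypt a file, change the password, read it back.
function demo() {
  const { record, dek } = enroll('constructed-password-1');
  const fileCt = seal(dek, Buffer.from('constructed PII record'));
  const rotated = changePassword(record, 'constructed-password-1', 'constructed-password-2');
  const plain = open(unwrapDek(rotated, 'constructed-password-2'), fileCt).toString();
  let oldRejected = false;
  try { unwrapDek(rotated, 'constructed-password-1'); } catch { oldRejected = true; }
  return { plain, oldRejected };
}
```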