3

In an effort to increase security of our website, I'm reading up on Gazzang zNcrypt, which claims to protect data in databases from breaches.

Technically, it seems to do filesystem encryption. As far as I know, this is effective against hackers gaining physical access to the harddisk. If hackers manage to login to the DB, SSH, FTP, website or any higher level, they'd just see the decrypted data without effort.

Are these assumptions correct as to the level of security provided by zNcrypt?

Adi
Martijn
    Somewhat related answer about database-versus-app-level encryption [here](http://security.stackexchange.com/questions/47848/should-we-bother-with-cell-level-encryption-for-an-asp-net-sql-server-web-applic/47857#47857). My read of their product blurb suggests you're right, they're providing TDE - but I'm not actually familiar with the product. – gowenfawr Jan 02 '14 at 14:09

2 Answers

3

I work for Gazzang. Glad to see your question on this forum. Your assumptions are correct in that zNcrypt provides filesystem encryption that protects data on the hard disk from a breach. Depending on your use case, zNcrypt can also help you meet certain compliance regulations.

The TDE can also protect data blocks as well as files, which works particularly well if you're running Hadoop. For added protection, zNcrypt leverages process-based ACLs and software-based key management via zTrustee.

Adi
0

"If hackers manage to login to the DB, SSH, FTP, website or any higher level, they'd just see the decrypted data without effort."

Not entirely correct. The process-based ACLs mentioned above protect the contents from other system users. Just logging in with SSH or FTP wouldn't allow access: the data is still encrypted unless those binary processes have access. This includes hiding the data and file names from even root. Granting SSH or FTP full decrypt wouldn't provide much security, as most system users have it. Generally the encrypted files can only be read by a specific process in the ACL. Tools like FTP, vi, cat, more (and even ls!) can't read unless granted via ACL.