The objective is to secure my database data from server theft, i.e. the server is at a business office location with normal premises lock and burglar alarm, but because the data is personal healthcare data I want to ensure that if the server were stolen the data would be unavailable, being encrypted.

I'm exploring installing MySQL on a mounted TrueCrypt encrypted volume. It all works fine, and when I power off, or just cruelly pull the plug, the encrypted drive disappears.

This seems a load easier than encrypting data in the database, and I understand that if there is a security hole in the web app, or a user gets physical access to a plugged-in server, the data is compromised, but as a sanity check, is there any good reason not to do this?

@James I'm thinking that in a theft scenario it's not going to be powered down nicely, and so it is likely to crash any DB transactions running. But then if someone steals the server I'm going to need to rely on my off-site backup anyway.

@tomjedrz, it's kind of all sensitive: individual personal and address details linked to medical referrals/records. It would be as bad in our field as losing credit card data, but it means that almost everything in the database would need encryption... so I figured it's better to run the whole DB in an encrypted partition. If I encrypt data in the tables there's got to be a key somewhere on the server, I'm presuming, which seems more of a risk if the box walks.

At the moment the app is configured to drop a dump of data (weekly full and then deltas only hourly, using rdiff) into a directory also on the TrueCrypt disk. I have an off-site box running WS_FTP Pro scheduled to connect by FTPS and sync down the backup, again into a TrueCrypt mounted partition.

Saul
  • Not relevant to my answer, but mySQL or msSQL = Microsoft SQL Server? – tomjedrz Sep 04 '10 at 19:35
  • Apparently TrueCrypt is no longer secure and the [project is dead](http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/). – Stembrain Jun 02 '14 at 14:51
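The backup step described in the question writes dumps into a directory on the encrypted volume. One failure mode worth guarding against there: if the volume is not mounted when the dump job fires, the dump lands in the empty mount-point directory on the unencrypted root filesystem. The script below is an added example, not code from the original question or from TrueCrypt or MySQL; it refuses to write unless the expected volume is actually mounted and the dump directory lies inside it. The paths (/mnt/dbvol), the mysqldump invocation and the Linux /proc/mounts check are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Linux only (reads /proc/mounts).
# The volume path, dump directory and dump command are assumptions for illustration.

# is_mountpoint DIR: succeed only if DIR itself is a mount point in /proc/mounts.
is_mountpoint() {
    dir=${1%/}; [ -n "$dir" ] || dir=/
    awk -v d="$dir" '$2 == d { found = 1 } END { exit !found }' /proc/mounts 2>/dev/null
}

# backup_to_encrypted_volume MOUNT DUMPDIR DUMP_CMD
# Writes the output of DUMP_CMD to a fresh, owner-only file under DUMPDIR, but
# only after confirming that MOUNT is mounted and that DUMPDIR lies inside it.
# Without this check an unmounted encrypted volume means the plaintext dump
# silently goes to the bare mount-point directory on the root filesystem.
backup_to_encrypted_volume() {
    mount=${1%/}; [ -n "$mount" ] || mount=/
    dumpdir=$2
    dump_cmd=$3
    if ! is_mountpoint "$mount"; then
        echo "refusing to dump: $mount is not mounted" >&2
        return 1
    fi
    case "$mount" in /) prefix=/ ;; *) prefix="$mount/" ;; esac
    case "$dumpdir" in
        "$prefix"*|"$mount") ;;
        *) echo "refusing to dump: $dumpdir is not inside $mount" >&2; return 1 ;;
    esac
    mkdir -p "$dumpdir" || return 1
    out="$dumpdir/db-$(date +%Y%m%d-%H%M%S).sql"
    # Write to a temp name with mode 0600, then rename, so a half-written dump
    # is never mistaken for a complete one by the off-site sync.
    ( umask 077 && $dump_cmd > "$out.part" ) || { rm -f "$out.part"; return 1; }
    mv "$out.part" "$out" && printf '%s\n' "$out"
}

# Usage with assumed production values (set RUN_BACKUP=1 to actually run it):
if [ "${RUN_BACKUP:-0}" = 1 ]; then
    backup_to_encrypted_volume /mnt/dbvol /mnt/dbvol/backups \
        "mysqldump --single-transaction --all-databases"
fi
```

The function prints the path of the finished dump on success and exits non-zero, writing nothing, when the volume is absent; a cron job can therefore be chained as `backup_to_encrypted_volume ... && run_offsite_sync` so the sync only moves complete files.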

3 Answers


We've been running MySQL on a volume secured by TrueCrypt whole-disk encryption ever since they added it as a feature. Before that, we kept the data on a separate volume encrypted by TC. It has been humming away on the same box for over 6 years, and has been remarkably robust and tolerant to things like power-off, RAID degradation (hardware controller w/ RAID 1) and hardware failure. The performance hit for us has been negligible (some would even argue TrueCrypt-encrypted disks perform better, but I wouldn't go that far), whether in an encrypted laptop or a server.

The bottom line from our standpoint (we're also in healthcare) is that disk encryption is just one layer of security in our arsenal, but potentially an important one if physical security is ever compromised. There certainly are lots of scenarios where data could be stolen from a running system with an encrypted drive, but it mitigates the threat of data loss from simple theft, which could be more likely than lots of the other risks that you'd still want to mitigate against. For that reason, we encrypt all of our servers -- TrueCrypt for Windows, encrypted LVM for GNU/Linux.

nedm
  • What's the logic on going the whole-disk route rather than just the data in a volume, nedm? – Saul Sep 05 '10 at 06:45
  • Mostly the possible presence of other sensitive data on the server. WDE also prevents someone who has stolen a server from resetting the local admin password (see http://pogostick.net/~pnh/ntpasswd/) and using it to potentially glean other details and data. – nedm Sep 05 '10 at 06:58

I love TrueCrypt, but I don't see much reduced exposure, and a non-trivial amount of added risk due to the key, bugs and possible update problems, and performance degradation.

The only risk whole-drive encryption mitigates is data loss when the drive or computer is lost. IMHO that risk is only significant when the computer is mobile. If the physical and system security is good, then IMHO encrypting the drive on which the database is stored doesn't buy you much.

What I would do if possible is implement encryption within the database for sensitive information, so that if someone is able to hack the box or remotely access the data they are out of luck.

tomjedrz

I know that SQL Server doesn't close connections to the database files until the database is shutdown. This has the effect that the timestamp isn't updated, so SQL Server cannot be backed up effectively without stopping the services. I know that's not what you're asking, but that's what I know happens. Due to the same issue, I'd guess there is a high chance of corruption if you suddenly disconnect the volume so I would not recommend doing that - running it from a TrueCrypt volume should be fine as long as you have time to stop the service before dismounting.

James L
  • The two tags suggest MySQL but the title suggests MSSQL. If it's the former then it's more resilient, but I still would not recommend just dismounting. Best case you're going to end up with MySQL errors and a quick mysqlcheck will suffice. Worst case, your data ends up out of sync with the tables, ending in some (or possibly all) data being lost. – James L Sep 04 '10 at 21:39
  • It was MySQL I was talking about; amended type in title. – Saul Sep 05 '10 at 06:22
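The answer above comes down to an ordering rule: stop the database, confirm the server process is really gone, and only then dismount the volume. The script below is an added example, not code from the answer or from MySQL or TrueCrypt; it enforces that order and refuses to dismount while the server is still alive, which is exactly the "pull the plug" case the answer warns about. The stop and dismount commands are passed in as parameters so the logic can be exercised against a dummy pid file; the production values in the usage line (mysqladmin shutdown, truecrypt -d, /var/run/mysqld/mysqld.pid) and the Linux /proc/PID liveness check are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original answer. Linux only (checks /proc/PID).
# Stops the database, waits until the server process has exited, and only then
# dismounts the encrypted volume. STOP_CMD and DISMOUNT_CMD are injected so the
# ordering can be tested with a dummy "server"; the production values in the
# usage block are assumptions.

# server_running PIDFILE: succeed if PIDFILE names a process that still exists.
# A pid file left behind by a crash (dead pid) counts as not running; mysqld
# removes its pid file on a clean shutdown, so normally the file just disappears.
server_running() {
    pidfile=$1
    [ -f "$pidfile" ] || return 1
    pid=$(cat "$pidfile" 2>/dev/null)
    [ -n "$pid" ] && [ -d "/proc/$pid" ]
}

# wait_for_exit PIDFILE TIMEOUT: poll once a second until the server is gone;
# fail if it is still alive after TIMEOUT seconds (InnoDB can take a while to
# flush on shutdown, so do not set this too low).
wait_for_exit() {
    pidfile=$1; timeout=$2; waited=0
    while server_running "$pidfile"; do
        [ "$waited" -lt "$timeout" ] || return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# stop_then_dismount STOP_CMD PIDFILE DISMOUNT_CMD [TIMEOUT]
# Exit status: 0 dismounted; 1 stop command failed; 2 server still running after
# TIMEOUT. In both failure cases the volume is deliberately left mounted.
stop_then_dismount() {
    stop_cmd=$1; pidfile=$2; dismount_cmd=$3; timeout=${4:-60}
    $stop_cmd || { echo "stop command failed; volume left mounted" >&2; return 1; }
    if ! wait_for_exit "$pidfile" "$timeout"; then
        echo "server still running after ${timeout}s; volume left mounted" >&2
        return 2
    fi
    sync    # push dirty pages to disk before the block device goes away
    $dismount_cmd
}

# Usage with assumed production values (set RUN_DISMOUNT=1 to actually run it):
if [ "${RUN_DISMOUNT:-0}" = 1 ]; then
    stop_then_dismount "mysqladmin shutdown" /var/run/mysqld/mysqld.pid \
        "truecrypt -d /mnt/dbvol" 120
fi
```

On the next boot, after the volume is mounted and the server started, running mysqlcheck (as the comment above suggests) is the sanity check for the case where this ordering was not honoured, e.g. a power cut.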