• Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

Securly storing sensitive data in database

 
Daan Heuvelbeuk
Ranch Hand
Posts: 67
MySQL Database Netscape Windows XP
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
In my application I'm storing sensitive data (sort off), like Economic Operator Registration and Identification numbers. In the Netherlands freelancers need to supply their Civilian Service Number (in the Dutch BTW Number). With that number it is possible to steal someone's identity. I was wondering how to store such sensitive data in the database. It is not possible to store it in SHA encrypted format, as it is a one way encryption. Any suggestions?
 
chris webster
Bartender
Posts: 2407
33
Linux Oracle Postgres Database Python Scala
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
If you're in the EU and storing confidential information, there are probably lots of legal data protection requirements that apply. Your organisation should have some kind of data protection officer, whose job is to ensure compliance with these regulations. If your organisation already stores this kind of data, they should have some kind of standards for implementing secure storage that you could use as a guide for your application. If not, you probably need to take some advice from somebody who knows what they're doing here: the penalties for getting this wrong can be quite severe, both in terms of fines and lawsuits and also in terms of reputational damage to the organisation.
 
Daan Heuvelbeuk
Ranch Hand
Posts: 67
MySQL Database Netscape Windows XP
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thanks for pointing out the "legal data protection requirements" that exist in the EU. Sadly I'm not connected to an organisation. I can not discuss it with the data protection officer. However, "legal data protection requirements" gives me some idea to search further.
 
Daan Heuvelbeuk
Ranch Hand
Posts: 67
MySQL Database Netscape Windows XP
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I stumbled upon Jasypt. I could encrypt sensitive data in a properties file, or in the database. Is it an option to store the sensitive data encrypted in the database?
 
Tim Moores
Bartender
Posts: 3128
50
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
There are numerous Java libraries for doing encryption, including the built-in JCE API. So, yes, using two-way encryption is an option, possibly using a cipher such as AES. But then you need to think about how to store the encryption key - that will require a risk analysis, so you know what exactly you're trying to protect against.
 
Daan Heuvelbeuk
Ranch Hand
Posts: 67
MySQL Database Netscape Windows XP
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Just pondering.

An encryption key has to be an array of characters. It can be anything, as long as my program knows what it is. Could I use a SHA encrypted field from the database as key? For each user I store the password and username encrypted with SHA in the database. As the password should be changeable you can not use it as key. But a username is unique and the same, as long as the user uses the application. And each user has his own user name, so each user has his own secret key. And the used key can only be found by someone analysing my bytecode, and who has access to the database.
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic