How to encrypt data in a SQL database?

Question

Hey HN,I will need to store some sensitive data (API keys, Client Secrets) of my customers in my DB. I was wondering if anyone could help me with these questions.1. What are the best practices for storing client secrets and API keys in a DB?2. Should the encryption be handled in the application level (using a library built on top of Node Crypto) or the database level (with pgcrypto)? What are the pros/cons of each option?3. What are some good encryption libraries in Node.js (I want to avoid rolling my own crypto)?4. At what frequency should I rotate keys? What are some methods to handle key rotation?Thanks a lot!

ameminator · Accepted Answer

Assuming you are using SQLite, an extension exists which will likely do the job: https://www.sqlite.org/see/doc/trunk/www/readme.wiki
Other databases will also have encrypt/decrypt APIs available.
Specific answers to your questions will depend on your application and use cases (local network? global website? credit card data? health data? etc...).

fulafel · Answer

Key management is the interesting part, although it's possible to screw up just in the crypto part as well. Encryption is just a way of substituting the trouble of keeping the key secret vs keeping the data secret.
You're going to match your key management to your threat model.
What are you going to do to keep the key safe in the scenarios of your threat model where an adversary can access the DB contents?

comprev · Answer

Look into something like HashiCorp's Vault for storing sensitive data.Trying to roll your own is asking for trouble!

danielmarkbruce · Answer

https://www.microfocus.com/en-us/cyberres/data-privacy-prote...

ianpurton · Answer

You want to look at acra which intercepts your postgres calls and adds encryption.https://github.com/cossacklabs/acra

simne · Answer

It depend on context, for which You asking.
If it to obey laws, this question of regulations of Your country;
for b2b market, each industry have their industry-wide typical use cases;
for internal use other consideration;
for box product other.

goralph · Answer

If you&rsquo;re using a cloud provider like AWS I&rsquo;d recommend their dedicated solutions for this problem - for AWS it&rsquo;s Secrets Manager

_448 · Answer

Which DB?Some DBs have in built support while others require plugins. The answer will depend on your DB and usecases.

mharig · Answer

Best practice is to NOT store them. At least not on server side.

How to encrypt data in a SQL database?

Look into something like HashiCorp's Vault for storing sensitive data.
Trying to roll your own is asking for trouble!

https://www.microfocus.com/en-us/cyberres/data-privacy-prote...

You want to look at acra which intercepts your postgres calls and adds encryption.
https://github.com/cossacklabs/acra

It depend on context, for which You asking.
If it to obey laws, this question of regulations of Your country;
for b2b market, each industry have their industry-wide typical use cases;
for internal use other consideration;
for box product other.

If you’re using a cloud provider like AWS I’d recommend their dedicated solutions for this problem - for AWS it’s Secrets Manager

Which DB?
Some DBs have in built support while others require plugins. The answer will depend on your DB and usecases.

Best practice is to NOT store them. At least not on server side.

How to encrypt data in a SQL database?

Look into something like HashiCorp's Vault for storing sensitive data.Trying to roll your own is asking for trouble!

https://www.microfocus.com/en-us/cyberres/data-privacy-prote...

You want to look at acra which intercepts your postgres calls and adds encryption.https://github.com/cossacklabs/acra

It depend on context, for which You asking.If it to obey laws, this question of regulations of Your country;for b2b market, each industry have their industry-wide typical use cases;for internal use other consideration;for box product other.

If you’re using a cloud provider like AWS I’d recommend their dedicated solutions for this problem - for AWS it’s Secrets Manager

Which DB?Some DBs have in built support while others require plugins. The answer will depend on your DB and usecases.

Best practice is to NOT store them. At least not on server side.

Look into something like HashiCorp's Vault for storing sensitive data.
Trying to roll your own is asking for trouble!

You want to look at acra which intercepts your postgres calls and adds encryption.
https://github.com/cossacklabs/acra

It depend on context, for which You asking.
If it to obey laws, this question of regulations of Your country;
for b2b market, each industry have their industry-wide typical use cases;
for internal use other consideration;
for box product other.

Which DB?
Some DBs have in built support while others require plugins. The answer will depend on your DB and usecases.