1

I have to store AES-GCM encrypted data in a database. Currently we use MariaDB but with the option to later change to PostgreSQL. (however other databases should be considered as well)

Since the algorithm does not actually encrypt strings, but bytes and the output of an encryption algorithm is also a byte[], why not store the encrypted data directly in a binary column?

For MariaDB/MySql that would be as a BLOB. I understand PostgreSQL even has a preferred special data type for encrypted data called bytea.

However most programmers seem to encode the encrypted bytes as Base64 instead and store the resulting string in a VARCHAR.

Encoding to and decoding from Base64 seems counter intuitive to me. It makes the data up to 50% longer and is an extra step each time. It also forces the database to apply a character encoding when storing and retrieving the data. This is an extra step and surely costs extra time and resources, while all we really need to store are some bytes. The encrypted data makes no sense in any character encoding any way.

Question:

Is there any good reason for or against storing encrypted data as binary in a database? Is there a security, data integrity or performance reason why I may not want to store the encrypted data directly as binary?

Holly
  • 1,305
  • 2
  • 15
  • 30

1 Answers1

1

(I assume this question will shortly be closed as "opinion based" - but nevertheless)

Is there any good reason for or against storing encrypted data as binary in a database

No. I don't see any reason against using a proper "blob" type (BLOB, bytea, varbinary(max), ....)

The general rule of thumb is: use the data type that matches the data. So BLOB (or the equivalent type) is the right choice.

Using base64 encoded strings might be reasoned because not all libraries (obfuscation layers like ORMs) might be able to deal with "blobs" correctly, so people chose to use something that is universally applicable (ignoring the overhead in storage and processing).

Note that Postgres' bytea is not "a special type for encrypted data". It's a general purpose data type for binary data (images, documents, music, ...)

  • well I'm not interested in opinions, but objective facts which speak for or against it, if there are none, that is good enough for me – Holly May 08 '20 at 12:01
  • 1
    @Holly I am pretty sure all those, that use base64 encoding can also give "objective facts" why they did so –  May 08 '20 at 12:02