Storing sensitive data securely in a database

Question

I am currently building a website for a nursing home. I have already designed a scheme to store private data in my database, but I would like your opinion about it.

Basically, I have a table patient which stores public (= non-sensitive) information about patients. Some other information (like name, address) are private one and need to be securely stored. I use a public/private key pair, generated by PHP OpenSSL and sent by the website manager. The passphrase is only known by people allowed to access private data (basically, healthcare providers). I would like to store them in an other table. First question, is BLOB the best column type (with MySQL) to store binary data. Or should I convert them (with base64 for example) and store them in a VARCHAR column?

My patient_secure_data table looks like this:

id          INT AUTO_INCREMENT
patient_id  INT (FOREIGN KEY to patient.id)
key         VARCHAR(63)
data        BLOB
env         BLOB

It is a key-value table, where value are sealed by openssl_seal. I need to store the third parameter ($env_keys) to be able to decrypt data. So second question, why do I need this env_keys if I have the passphrase of the private key when I call openssl_open?

Third (and last) question, is it a safe database schema? I mean, can I guarantee that nobody without passphrase can see private data?

Note: I will also use the same key pair to encrypt files stored on disk. But database or files, I can't see any differences regarding security.

Regards,

Guillaume.

_{Sorry if my language is not perfect, I am not a native english speaker... I hope I made myself clear.}

It represents the type of information. It can contain `'first_name'`, `'last_name'`, `'city'`... — Guillaume Poussel, Mar 11 '12 at 11:01

score 2 · Accepted Answer · answered Mar 11 '12 at 11:02

1 - BLOB is my preference because encoding it to base64 will increase both space and processing time (since you will have to also decode base64 before you decrypt)

2 - openssl_seal does not give you the key that was used to encrypt the data. The purpose of env_keys is to store the encrypted form of the generated key. When you call openssl_open, you give it this envelope key and the private key that it needs to decrypt the envelope key. The private key needs to be matched with the public key that was used to generate the envelope key.

3- If your private key requires a passphrase, then technically your data is relatively safe. Even if they have the envelope key and the private key, they won't be able to use it ... but how secure is your passphrase? One thing to realize is that you can almost never guarantee a fully secure scheme, but you can definitely make it tough on hackers. Use your imagination here. Btw, is your passphrase in plaintext in your code?

Thanks a lot for you answer! My passphrase is not in plain text. I do not even know it. — Guillaume Poussel, Mar 11 '12 at 11:05

score 0 · Answer 2 · answered Mar 11 '12 at 10:15

Anything over 500chars should probably be a blob (or clob).
Regarding the keys, you should only store the public key in your public DB. This way you don't have to worry about anyone (passphrase or no) being able to decrypt the data. The private part of the key should be stored in the sensitive DB. You only need the public part to decrypt data encrypted by the private part. I would not store the entire key (public+private) on disk of the server containing the non-sensitive information as this compromises the security of the key.

"You only need the public part to decrypt data encrypted by the private part" - to _encrypt_, right? — silverdr, Jul 04 '23 at 18:54

Storing sensitive data securely in a database

2 Answers2

Linked