Need to seek architectural advice !
Currently, have sensitive data at Database (say user's SSN) as plain text
It has to be encrypted.
Approach 1: Encryption at Code
- Some Crypto built in library can be used to encrypt (using key stored at vault)
- The EncryptedText can be stored to DB column
- For retrieval, SELECT upon this DB table from DAO, use Decrypt function at code, return Decrypted response
Approach 2: Encrypt the DB's column
- apply a trigger to column, which would encrypt INSERT data for that column
- For retrieval, database offers Decrypt methods which can be used at SELECT query at DAO layer
Parameters to decide:
- Performance
- Code quality (appears cleaner at Approach 2)
- Encryption strength (would both approaches provide similar strength at encryption)
Currently, the application code is in php Laravel and DB is MySQL
Encryption algorithm planned to use: AES 256 CBC
question from:
https://stackoverflow.com/questions/66063915/encryption-at-code-vs-encryption-at-db-column 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
