Re: Encrypted bank account info

[Ed W <..hidden..>]

> Chris said earlier that in the US, an account and routing number is enough
> to initiate an ACH transfer out.
>    

Yeah, I think the point is that in some countries the banking security 
varies and it's been noted that in the US the account number is 
sufficient that it can be mis-used to withdraw money under some 
circumstances.  I'm not aware of any other countries that have this (low 
IMHO) security requirements for bank account numbers

However, in general if you get your accounting database pinched then you 
are in big trouble for all kinds of other various reasons. eg in Europe 
you might get bothered under the Data Protection Act, etc

I guess the solution is fully layered protection, the following occurs 
to me:

- Encrypt web browser to server (SSL)
- Encrypt sql-ledger to db (SSL)
- Secure access to webserver and cgi files to prevent tampering (OS 
hardening)
- Secure access to postgresql server to prevent tampering (both the sql 
server and the OS)
- Encrypt postgresql on-disk files (encrypting file system),
- AND/OR: Encrypt data inside the database...

The last one seems to be the one you are proposing, but really why not 
encrypt all fields in the DB? You could use a secret key for all the 
data (ie figure out the key and you have the whole db unlocked), or use 
a combo of the secret fixed key, plus some per user info, eg name (this 
provides some additional security because identical fields don't encrypt 
to the same value - ie salting).  The big issue seems to be that server 
side searching is near impossible if you use client side decryption... 
(any server side postgresql encryption solutions?)

This could be handled through the DB abstraction layer...  I doubt there 
would be a significant overhead from simply encrypting and decrypting 
the data.

You have to ask what you are achieving by each layer - encrypting the DB 
at field level helps in the situation that someone finds a way into the 
DB itself (weak password) and dumps the database.  Encrypting the 
on-disk files helps in the case that someone pinches the DB server 
machine, but doesn't help you if they found a weak password while it was 
running...



Sounds good for certain larger customers or paranoid users, but perhaps 
not that high priority right now...?  Leave it on the todo list?


Ed W