Magento and MySQL Key Management.

Hi,

 

I am currently evaluating a deployment of Magento 2.0.6 with a MySQL 5.6 backend. Currently the DB is fully encrypted using a private key residing on the same server as the DB. This seems inherently wrong for several reasons. 

 

I am being told that this is not only the recommended Magento approach but also a limitation of the Magento platform. Is this actually the case? It just seems wrong to me that the encrypted DB should sit on the same server as the key that is able to decrypt it. Should that server be compromised then encryption of the data at rest is effectively rendered moot.

 

I would appreciate any thoughts on this.

 

Many thanks,

 

Anthony.

5 REPLIES

Re: Magento and MySQL Key Management.

Hi Anthony,

 

I assume that you have a customized website running on an encrypted database on MySQL 5.6, or have at least developed a database layer to connect to the database.

 

IMHO the Magento database layer supports an unencrypted database, but if you are keen on using an encrypted database then you can develop your database layer or need to find a solution for it. I agree that the DB shouldn't reside on the same machine and should be hosted separately for performance and security reasons. You can keep the Magento platform and the database on different machines as well, i.e. in AWS, you can keep both servers on the same VPN and restrict public access to the database layer.

 

Let me know if you have any questions.

 

Cheers,

Kapil

 

 

 

Re: Magento and MySQL Key Management.

Hi, are you talking about the Magento encryption key support or a MySQL feature? The Magento encryption key is not used "for the whole database", and it is not stored in the database. It is stored in the app/etc/env.php file on disk.

 

The encryption key is certainly available to the web server, just as the database is. If this was not the case it would not be possible for the web server to access database content! So if the physical server is compromised, then your data is effectively compromised (because you can change the web server code if nothing else).

 

The encryption key can help secure your database backups however (as long as you don't back up the env.php file in the same backup as the database contents). So the encryption key does help, just not against compromised servers.

 

Also please note the Magento encryption key in M2 is used much less than M1. We have moved away from any options allowing storing of credit card data in Magento tables, so there is only a small amount of data still encrypted in M2. (I am still checking exactly what is encrypted - it might just be some password hashes left.)
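The backup point made in the reply above (the key only protects database backups if env.php is not in the same backup) can be checked mechanically. The following is an added example, not part of the original post and not Magento code; the dump file suffixes and the sample archive contents are assumptions constructed for illustration.

```python
import io
import posixpath
import tarfile

KEY_FILE = "app/etc/env.php"         # key location named in the reply above
DUMP_SUFFIXES = (".sql", ".sql.gz")  # assumption: how database dumps are named


def audit_backup(fileobj):
    """Return (key_files, dump_files) found inside a tar backup."""
    key_files, dump_files = [], []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            name = posixpath.normpath(member.name)
            if name == KEY_FILE or name.endswith("/" + KEY_FILE):
                key_files.append(name)
            elif name.lower().endswith(DUMP_SUFFIXES):
                dump_files.append(name)
    return key_files, dump_files


def key_travels_with_data(fileobj):
    """True when one archive holds both env.php and a database dump."""
    key_files, dump_files = audit_backup(fileobj)
    return bool(key_files) and bool(dump_files)


def build_sample(names):
    """Build a constructed in-memory .tar.gz so the check runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            data = b"constructed sample content\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    mixed = build_sample(["./site/app/etc/env.php", "db/magento.sql.gz"])
    print("key and dump in same backup:", key_travels_with_data(mixed))
```

Run against a real backup by passing an open binary file object, for example `open(path, "rb")`, to `key_travels_with_data`.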

Re: Magento and MySQL Key Management.

Hi,

 

Thanks all for your responses.

 

I fully understand that in many cases a decryption key needs to be available to the webserver; I am just less convinced that storing it on the frontend server is a particularly good idea. There are also many key management implementations where the key is stored off the frontend webserver, which in many cases never even has to see it.

 

Certainly I know of many organisations who specifically exclude the storage and use of private keys used for data storage on publicly facing servers.

 

I am also a little concerned that the use of encryption by Magento is seemingly focused on payment card data. There are many other types of data that organisations consider sensitive and which may have a requirement to be stored and for which encryption may be appropriate. Such data could include commercially sensitive information such as discount amounts, trade pricing and cost prices but also data that could be considered to be personally identifiable information such as name and address.

 

Reading between the lines I think that I have my answer but would welcome some detailed documentation specific to Magento.

 

However, I now have another question with regards to passwords. Are you saying that the password hashes are encrypted or that the passwords are just encrypted? Hashes and encryption aren't really the same thing. If Magento is storing non-reversible hashes of passwords then that is one thing, but if it is storing the actual password in an encrypted form then that is another.

 

Many thanks,

 

Anthony.

Re: Magento and MySQL Key Management.

To be clear, Magento 2 *never* stores credit card data. There were *some* card processors where this could be done in Magento 1, but Magento 2 has moved completely away from this approach. It is all based on tokenization now, which is why the "payment gateway" process in Magento 1 has also been completely dropped in Magento 2. It is simply no longer required due to advances in technology provided by the payment providers. This makes PCI compliance much easier with Magento 2 as well.

 

I am still chasing down exactly where we still use the encryption keys. My partial understanding is they may be used as part of the hash seed of password hashing (normally prod and test environments have a different key, so it forces passwords to not work when copying between environments - something like that, I am vague on details). There was also a possible use for encryption of payment gateway credentials, again so if copied between environments you cannot accidentally send test requests to your production account (the key will stop working). I believe these are more around protection if you copy a prod DB to a test environment - less about security, more about making sure you don't send test purchases to your production payment provider by mistake. But I still need to confirm.

 

Re: Magento and MySQL Key Management.

Thanks for this.

 

I actually don't have any concern around payment information. I am satisfied that a non-cryptographic and non-reversible token has no real value. My concern is around other sensitive data, such as PII, that will end up being stored in the DB backend. 

 

I had suspected, and nothing that has been said to date has given me any reason not to continue to expect, that encryption of data at rest in the DB is transparent to Magento.

 

Many thanks,

 

Anthony.