Re: Database Encryption (now required by law in Italy)

Alle 13:53, venerdì 5 marzo 2004, Mitch Pirtle ha scritto:
> The same logic applies to encrypting the data in the database -
> somewhere on your server the application has to know how to decrypt it,
> and that means anyone that gains access to your server will have that
> ability also...

That's true, of course but...
1) The cryptographic keys used by the application to access the data could be
stored (encrypted) inside a compiled C/C++ or Delphi/Kylyx program.
2) No matter what we think about data encryption, a (stupid) italian law
enforces it ("Allegato B, Decreto Legge 196/03, Dicembre 2003).
3) As I told in another message, our law prohibites that our SysAdmin had
access to data. Just authorized operators can read them.

> I understand (and demand) requiring SSL connections for database
> clients, and MD5 hashing of passwords before storing in the database,
> but implementing two-way encryption of database data just doesn't make
> sense to me.

Neither to me, actually, but it makes to our law-makers (Have you heard of
Silvio Berlusconi?).

See you
-----------------------------------------
Alessandro Bottoni and Silvana Di Martino
alessandrobottoni@interfree.it
silvanadimartino@tin.it