Implementing encryption for MySQL fields' data in Django

I have an existing database in LAMP which I need to import into our Django application.
There are some 5 columns whose values I need encrypted.
I am looking at this article for reference.

  1. Can I use Django’s SECRET_KEY in settings.py as the key for encrypt/decrypt?

  2. a. Is there an alternative, quicker way to store and retrieve encrypted data in MySQL where MySQL handles this automatically?

     b. Can Django’s ORM handle this by us passing the SECRET_KEY to the ORM functions?

First, as a general note, you may need to consider the Legal / Regulatory implications of what you’re doing here. If you’re just doing this to satisfy some checkbox on an internal audit, that’s one thing. But if there’s some regulatory requirement that you’re trying to fulfill, I strongly suggest that you do not rely upon any information you receive in this forum without verifying it with a Security Architect that understands those regulations and the requirements that go with them. (Saying that you got your solution on-line - regardless of the source - will not protect you from fines or lawsuits.)

> Can I use Django’s SECRET_KEY in settings.py as the key for encrypt/decrypt?

You really don’t want to do that. There could be situations where one needs to be changed without affecting the other.

However, it could be viable to create a new setting for it if you wish to do it that way. (How that setting gets defined or implemented is a different issue, see the note above.)

> Is there an alternative, quicker way to store and retrieve encrypted data in MySQL where MySQL handles this automatically?

Not “automatically”. You’ll still have the whole key-management issue. But MySQL provides database functions to support this.

> Can Django’s ORM handle this by us passing the SECRET_KEY to the ORM functions?

Not intrinsically. I’ve found a couple of PostgreSQL-related libraries that support encrypted fields. You could look at them to see how much work it’ll be to convert one of them to MySQL.

Finally, I’m aware of two quotes that I would love to attribute appropriately, but I can’t find definitive sources for either:

  • If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.

  • Cryptography is not magic pixie dust that you can sprinkle on a system to make it secure.
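As an added example that is not part of the thread, here is what the MySQL functions Ken mentions look like in practice, with the server's weak default mode beside the corrected setting, and with the two key-management points from the answer built in: the key is never stored in the database, and each row records which key version encrypted it so rotation is possible. The table and column names are hypothetical and the hex key values are placeholders, not real keys.

```sql
-- Added example, not from the original thread. Table/column names are hypothetical
-- and the hex key values below are placeholders, not real keys.

CREATE TABLE third_party_credentials (
  id          BIGINT UNSIGNED   NOT NULL AUTO_INCREMENT PRIMARY KEY,
  user_id     BIGINT UNSIGNED   NOT NULL,
  service     VARCHAR(64)       NOT NULL,
  login       VARCHAR(190)      NOT NULL,
  key_version SMALLINT UNSIGNED NOT NULL,  -- which application key encrypted this row (needed for rotation)
  secret_iv   VARBINARY(16)     NOT NULL,  -- per-row random IV; stored in the clear, which is fine
  secret_enc  VARBINARY(512)    NOT NULL   -- AES ciphertext of the third-party password / API key
);

-- Weak setting. MySQL's default block_encryption_mode is aes-128-ecb: no IV, so two users
-- with the same third-party password get byte-identical ciphertext.
--   SET SESSION block_encryption_mode = 'aes-128-ecb';
--   ... AES_ENCRYPT('hunter2', @k) ...          -- do not use this

-- Corrected setting: AES-256 in CBC mode with a fresh random IV for every row.
SET SESSION block_encryption_mode = 'aes-256-cbc';

-- The key is supplied by the application for this session only and is never written to a table.
-- Use exactly 32 raw bytes (64 hex characters) for AES-256: MySQL does not derive a key from
-- key_str, it zero-pads a short one and XOR-folds a long one, so a passphrase would give far
-- less than 256 bits of strength.
SET @k1 = UNHEX('0000000000000000000000000000000000000000000000000000000000000001');  -- placeholder

SET @iv = RANDOM_BYTES(16);
INSERT INTO third_party_credentials (user_id, service, login, key_version, secret_iv, secret_enc)
VALUES (42, 'example-crm', 'alice@example.com', 1, @iv, AES_ENCRYPT('s3cr3t-api-token', @k1, @iv));

-- Reading back needs the same key and the row's own IV. A NULL result means the key or IV is
-- wrong or the ciphertext was altered; never treat NULL as "empty secret".
SELECT id, service, login,
       CAST(AES_DECRYPT(secret_enc, @k1, secret_iv) AS CHAR) AS secret_plain
FROM   third_party_credentials
WHERE  user_id = 42;

-- Rotation: re-encrypt a row under key version 2 with a new IV. Assignments in a single-table
-- UPDATE are evaluated left to right, so AES_DECRYPT still sees the old secret_iv here.
-- Run this per row from the application (one fresh IV per row). If the old key is wrong,
-- AES_DECRYPT yields NULL and the NOT NULL column makes the UPDATE fail instead of
-- silently storing garbage.
SET @k2  = UNHEX('0000000000000000000000000000000000000000000000000000000000000002');  -- placeholder
SET @iv2 = RANDOM_BYTES(16);
UPDATE third_party_credentials
SET    secret_enc  = AES_ENCRYPT(AES_DECRYPT(secret_enc, @k1, secret_iv), @k2, @iv2),
       secret_iv   = @iv2,
       key_version = 2
WHERE  id = 1 AND key_version = 1;
```

Two caveats a practitioner would want. First, both the key and the plaintext travel to the server inside the SQL statement, so the connection must use TLS, and the key literal can land in the general query log and in performance_schema statement tables; the database process sees the plaintext regardless, so this protects dumps and disks, not a compromised database session. Second, as the answer says, none of this solves key management: the `key_version` column only records which key was used, and something outside the database (the dedicated Django setting Ken suggests, or a vault) has to hold the keys and drive the rotation. MySQL 8.0.30 and later can also derive the key from a passphrase for you via the `kdf_name` argument of `AES_ENCRYPT`; with a raw 32-byte key as above that is not needed.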

Thank you for your detailed response, Ken. This is for compliance: the data we need encrypted are access logins / keys of users to various 3rd-party systems.

We’re now exploring Azure Key Vault for this purpose (with key rotation).
The other option that was under consideration was the open-source version of HashiCorp Vault.