I am creating an application for work. I need to be able to hash a person's phone number and DOD ID number in the database. I looked at ChatGPT and it gave me some suggestions; they worked on hiding the actual numbers, but the only issue is that it hashed in the database and in the admin panel. I just want it hashed in the database. So if someone was able to get ahold of the database, then the data isn't visible. But I want it to be visible in the admin panel so I can do a search by a person's DOD ID number or by name. Eventually, once I get into creating a frontend with HTML, I will also want the DOD ID number to be visible (to authenticated users).
You want it encrypted, not hashed. A hash is a non-reversible operation. If you have a hash, you cannot recover the original text.
For encryption, you’ll have a password or private key that needs to be maintained.
You’ll need to decide whether you want to do this in Django or directly in the database layer. (See PostgreSQL: Documentation: 16: 19.8. Encryption Options to start getting an idea of how PostgreSQL provides these facilities.)
You’ll also want to decide how you’re going to handle these credentials, and exactly what risk you’re concerned about.
For example, there are three different types and degrees of risk that you need to consider:
- Someone physically stealing your server,
- Someone getting root access to the OS that the database is running on,
- Someone getting inappropriate access to the admin app in your project.
The probability of each of these three happening is different, as are the common mitigation strategies for each.
Your security policies and risk assessments will help guide you toward the appropriate solutions.
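As an added illustration (not part of the answer above, and plain Python rather than Django's field API), here is the encrypt-on-write / decrypt-on-read pattern the answer describes, done in the application layer. It goes one step beyond the answer by adding a keyed blind index, which is what makes the exact-match search by DOD ID from the question possible once the column is encrypted. It assumes the `cryptography` package is installed; the keys, table and people are constructed for the demo.

```python
import hashlib
import hmac
import os
from cryptography.fernet import Fernet

# Constructed demo keys. In a real deployment both come from a secrets
# manager or the environment, never from the database or source control:
# a stolen database dump is then ciphertext with no key beside it.
ENC_KEY = Fernet.generate_key()   # Fernet key (AES-CBC + HMAC, random IV per value)
INDEX_KEY = os.urandom(32)        # separate key for the searchable blind index
_fernet = Fernet(ENC_KEY)


def encrypt_field(plaintext: str) -> bytes:
    """Encrypt a value for storage; two encryptions of the same value differ."""
    return _fernet.encrypt(plaintext.encode("utf-8"))


def decrypt_field(ciphertext: bytes) -> str:
    """Decrypt a stored value for display to an authorized admin user."""
    return _fernet.decrypt(ciphertext).decode("utf-8")


def blind_index(plaintext: str) -> str:
    """Keyed HMAC-SHA256 of the normalized value. Deterministic, so equality
    search works; unlike a plain hash it cannot be brute-forced without INDEX_KEY."""
    return hmac.new(INDEX_KEY, plaintext.strip().encode("utf-8"), hashlib.sha256).hexdigest()


_rows: list[dict] = []  # constructed stand-in for the people table


def save_person(name: str, dod_id: str, phone: str) -> None:
    """What a Django field's get_prep_value() would do on the way into the DB."""
    _rows.append({
        "name": name,
        "dod_id_enc": encrypt_field(dod_id),
        "dod_id_idx": blind_index(dod_id),
        "phone_enc": encrypt_field(phone),
    })


def find_by_dod_id(dod_id: str) -> list[dict]:
    """Admin search: match on the blind index, then decrypt only the hits."""
    idx = blind_index(dod_id)
    return [
        {"name": r["name"], "dod_id": decrypt_field(r["dod_id_enc"]),
         "phone": decrypt_field(r["phone_enc"])}
        for r in _rows if r["dod_id_idx"] == idx
    ]
```

In a Django model this maps to a custom field whose `get_prep_value()` calls `encrypt_field()` and whose `from_db_value()` calls `decrypt_field()`, with the blind index kept in a second indexed column.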