How can I store user data encrypted in the database and in local storage, so that only the user can see/modify/delete it?


#1

I am creating a website where I want to store user data in encrypted form, accessible only to the user.

Thanks in advance.


#2

The most basic way would be to use their password to encrypt / decrypt their data using symmetric cryptography. That’s pretty much how LastPass does it.


#3

Thanks for help. I will try this.


#4

Are you talking about user data e.g. passwords?


#5

Not only password but all user data.


#6

I would advise you to focus on securing your application in a better way rather than encrypting the individual fields on the database.

Remember, encrypted fields may no longer be searchable.

So, you can try to learn about the best practices for securing your web application. Kindly consider reading about the OWASP Top Ten.

Also, when it comes to the security of the database, you can go with a hosted solution like ApsaraDB for MySQL, because Alibaba Cloud has put security measures in place to mitigate known types of attacks like DDoS, brute force, SQL injection, etc.

Also remember that Alibaba Cloud has passed the ISO 27001:2005 (Information Security Management System) certification.

However, if you are still very concerned about real-time encryption, you can read about other approaches that companies use, such as encrypting data before sending it to MySQL or possibly encrypting the disk that holds the MySQL data.


#7

Thank you for all your suggestions and they are good!

But the whole discussion is around encrypting the data so that anyone who has access to the database, including me, will not be able to see the actual password or sensitive data. This way, it will provide a sense of complete security to the user, as the entire data is encrypted.

Application security might help the user protect the application against threats from outside, but I am trying to protect the sensitive data from my own employees or organization.

I guess this could be achieved using certificates, but I am a bit confused about it. It would be helpful if you could explain certificates, or if you have better alternatives.