Textpattern CMS support forum
You are not logged in. Register | Login | Help
- Topics: Active | Unanswered
Pages: 1
Encrypted posts in database
Hi forum,
I have a textpattern installation running with some sensitive content. The pages are hidden from guests and are viewable for logged in users only. No issues so far. Its a pretty straight forward system.
I am wondering, if it might be a good thing to even encrypt these contents in the database? Or am I being too cautious or too worried?
For work-stuff, I am using processwire a lot, and found out about a plugin that encrypts all text contents written to the database:
https://processwire.com/modules/symmetric-encrypted-text/
Is there a similar way to do this with textpattern?
I am not sure, if this is really a necessary thing to do in terms of security. As I understand, contents are being written to databases as readable text pretty commonly. I am no security expert nor a specialist in databases…
What do you think? Am I being overcautious?
Offline
Re: Encrypted posts in database
I’m not a security specialist, but if a bad guy can access your db, he might be able to hack an admin account and then read your contents?
Offline
Re: Encrypted posts in database
Umm, yes. Good point ;)
Seems like its not worth all the hassle to set up such a system. I might just go with my installed txp and keep it simple. That was the reason to use Textpattern in the first place.
Offline
Re: Encrypted posts in database
To add to what etc said, symmetric encryption is only security through obscurity. Assuming we were to implement something similar to that ProcessWire module, anyone with access to the encrypted field contents can split it on pipe, get the IV data and use it to decrypt the content with a couple of lines of PHP to read the key from config.php.
At best, this extra layer keeps the amateurs out. Nothing more.
So it really depends on your reasons for wanting to hide the data. And who you are hiding it from.
If it’s from other Textpattern users in your database then bear in mind that anybody of Managing Editor and above can flick the Allow PHP preference on and thus use a few lines of PHP to decrypt the content. They could also install a database plugin to view and download the encrypted data, read the config.php file, then decrypt the content offline.
If it’s to keep it away from hackers then it’s only as secure as your admin password. Or, rather, as secure as the weakest admin password on whoever you share your hosting machine with. If there’s a ropey bit of software such as WordPress and/or one of its myriad plugins installed and someone gets in there, the filesystem and Textpattern database could be open season.
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Offline
Re: Encrypted posts in database
Probably not in this form. To be safe, just being logged-in shouldn’t suffice to view the decrypted contents. But using some kind of local ‘in browser’ encryption/decryption system looks feasible, though non-trivial.
Offline
Re: Encrypted posts in database
Thanks guys for clearing things up. Online security can be a beast. (and so simple at the same time, when knowing stuff)
I am not exploring any further to encrypt texts in my db, I think it’s not worth it. It would complicate lots of things and I want to keep this project as simple as possible. Ha, I am usually trying to but my self-taught, autodidactic coding skills are always putting obstacles in the way..
Besides that: such a nice thing to write in the Textpattern forum again after such a long absence. Textpattern was the first cms I wrapped my head around and its so much fun to be back. At least for this small private web page.
Offline
Pages: 1