I have a encryted database and decryption key. How to keep decryption key away from hacking(Both database hacking and unauthorizated accessing PC.)?
Moreover, I need algorithm for encryted data. What's the best algorith for doing this in security per decryption time term?
Thanks,
You are asking the wrong questions: first you need to decide how secure you need things to be. Then you need to decide whether you want symmetric (think DES, shared key)) or asymmetric (think RSA, public and private keys), and also think hard about key management, because that is often the point of weakness.
Asymmetric algorithms are orders of magnitude slower than symmetric ones; they are often used to protect a symmetric key, rather than on the whole data.
I interpret your description that it is necessary to hold the decryption key SOMEWHERE on the database machine to carry out your work.
Given sufficient knowhow and access to the hardware you cannot protect your database that it is impossible to break through your encryption.
For all other cases where physical access is not possible you should refer to the encryption guidelines which exist for all major databases using the specific technologies unique to most platforms.
depends upon your need and environment... for instance you can keep the key in usb or some other hardware device
There is no way to "keep the decryption key away from hacking" if you store it with the encrypted data. Period. Key management is often the hardest part of any security policy.
As for encryption algorithm, RSA is a very different type of algorithm to AES and twofish (see http://en.wikipedia.org/wiki/Symmetric-key_algorithm#Symmetric_vs._asymmetric_algorithms).
To answer both questions will require more information. Exactly why are you trying to encrypt the database? What threat are you trying to manage?
It will never be perfectly secure, especially given physical access to the machines, but you can make it difficult.
Use 3DES to encrypt the database fields you want to protect. Note that you will not need to encrypt every field, and you shouldn't. (both for speed, and because if you lose the key, you'll at least have a clue what you need to do)
Do not store the key on the database server. If you must, store it on a different drive than the database or web app.
Keep a backup of the key on a thumb drive or something. Do not skip this step.
Split the keyfile into several different files, scattered over different folders and different drives. Do not use names that indicate the purpose of the files. Store the locations in the registry.
Use code to read the registry, fetch the pieces of the key, and assemble them. Write this code yourself, and do not use a name that indicates the program's purpose.