tags:

views:

178

answers:

4
+1  Q: 

Encrypted Fields & Full Text Search, Best Approach?

I've got some fields that store notes and sensitive information that I'd like to encrypt before it makes its way into the database.

Right now, I use a SQL Full-Text Search to search these fields. Obviously encrypting this data is going to throw off my search results.

What's the best way to encrypt these fields, but still allow searching?

+1  A: 

There is NO database supporting encrypted index so you have to sacrifice some security to achieve this.

You can index partial data in clear and find the real data from your application. For example, if you want store credit-card number. You can have an index of last 4-digit. The number of cards sharing the same last 4 digit are limited so you can afford to decrypt each one and check the whole number.

ZZ Coder  2009-08-04 17:51:48
+2  A: 

It's not going to be easy. What you're describing is rarely implemented in commercial databases, although there are some theoretical results in the field. I'd suggest that you go to google scholar and start looking for papers on the subject.

Here are a few references to get you started:

bdonlan  2009-08-04 17:53:52
A: 

Another option is to store the soundex of the encrypted data. You can then search on the soundex value and get close without decrypting the data.

Dave  2009-08-14 16:30:14
A: 

Oracle's 10g Release 2 (or later) may support this functionality. From their website here:

http://www.oracle.com/technology/oramag/oracle/05-sep/o55security.html

"A new feature in Oracle Database 10g Release 2 lets you do just that: You can declare a column as encrypted without writing a single line of code. When users insert the data, the database transparently encrypts it and stores it in the column. Similarly, when users select the column, the database automatically decrypts it. Since all this is done transparently without any change to the application code, the feature has an appropriate name: Transparent Data Encryption (TDE)."

The idea is that no one can see the clear text in the database, but a select statement would work as normal. This might help with your searching if Oracle is an option?

Update: there is another option here:

http://www.critotech.com/index.htm

for MySQL databases, but it seems quite expensive.

bwobbones  2009-10-23 04:15:56

related questions

Sql to query a dbs scheme
Transform Columns into Rows
SQL Client for Mac OS X that works with MS SQL Server
How do you get leading wildcard full-text searches to work in SQL Server?
SQL Server 2000: Is there a way to tell when a record was last modified?
What's the BEST way to remove the time portion of a datetime value (SQL Server)
I need to know how much disk space a table is using in SQL Server
What's the best way to determine if a temporary table exists in SQL Server?
Appropriate pagefile size for SQL Server
Have you ever encountered a query that SQL Server could not execute because it referenced too many tables?
ASP.NET MVC "CRUD" Database Sample
How do I unit test persistence?
Best Book for a new Database Developer
Can I logically reorder columns in a table?
Best way to copy a database in SQL Server 2005/8?
Is Windows Server 2008 "Server Core" appropriate for a SQL Server instance?
Why doesn't SQL Full Text Indexing return results for words containing #?
Client collation and SQL Server 2005
Editing database records by multiple users
Deploying SQL Server Databases from Test to Live
SQL Server 2005 implementation of MySQL REPLACE INTO?
Upgrading SQL Server 6.5
How do I version my MS SQL database in SVN?
How to export data from SQL Server 2005 to MySQL
Check for changes to a SQL table?