From MySQL internal doc, I am presuming that keys of keyring_aws are stored locally after generation. All the mandatory information like master key needed to decrypt table is configured locally using variable named ‘keyring_aws_cmk_id’.
If Intruder gets disk access then he/she get access to Mysql data directory and the master key stored in mysql conf file. Could be of great help if anyone could share some insights on security.
You can use a simple symmetric encryption, like ChaCha20-poly1305, to encrypt the data with a key derived from the password, using Argon2id for example.
The service MEGA is using a similar approach. This just an example of an implementation and not an endorsement of this particular service.
There is no foolproof way. Since you can’t trust the system, you can’t reliably verify the integrity of the image you will be using to create the bootable USB or, for that matter, of anything else. No matter what you do, it is possible for the malware to have interfered with it.
You could, however, do something the malware would likely not expect. Like make a bootable USB for a lightweight Linux distro, boot live from it, and then make the Windows 10 bootable USB from the live Linux OS. It is quite unlikely for a Windows malware to infect Linux as well, but for that matter, it is unlikely for malware to infect bootable USBs in the first place.
After days of searching on the internet – I really need you help.
I have fresh installation of Ubuntu 20.04. No additional software has been installed. Also no changes to the system have been made. It is really just clean installation from DVD and update through “software update”.
I want to connect an USB-drive to this system and format it. I do not need to open any files from USB-drive. The only purpose is to have a fat32 formatted USB-drive.
How to perform this action without risking to get a worm or any other malware potentially contained on the USB-drive?
First of all, is my understanding correct that primary keys and subkeys are all key pairs consisting of a private and a public key?
I get the rationale behind using primary keys and subkeys1, and why one should keep the private primary key (or master key) “very, very safe“, but not sure what the consensus is on handling the public primary key? Is this the one that should be shared with others or uploaded to a key server2? (Sometimes this may be an explicit requirement.)
It was also confusing to see sentences such as “GnuPG actually uses a signing-only key as the master key” but realized that this refers to the private primary key because (quoting from the same source)
You use the private key to digitally sign files, and others use the public key to verify the signature. Or, others use the public key to encrypt something, and you use the private key to decrypt it.
(2): Superuser thread: Where to upload PGP public key? Are KeyServers still surviving?
I am building a payment app where I need to pass a transaction ref and payment id to a next step in the payment process to verify a payment… For authenticated users this is handled all in the server, saved and retrieved there…Now I am creating a payment feature where non authenticated users can pay users but i can not use session…What i am thinking of doing is first encrypting the data(ref and id) in server using AES 256 bit and then send them to localStorage, in the next process retrieve the data, decrypt and finish processing the payment, once payment is successful, delete the data…just want to know if this is ok or if there are security issues with it.
I am developing a web application which will require users to provide 3rd party API keys through the client, which will then be used to make requests to the 3rd party API from the backend of my app.
After researching, I believe the best way, and standard practice, is to store these API keys as plain text in my database.
However, my question lies in the security of these keys while they are in the process of being sent from the client to the database.
To further clarify, the 3rd party API keys will be entered by users client-side through a standard HTML form, and upon being submitted, the client will make a post request to my backend, which will in turn store the keys in mongodb.
Would bad actors be able to access these keys via dev tools or some other malicious means while they are in the process of being sent from the client to the backend?
If so, what actions can I take in order to secure them further while they are being sent from client to db?
The following constraints apply
In our company, we are developing cutting-edge and critical software which they will deploy on mission critical product, so I wanted to know how should I make the whole process from software development to software deployment secure? i.e. no one (from internal or even cybercriminal) could make some changes and modifications to our software. So for this purpose, what standard or best practices I should follow?