XF 1.2 Encrypting XF Data store?

[Main Company]

We're setting up a XF instance for a small private group of collaborators and I'm hoping to take as many precautions as possible to secure the data. Hence, I'm looking into the possibility of installing TrueCrypt on the server in order to encrypt the attachment directory. But I have no idea where forum data is stored and whether I can also encrypt or protect this data in any other way. Does anyone have any experience with methods for securing forum content, as I'd be interested in your various solutions.

By the way, we're installing an SSL cert so that all page is done over https. But that doesn't protect the data if the server is compromised.

 

[Jeremy]

The forum attachments are located within the data/ and internal_data/ directories.

 

[Main Company]

The forum attachments are located within the data/ and internal_data/ directories.

Right, but where are posts stored?

 

[Jeremy]

The database.

 

[Main Company]

The database.

MySQL? I assume on the local disk, but where?

So, if MySQL, would I be able to create an encrypted volume on the local disk and tell MySQL to place its data directory in the encrypted volume?

And, if this is possible, has anyone done this?

 

[Jeremy]

I have no experience in encryption. Talking with your host would be the best recommendation on how to see if encrypting your database is possible. They'll know your specific server set up.

 

[Main Company]

I have no experience in encryption. Talking with your host would be the best recommendation on how to see if encrypting your database is possible. They'll know your specific server set up.

Will do. I was just curious if anyone has actually taken these sort of precautions. I know I don't want my content getting into a hacker's hands.

 

[Main Company]

I have no experience in encryption. Talking with your host would be the best recommendation on how to see if encrypting your database is possible. They'll know your specific server set up.

Oh, and just to make sure we're on the same page, I'm not trying to encrypt the db, I'm just hoping to locate the db within an encrypted volume. So, once the machine is booted and the volume mounted, XF should be able to communicate with the db normally. It just means that if anyone tries to reboot the machine in order to hack-in, they won't be able to mount the encrypted volume where the XF db is stored, and hence won't be able to gain access to the db.

 

[Mike]

It sounds like you just want whole disk encryption. If you only encrypt some of the data, you couldn't rely on the binaries not being tampered with, for example (which would allow your data to be accessed later).

That said, once the server is running, the door is unlocked. I would suggest that someone is more likely to get access to your server via software than via physical access, for example.

 

[Main Company]

It sounds like you just want whole disk encryption. If you only encrypt some of the data, you couldn't rely on the binaries not being tampered with, for example (which would allow your data to be accessed later).

That said, once the server is running, the door is unlocked. I would suggest that someone is more likely to get access to your server via software than via physical access, for example.

We are seeking to encrypt a volume only because I don't think my host will give me full disk encryption, but yes, at least I am closing the door on physical intrusion by also including something like Tripwire to monitor binaries, which should at least notify me of binary changes before remounting the encrypted volume after a reboot. In that scenario, I guess I can at least choose to re-deploy another instance of the machine with a copy of the data, rather than continuing to use a machine where the binaries have been compromised, potentially exposing the data. I just don't want to experience what happened to Kickstarter recently, so while it's not perfect, hopefully I can prevent someone from being able to run off with my data.