Application encryption scheme

[sqlvs]

We've got a web-based application where users are filling out forms,
and there's a potential requirement that user information be encrypted
as it's submitted, and not decrypted and available for administrators
to review until users submit the forms for final approval. So the user
may partially or completely fill out the forms, we store the encrypted
data until they click a final submission button, at which point it
becomes unencrypted and available for administrators to review. It's a
privacy consideration.

Has anyone here worked on an application like this before and, if so,
how did you approach it? Did you do anything special in the database
tier or was all the encryption handled in application code? It seems
like overkill to us and in fact may not end up being a requirement
(especially if we can't find a viable scheme for managing it), but I'm
hoping there's an established strategy or pattern to accommodate the
requirements.

Any ideas?

 

[Natty Gur]

Hi,

Not the same but ... I need to enable my users to encrypt some of their
"Account" data. To achieve it I'm using DB to store user Key that he
choose (for recovery reasons). I use Rijndeal in my application level
(yes, it's a service) to encrypt and decrypt user data (by using key
that user submit).

HTH

Natty Gur[MVP]

blog : http://weblogs.asp.net/ngur
Mobile: +972-(0)52-8888377


*** Sent via Devdex http://www.devdex.com ***
Don't just participate in USENET...get rewarded for it!

 

[bruce barker]

its pretty common requirement to encrypt credit card numbers, social
security, etc. before storing in a database. the closer to input and display
you can put the encrypting the better.


-- bruce (sqlwork.com)

 

[sqlvs]

Thanks for the responses, guys. It could be that I'm over-thinking
this a bit. Certainly many applications encrypt some data elements. I
just think of this differently since it's everything that's being
encrypted. But I guess the principles are the same.