On Monday 08 May 2017 17:35:59 Antonis Christofides wrote:
> > Unfortunately, that doesn't prevent theft at runtime, which is the
> > primary case for encrypting "documents". I used to do something
> > like this with svn passwords, using a file-backed mdconfig store
> > and geli.
>
> But during runtime, Django has access to the unencrypted database
> (otherwise it wouldn't be able to work). So any attacker who has
> managed to compromise Django

You assume Django is compromised. I don't. Could be the webserver. Could be some other application that exposes the file.

Another use case for encrypting the sqlite database is that it doesn't have authentication, so you cannot pass on login credentials to the database like you do with a "real" database system. This is one way for embedded systems to personalize devices without having to manage another server component.

With IoT security being under a microscope these days, I can see the potential. And from experience, Django runs fine on a Raspberry Pi and is an easy way to provide a user interface that is accessible from anywhere.

--
Melvyn Sopacua