I'm using Perl/MySQL/Apache to make a small internal information-sharing app. There will be users with different security levels, and many of those users are likely to have root/admin privileges to the host server and other parts of our network.
I had originally designed something like this:
A master key would be used to encrypt all the content, but obviously I don't want this key stored in plaintext (neither in code nor in the DB), so there would be a Keys table where each user's public key is used to encrypt a copy of the cipher. If for some reason the master key should need to be changed, the key copies could all be regenerated and no data would be lost.
Each user would have an entry in the Users table, with their password and their private key encrypted with a hash of their plaintext password. On login, the text would be used to decrypt and compare with the stored encrypted password to verify identity, then to decrypt the private key, which is stored on the server in a session variable until logout.
What I would like to do is use AD authentication via LDAP instead of a local password for all but the Admin user. But since the users' passwords could change between logins, I can't rely on that as ciphertext to encrypt/decrypt the private keys.
So my question is this: What is a reasonably secure piece of private data I can use from AD as a cipher? I don't want this to be apparent to anyone with access to AD Users & Computers or the like, though I would of course have to be able to get this info from a server process somehow. (Maybe through user impersonation?)
Any other ideas or gaping holes in this process? I know the server process potentially could be exploited to dump memory contents, or a root user might be able to read the same through raw access, but that is acceptable risk. Ultimately anyone with root or physical access is generally trustworthy. Nonetheless, I want the database contents encrypted to keep honest folks honest.