I'm developing an API which requires an API key to use. These keys are assigned to users. To figure out which user the key belongs to, I have to store some information in that key. But I don't want it to be seen by "others". So I want to encrypt that value.
- I was first thinking about making an encryption key for each user, but then I figured that if the database were breached, they would have the key for each user.
- So instead, I thought I should make a server-side encryption key. But I realised that if they had breached the database, they probably wouldn't care much about that encryption key anymore.
And then I started asking myself the question: What can I do to protect the data stored in a database, even if it has been breached?
For example, does it make sense to encrypt the values inside the database? I would assume not, due to the time needed to decrypt everything again, which would make for a bad user experience. So what options do I have?
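One option that survives a database breach, shown as an added example (not code from the question or from any answer): keep the user lookup data out of the key entirely, store only a keyed hash of the key's secret part next to a non-secret lookup id, and keep the hashing key (a "pepper") outside the database. A dumped table then contains no usable API keys and no per-user encryption keys. The pepper value, the in-memory "table" and the function names are all constructed for this example.

```python
import hmac
import hashlib
import secrets

# Constructed stand-in for a database table: key_id -> (user_id, secret_hash).
# Only the hash of the secret is ever stored; the secret itself is not.
DB = {}

# Server-side pepper, held outside the database (env var, KMS, HSM).
# Constructed value for this example; in production it is loaded, not hard-coded.
PEPPER = b"example-pepper-kept-outside-the-db"

def hash_secret(secret: str) -> str:
    # HMAC-SHA256 keyed with the pepper. The secret is a 256-bit random token,
    # so a fast hash is fine here; without the pepper a leaked row is not
    # verifiable at all, and with it there is nothing low-entropy to guess.
    return hmac.new(PEPPER, secret.encode(), hashlib.sha256).hexdigest()

def issue_key(user_id: int) -> str:
    # key_id is a public handle used only to find the row; the secret part
    # carries no user information, so nothing about the user is "in" the key.
    key_id = secrets.token_hex(8)
    secret = secrets.token_urlsafe(32)
    DB[key_id] = (user_id, hash_secret(secret))
    # The caller receives "<key_id>.<secret>" exactly once.
    return f"{key_id}.{secret}"

def lookup_user(api_key: str):
    # Returns the owning user_id, or None for malformed, unknown or wrong keys.
    try:
        key_id, secret = api_key.split(".", 1)
    except ValueError:
        return None
    row = DB.get(key_id)
    if row is None:
        return None
    user_id, stored_hash = row
    # Constant-time comparison avoids leaking how many hex digits matched.
    if hmac.compare_digest(stored_hash, hash_secret(secret)):
        return user_id
    return None
```

Revoking a key is just deleting its row; rotating the pepper requires reissuing keys, which is the usual trade-off for keeping it out of the database.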