Subject | Re: [Firebird-Architect] Re: database encryption |
---|---|
Author | Jim Starkey |
Post date | 2010-11-08T15:43:21Z |
On 11/8/2010 10:32 AM, Alex Peshkoff wrote:
> On 11/08/10 18:15, Jim Starkey wrote:
>> On 11/8/2010 6:38 AM, Daniel Rail wrote:
>>>> I suggest here not to go into details of crypt implementation (what
>>>> algorithm, what library, etc.). Instead interfaces needed to support
>>>> line & file encryption should be defined.
>>> It's all that I'm asking for, is interfaces to be able to define our
>>> own line and file encryption.
>>>
>> I'm afraid that just adding interfaces isn't nearly enough. To do even
>> plausible line encryption (out of SSL), you need the following:
>>
> Certainly, we need to have all of this. Only an interface is definitely not
> enough. But as far as I've understood Daniel, an interface is enough from
> the user's POV to be able to write a crypt plugin with the crypt algorithm
> the particular user needs.

There is no point in having an encryption interface without a mechanism
to manage keys.

>> 1. Creation or maintenance of a public key pair on the server for key
>> transmittal.
> Suppose this is one more hook on server startup. How the plugin
> generates keys (or loads them from disk - for line encryption that is probably
> acceptable) is not our problem.

That's something to be decided. For NimbusDB, I generate an RSA key
pair at server start up time so I don't have to store the private key on
disk. But there are alternatives, depending on how much you trust the
security on the disk. If you're considering page level encryption, by
definition you don't trust the disk.

>> 5. Hooks in PIO for page encryption
> Sorry - maybe we can start with line encryption? :)

I think that makes sense as long as the architecture is capable of
supporting both line and page level encryption.

--
Jim Starkey
Founder, NimbusDB, Inc.
978 526-1376
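The two mechanisms Jim names in this message, a server key pair generated at start-up for key transmittal and separate line- and page-level encryption, as an added example that is not part of the original thread and not Firebird or NimbusDB code. It assumes an RSA-OAEP wrap of a client-chosen AES-256 session key, AES-GCM for both wire messages and pages, and a hypothetical `SealPage`/`OpenPage` pair standing in for the PIO hook; the page number is bound in as additional authenticated data so a ciphertext moved to another page slot fails to open. The database key for page encryption is generated inline for the demo; where it actually comes from is the key-management question the message says the interface alone does not answer.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Server keeps its RSA key pair only in memory: generated at start-up, never
// written to disk. Clients must fetch the public key again after a restart.
type Server struct{ priv *rsa.PrivateKey }

func NewServer() (*Server, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Server{priv: priv}, nil
}

func (s *Server) PublicKey() *rsa.PublicKey { return &s.priv.PublicKey }

// WrapSessionKey runs on the client: choose a fresh AES-256 session key and
// wrap it with RSA-OAEP under the server's public key for transmittal.
func WrapSessionKey(pub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, []byte("session-key"))
	return sessionKey, wrapped, err
}

// UnwrapSessionKey runs on the server and recovers the client's session key.
func (s *Server) UnwrapSessionKey(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, wrapped, []byte("session-key"))
}

// seal/open: AES-GCM with a fresh random nonce prepended to the ciphertext,
// so one key can protect many messages or many rewrites of the same page.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data shorter than nonce")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Line encryption: one wire message under the negotiated session key.
func SealLine(sessionKey, msg []byte) ([]byte, error)    { return seal(sessionKey, msg, nil) }
func OpenLine(sessionKey, sealed []byte) ([]byte, error) { return open(sessionKey, sealed, nil) }

// Page encryption (hypothetical PIO hook): the page number is authenticated
// data, so a page copied into a different slot is rejected rather than read.
func pageAAD(pageNo uint32) []byte { return binary.BigEndian.AppendUint32(nil, pageNo) }
func SealPage(dbKey []byte, pageNo uint32, page []byte) ([]byte, error) {
	return seal(dbKey, page, pageAAD(pageNo))
}
func OpenPage(dbKey []byte, pageNo uint32, stored []byte) ([]byte, error) {
	return open(dbKey, stored, pageAAD(pageNo))
}

// Demo runs the exchange on constructed data: key transmittal, one encrypted
// line, one encrypted page, and an attempted page swap.
func Demo() (lineOK, pageOK, swapRejected bool, err error) {
	srv, err := NewServer()
	if err != nil {
		return
	}
	sessionKey, wrapped, err := WrapSessionKey(srv.PublicKey())
	if err != nil {
		return
	}
	serverKey, err := srv.UnwrapSessionKey(wrapped)
	if err != nil {
		return
	}
	req := []byte("SELECT 1 FROM RDB$DATABASE") // constructed sample request
	sealedReq, err := SealLine(sessionKey, req)
	if err != nil {
		return
	}
	got, err := OpenLine(serverKey, sealedReq)
	if err != nil {
		return
	}
	lineOK = bytes.Equal(got, req)

	dbKey := make([]byte, 32) // constructed database key; real source is key management
	if _, err = rand.Read(dbKey); err != nil {
		return
	}
	page := bytes.Repeat([]byte{0xAB}, 4096) // constructed 4 KiB page image
	stored, err := SealPage(dbKey, 7, page)
	if err != nil {
		return
	}
	back, err := OpenPage(dbKey, 7, stored)
	if err != nil {
		return
	}
	pageOK = bytes.Equal(back, page)
	_, swapErr := OpenPage(dbKey, 8, stored) // same bytes presented as page 8
	swapRejected = swapErr != nil
	return
}

func main() {
	lineOK, pageOK, swapRejected, err := Demo()
	fmt.Println("line:", lineOK, "page:", pageOK, "swap rejected:", swapRejected, "err:", err)
}
```

The private key exists only for the life of the process, which is the disk-trust argument in the message; the price is that a client cannot verify the server's identity from a pinned key across restarts, so in practice the ephemeral key needs to be authenticated by some other channel or the exchange is open to an active man-in-the-middle.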