Subject Re: protecting firebird's database
Author Adam
--- In, "kokok_kokok"
<kokok_kokok@...> wrote:
> I have the same problem, I do not know how to protect the database
> against users.
> Of course, the best way is to protect the server, but in my case, it
> cannot work. My application is distributed via Internet, customers
> install Firebird and my application in their PC. I cannot access to
> their PC, but they have free access and all rights.
> Then, they can manipulated the data, change structures, etc... and it
> is a really headache for me.
> Does somebody has a clue about how to protect or encrypt the database
> file in a PC where the user has the administration rights?


The best you can do to prevent them changing something is to calculate
and store a hash of some sort, or to use some encryption technique to
encrypt the data before it is stored. That may be 'secure enough' to
prevent people who aren't seriously interested in your data.

With an open source database, you don't even have the obscurity of the
data file formats to hide your data inside, the source code that
stores and retrieves the data is available to anyone. We all know that
obscuring the data provides no real security, and none whatsoever once
the format is understood.

Your application or a UDF will at some stage have to use a private key
to decrypt the data, and if the administrator has access to the file
system, they can reverse engineer this out.

The fact you are asking if it is possible even after this entire
thread shows you don't seem to understand the problem at hand. It is
like saying that I want to secure my house, except I can't prevent
people from having access to my house keys, so perhaps you could
implement some tricky lock that requires you to insert the key at a
particular speed and hold it in a particular direction for a length of
time before the door unlocks.

While others don't know these rules, you could think your house is
secure, but as soon as someone discovers the secret, your lock might
as well not be there. With the source that reads and writes data pages
to disks publicly available from here:

it is impossible to protect you from that. All built in encryption
could really do is open the possibility for some company to offer
'data recovery services'.