Subject RE: [firebird-support] Re: how to protect DATA
Author Dean Harding
How much control do you have over the client’s machine? Can you, for
example, create a new user on it (perhaps during the installation process)?
Can you run a service?



If so, one possibility is to have the FB-accessing code run as a service
under a different user account and then use the encryption built into NTFS
to encrypt the database file.



Basically, the steps would be, during installation:



1. Create a new user account with a random password.

2. Create a service that runs under this account, set it to “Manual”
start.

3. Copy the database file under the new user’s profile path and set it
to encrypted.

4. You can discard the random password once installation is complete.



Now the client program can simply start the service when it starts up, and
talk to the database via that service. It can stop the service when it shuts
down. It’s then up to you to ensure the communication mechanism is secure,
but if you simply provide a “read-only” interface from that point, you
should be OK.



A couple of problems that I can think of:



· It requires an NTFS partition. 99% of people will have one these
days, but you may run into the odd person who does not.

· If the user changes the password of the service’s user account,
the database will be inaccessible (although this could be seen as a feature
:) ).

· You have to be careful with the access rights you grant on the
service object: you’ll want to allow limited user accounts to start and stop
the service, but you cannot allow anyone to change the service’s
configuration.



When you want to give them a new database, you can simply generate a new
random password for the user, copy the file, update the service to start
with the new password, and discard the password.



Dean.
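
A check for the third caveat in the message above (limited users may start and stop the service, nobody outside the administrators may reconfigure it), as an added example that is not part of the original thread. The service name, both SDDL strings, and the choice of LocalSystem and Administrators as the only trusted trustees are assumptions.

```powershell
# Added example; the service name and both SDDL strings are constructed.
$Service = 'FbDataService'   # hypothetical service name

# Access-right codes that allow reconfiguring or taking over a service object:
# DC = SERVICE_CHANGE_CONFIG, WD = WRITE_DAC, WO = WRITE_OWNER, SD = DELETE,
# GA / GW = generic all / generic write (both include change-config).
$Dangerous     = 'DC', 'WD', 'WO', 'SD', 'GA', 'GW'
$DangerousMask = 0x500D0002      # the same rights expressed as a numeric access mask
$Trusted       = 'SY', 'BA'      # assumption: only LocalSystem and Administrators may reconfigure

function Get-RiskyServiceAce {
    param([Parameter(Mandatory)][string]$Sddl)
    # ACE layout: (type;flags;rights;object_guid;inherit_object_guid;trustee)
    $acePattern = '\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)'
    foreach ($m in [regex]::Matches($Sddl, $acePattern)) {
        $type, $rights, $trustee = $m.Groups[1].Value, $m.Groups[3].Value, $m.Groups[6].Value
        # Only allow-ACEs grant access; audit (AU) and deny (D) entries are skipped.
        if ($type -ne 'A' -or $Trusted -contains $trustee) { continue }
        if ($rights -match '^0x') {
            # Rights given as a hex mask instead of two-letter codes.
            $bad = if ([Convert]::ToInt64($rights, 16) -band $DangerousMask) { $rights }
        } else {
            $bad = [regex]::Matches($rights, '[A-Z]{2}') | ForEach-Object { $_.Value } |
                   Where-Object { $Dangerous -contains $_ }
        }
        if ($bad) { [pscustomobject]@{ Trustee = $trustee; Rights = ($bad -join ',') } }
    }
}

# Constructed samples: in $Weak, interactive users (IU) also hold DC; in
# $Hardened they can query, start (RP) and stop (WP) the service, nothing more.
$Weak     = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPLOCRRC;;;IU)'
$Hardened = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPLOCRRC;;;IU)'

Get-RiskyServiceAce $Weak
Get-RiskyServiceAce $Hardened

# On a real machine, from an elevated prompt:
#   sc.exe sdset $Service $Hardened
#   Get-RiskyServiceAce ((sc.exe sdshow $Service) -join '')
```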



From: firebird-support@yahoogroups.com
[mailto:firebird-support@yahoogroups.com] On Behalf Of jesus martinez
Sent: Friday, 13 July 2007 3:18 PM
To: firebird-support@yahoogroups.com
Subject: Re: [firebird-support] Re: how to protect DATA




Anderson, thanks for your reply.
I can't do this, because I have to make searches
inside the records

select .... where containing ....

about the other suggestion about using TrueCrypt,
written disadvantages are so clear that it is not
an option.

thanks in advance to both,
j.-

> Hi,
>
> 1) Encrypt the data on the client side then store
> into FB.
> 2) Read the encrypted data from FB, decrypt on the
> client and display.
>
> Does it make sense? (that's what I do when I need some
> info to be encrypted)
>
>
> Regards,
> Anderson