Subject Re: [firebird-support] Encryption
Author Geoff Worboys
Aage Johansen wrote:
> You are probably right. As I said, I haven't yet seen the
> actual requirements, but what has been reported indicate
> that they aren't easily fulfilled. Encrypting the disc or
> the entire database is probably not enough. Don't ask me
> why (yet). Do the requirements make sense, do they make
> anything more secure (than disk encryption)? Probably not.
> We will just have to comply. I'll probably be back later,
> hoping to be more specific. If it isn't obvious, let me
> just confess: I have next to no experience with encryption
> technology.

A few things.

. Read my notes about the problems of UDF style encryption,
all partial database encryption is going to suffer in
similar ways. The practicalities of full database
encryption are not simple either.

. You do not have to do whole-disk encryption. With the
examples I am giving here (links below) you create a
file that then gets mounted as though it was a disk.
With Truecrypt at least you can even use a sparse file
(NTFS only) so it grows as needed (within the defined
upper limit).

This means you dont have to sell them on the encryption
for all their system (even though they would possibly
benefit from it). You just sell them your product
wrapped in the encrypted file - the security procedure
includes mounting that file as a volume at the server
before anyone can access the database. If the mount
process is manual (the passphrase typed by an authorised
person) then this will give you strong protection even
if someone were to steal the entire disk drive.

. If you are not an expert in security systems you are
best off using a product and the instructions of a
reputable provider. But beware of snake-oil:
http://www.schneier.com/crypto-gram-9902.html#snakeoil


There are three products that I have used in the past:

. PGPDisk (now called PGP Virtual Disk I think)
http://www.pgp.com/
it has been many years since I used PGP products so I cannot
tell you much about their current offerings.

. BestCrypt from Jetico
http://www.jetico.com/encryption-bestcrypt/
it has been several years since I used BestCrypt but at that
time they seemed to be a very responsive provider

. TrueCrypt
http://www.truecrypt.org/
this is what I use now. The website carries on a lot about
"plausible deniability" and hidden volumes and so on. I
suggest you ignore that aspect unless, it seems unlikely to
be of use to you (and I dont find it all that plausible
anyway).

At least the last two have both Windows and Linux offerings.


--
Geoff Worboys
Telesis Computing