Discussion:
[Firebird-net-provider] Connecting to encrypted databases
Jiří Činčura
2017-07-12 06:55:47 UTC
Hi *,

thanks to IBPhoenix I have a plugin
(http://www.ibphoenix.com/products/software/encryptionplugin) to create
an encrypted database and I have a working prototype for passing the key.
Now the question of the day. :)

How to pass the key? The two obvious options are in connection string
and callback on i.e. FbConnection. The callback seems to be an obvious
choice, because it's most versatile. But I'd like to hear some other
opinions as well.
--
Mgr. Jiří Činčura
https://www.tabsoverspaces.com/
Gerdus van Zyl
2017-07-12 08:10:44 UTC
I think it makes more sense on the connection string. It already contains
sensitive info (username, password) and needing to provide connection
related info by another method would be counterintuitive.
Post by Jiří Činčura
Hi *,
thanks to IBPhoenix I have a plugin
(http://www.ibphoenix.com/products/software/encryptionplugin) to create
an encrypted database and I have a working prototype for passing the key.
Now the question of the day. :)
How to pass the key? The two obvious options are in connection string
and callback on i.e. FbConnection. The callback seems to be an obvious
choice, because it's most versatile. But I'd like to hear some other
opinions as well.
--
Mgr. Jiří Činčura
https://www.tabsoverspaces.com/
------------------------------------------------------------
------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Firebird-net-provider mailing list
https://lists.sourceforge.net/lists/listinfo/firebird-net-provider
Jiří Činčura
2017-07-12 08:44:13 UTC
Post by Gerdus van Zyl
I think it makes more sense on the connection string. It already contains
sensitive info (username, password) and needing to provide connection
related info by another method would be counterintuitive.
Good point.

In my thinking I saw two problems, slightly different from what password
does. The key can be binary data and that's difficult to pass in string.
And the key might be stored on some HSM.

Not that it would rule out connection string completely, it just makes
it fit less, IMO.
--
Mgr. Jiří Činčura
https://www.tabsoverspaces.com/
Gerdus van Zyl
2017-07-12 10:49:12 UTC
What about a callback on Connection that returns a Connection Info
(ConnectionStringBuilder-like) object.
Could also add a connection constructor overload that accepts a Connection
Info object.
Can then provide all connection data in one place with convenience of not
converting from/to a string.
Post by Jiří Činčura
Post by Gerdus van Zyl
I think it makes more sense on the connection string. It already contains
sensitive info (username, password) and needing to provide connection
related info by another method would be counterintuitive.
Good point.
In my thinking I saw two problems, slightly different from what password
does. The key can be binary data and that's difficult to pass in string.
And the key might be stored on some HSM.
Not that it would rule out connection string completely, it just makes
it fit less, IMO.
--
Mgr. Jiří Činčura
https://www.tabsoverspaces.com/
Jiří Činčura
2017-07-12 11:51:26 UTC
Post by Gerdus van Zyl
What about a callback on Connection that returns a Connection Info
(ConnectionStringBuilder-like) object.
Could also add a connection constructor overload that accepts a Connection
Info object.
Can then provide all connection data in one place with convenience of not
converting from/to a string.
Then the ConnectionStringBuilder can be used right away, no?
--
Mgr. Jiří Činčura
https://www.tabsoverspaces.com/
Gerdus van Zyl
2017-07-12 13:10:20 UTC
Not exactly sure what you mean by "right away". The reason to not use the
existing ConnectionStringBuilder is that it is implicit that it can be
converted to a string.
Which would not be true anymore, except if you add EncryptionKey to
connection string parsing anyway.
Post by Jiří Činčura
Post by Gerdus van Zyl
What about a callback on Connection that returns a Connection Info
(ConnectionStringBuilder-like) object.
Could also add a connection constructor overload that accepts a Connection
Info object.
Can then provide all connection data in one place with convenience of not
converting from/to a string.
Then the ConnectionStringBuilder can be used right away, no?
--
Mgr. Jiří Činčura
https://www.tabsoverspaces.com/
Jiří Činčura
2017-07-12 13:29:58 UTC
Post by Gerdus van Zyl
Which would not be true anymore, except if you add EncryptionKey to
connection string parsing anyway.
Of course I would. The builder and connection string options are in
sync.
--
Mgr. Jiří Činčura
https://www.tabsoverspaces.com/
Daniel Rail
2017-07-12 12:30:15 UTC
Hi,
Post by Jiří Činčura
Post by Gerdus van Zyl
I think it makes more sense on the connection string. It already contains
sensitive info (username, password) and needing to provide connection
related info by another method would be counterintuitive.
Good point.
In my thinking I saw two problems, slightly different from what password
does. The key can be binary data and that's difficult to pass in string.
And the key might be stored on some HSM.
Not that it would rule out connection string completely, it just makes
it fit less, IMO.
Binary data should be able to be represented with hexadecimal. And,
don't forget that whatever is chosen has to be easily implemented when
using Entity Framework.

We are looking at implementing our own encryption plugin, but still
undecided how the key will be passed, since our application uses a mix
of Delphi (IBDAC) and C# (EF6). Our initial thought is that it will have
to be on the server with the database, since we can't find proper
documentation on how to pass it from the client, even with the
database management tools, although it is part of Firebird's
architecture. It seems to be one area that third-party tools and
components haven't taken much time implementing, maybe because
there is no disk encryption plugin provided out-of-the-box with
Firebird, and not enough user interest.

Having said that, keep up the excellent work Jiri.

And, I'm hoping that I will have the time in the next few weeks to
create a VSIX installer for DDEX, because the registry entries are not
staying and I have to add them every time that I need to add EF6 classes
to represent tables. Once created, it will surely be contributed to
the project.
--
Best regards,
Daniel Rail
Senior Software Developer
ACCRA Solutions Inc. (www.accra.ca)
ACCRA Med Software Inc. (www.filopto.com)
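The two designs debated in this thread, the hex-encoded key in the connection string and a key callback, side by side as an added sketch. This is not code from the Firebird .NET provider or from any poster; `EncryptionKey`, `KeyPassingDemo` and the `Func<byte[]>` callback are assumed names, and only `System.Data.Common.DbConnectionStringBuilder` is a real API. It shows the practical difference a reviewer cares about: with option 1 the key becomes part of a string that gets logged and copied, with option 2 it is fetched on demand (for example from an HSM) and scrubbed after use.

```csharp
using System;
using System.Data.Common;
using System.Security.Cryptography;

// Hypothetical sketch of both key-passing designs from the thread.
static class KeyPassingDemo
{
    // Option 1: key in the connection string. Binary keys cannot be
    // carried verbatim, so they are hex-encoded (as Daniel suggests).
    // "EncryptionKey" is an assumed keyword, not a real provider option.
    public static string BuildConnectionString(byte[] key)
    {
        var b = new DbConnectionStringBuilder
        {
            ["DataSource"] = "localhost",
            ["User"] = "SYSDBA",
            ["EncryptionKey"] = BitConverter.ToString(key).Replace("-", "")
        };
        // Caveat: ToString()/ConnectionString now carries the key in clear,
        // so anything that logs or persists the string leaks it.
        return b.ConnectionString;
    }

    // Parsing side of option 1: hex string back to the raw key bytes.
    public static byte[] KeyFromConnectionString(string cs)
    {
        var b = new DbConnectionStringBuilder { ConnectionString = cs };
        string hex = (string)b["EncryptionKey"];
        var key = new byte[hex.Length / 2];
        for (int i = 0; i < key.Length; i++)
            key[i] = Convert.ToByte(hex.Substring(2 * i, 2), 16);
        return key;
    }

    // Option 2: callback. The provider asks for the key only at the moment
    // the server requests it, so the key can live in an HSM or key vault and
    // never appears in any string. The buffer is scrubbed once consumed.
    public static int UseKeyFromCallback(Func<byte[]> keyCallback)
    {
        byte[] key = keyCallback();
        try { return key.Length; }              // stand-in for handing key to the wire protocol
        finally { Array.Clear(key, 0, key.Length); } // do not leave the key in managed memory
    }

    public static void Main()
    {
        var key = new byte[32];                 // constructed sample key, not a real one
        RandomNumberGenerator.Fill(key);
        string cs = BuildConnectionString(key);
        Console.WriteLine(cs.Contains("EncryptionKey="));           // True: key is exposed in the string
        Console.WriteLine(KeyFromConnectionString(cs).Length == 32); // True: hex round-trips
        Console.WriteLine(UseKeyFromCallback(() => (byte[])key.Clone())); // 32, key never stringified
    }
}
```

Both designs can coexist (the builder and connection string options staying in sync, as Jiří notes), but the callback is the only one that keeps an HSM-resident key out of every string the application handles.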