On Saturday, August 22, 2015, Brian Vraamark <brian.vraam...@plandent.dk>
wrote:

> On windows you can use DPAPI. I don't know if Linux (and other systems)
> has something similar (maybe Gnome-Keyring?).
>
I have a strong preference for portable, transparent solutions.  In theory,
Microsoft has the same problem that unattended startup without a remote
connection has, which is everything Microsoft uses to decrypt private data
is present on the local machine.  Ultimately, Microsoft can only obscure
it, which is why the recommended usage requires an external user dialog and
password.  There is also the small point that it has been broken (see
Wikipedia).


> On the server you need to create an account used exclusively by the
> Firebird Service. Firebird can then use CryptProtectData() and
> CryptUnprotectData() to encrypt the database key and store the encrypted
> data in files (maybe hex/base64 encoded in database.conf).
>
> Working with keys in memory can be protected with CryptProtectMemory() and
> CryptUnprotectMemory(). It prevents others from viewing the key when the
> process is paged out to the swapfile.
>
> One important thing to remember is that if someone resets (not changes) the
> user's (Firebird service account) password, you will be unable to decrypt
> your data.
>
> Brian Vraamark

-- 
Jim Starkey
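The DPAPI workflow Brian sketches above, as an added example (not code from this thread, and not Firebird's own): it protects a database key under the service account, stores it base64-encoded in a config file, reads it back at "startup", and scrambles the in-memory copy with CryptProtectMemory's managed wrapper between uses. It goes through .NET's ProtectedData/ProtectedMemory rather than calling CryptProtectData() directly, and assumes Windows PowerShell 5.1 (.NET Framework) on Windows. The config path, key name, entropy string and the key bytes are all constructed for the example. It also makes Jim's point visible: any code running as that account can call Unprotect, so the blob is tied to the account, not hidden from it.

```powershell
# Added example, not code from the thread or from Firebird. Assumes Windows
# PowerShell 5.1 on Windows; ProtectedData/ProtectedMemory are the .NET
# wrappers over CryptProtectData/CryptProtectMemory.
Add-Type -AssemblyName System.Security

$confPath = Join-Path $env:TEMP 'database.conf'                   # hypothetical location
$entropy  = [Text.Encoding]::UTF8.GetBytes('firebird-dbkey-v1')    # constructed extra entropy
$userScope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$memScope  = [System.Security.Cryptography.MemoryProtectionScope]::SameProcess

# Constructed 32-byte database key, generated with a CSPRNG.
$dbKey = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($dbKey)

# --- Provisioning step: run once as the Firebird service account ---
# CurrentUser scope ties the blob to this account's DPAPI master key; that is
# why a password *reset* (as opposed to a change) makes the blob unrecoverable.
$blob = [System.Security.Cryptography.ProtectedData]::Protect($dbKey, $entropy, $userScope)
"DatabaseKey = $([Convert]::ToBase64String($blob))" | Set-Content -Path $confPath

# --- Startup step: run later by the service under the same account ---
$text = Get-Content -Path $confPath -Raw
if ($text -notmatch 'DatabaseKey\s*=\s*(\S+)') { throw 'DatabaseKey missing from database.conf' }
$stored = [Convert]::FromBase64String($Matches[1])

try {
    $recovered = [System.Security.Cryptography.ProtectedData]::Unprotect($stored, $entropy, $userScope)
} catch [System.Security.Cryptography.CryptographicException] {
    # Thrown when run under a different account, or after the service
    # account's password was reset rather than changed.
    throw "DPAPI could not unprotect the database key: $($_.Exception.Message)"
}

if ([Convert]::ToBase64String($recovered) -ne [Convert]::ToBase64String($dbKey)) {
    throw 'round-trip mismatch'
}

# Keep the key scrambled while it sits in process memory (a swapped-out page
# or a process dump then holds ciphertext), and unprotect only around use.
# ProtectedMemory needs a buffer whose length is a multiple of 16 bytes.
[System.Security.Cryptography.ProtectedMemory]::Protect($recovered, $memScope)
# ... key is opaque here ...
[System.Security.Cryptography.ProtectedMemory]::Unprotect($recovered, $memScope)
# ... use the key, then wipe both copies rather than leaving them to the GC.
[Array]::Clear($recovered, 0, $recovered.Length)
[Array]::Clear($dbKey, 0, $dbKey.Length)
Write-Host "Database key round-tripped through DPAPI; blob stored in $confPath"
```

Run it once as the service account to see the provisioning and startup halves succeed; run the startup half under any other account and Unprotect throws the CryptographicException, which is the behaviour the reset-password caveat refers to.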
------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel