Re: [Firebird-net-provider] Connecting to encrypted databases
> Binary data should be able to be represented with hexadecimal. And,

Good point.

> We are looking at implementing our own encryption plugin, but still
> undecided how the key will be passed, since our application uses a mix
> of Delphi(IBDAC) and C#(EF6). Our initial thought is that it will have
> to be on the server with the database, since we can't find proper
> documentation on how to pass it from the client, even with the
> database management tools, although it is part of Firebird's
> architecture. It seems to be one area that third-party tools and

Look at op_crypt_key_callback.

> And, I'm hoping that I will have the time in the next few weeks to
> create a VSIX installer for DDEX, because the registry entries are not
> staying and I have to add them every time that I need to add EF6 classes
> to represent tables. Once created, it will surely be contributed to
> the project.

Great.

--
Mgr. Jiří Činčura
https://www.tabsoverspaces.com/

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Firebird-net-provider mailing list
Firebird-net-provider@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/firebird-net-provider

Re: [Firebird-net-provider] Connecting to encrypted databases
Hi,

At July 12, 2017, 5:44 AM, Jiří Činčura wrote:

>> I think it makes more sense on the connection string. It already contains
>> sensitive info (username,password) and needing to provide connection
>> related info by another method would be counter intuitive.

> Good point.

> In my thinking I saw two problems, slightly different from what password
> does. The key can be binary data and that's difficult to pass in string.
> And the key might be stored on some HSM.

> Not that it would rule out connection string completely, it just makes
> fit less, IMO.

Binary data should be able to be represented with hexadecimal. And, don't forget that whatever is chosen has to be easily implemented when using Entity Framework.

We are looking at implementing our own encryption plugin, but still undecided how the key will be passed, since our application uses a mix of Delphi(IBDAC) and C#(EF6). Our initial thought is that it will have to be on the server with the database, since we can't find proper documentation on how to pass it from the client, even with the database management tools, although it is part of Firebird's architecture. It seems to be one area that third-party tools and components haven't taken much time implementing, maybe because there is no disk encryption plugin provided out-of-the-box with Firebird, and not enough user interest.

Having said that, keep up the excellent work Jiri.

And, I'm hoping that I will have the time in the next few weeks to create a VSIX installer for DDEX, because the registry entries are not staying and I have to add them every time that I need to add EF6 classes to represent tables. Once created, it will surely be contributed to the project.

--
Best regards,
Daniel Rail
Senior Software Developer
ACCRA Solutions Inc. (www.accra.ca)
ACCRA Med Software Inc. (www.filopto.com)

Re: [Firebird-net-provider] Connecting to encrypted databases
> Which would not be true anymore, except if you add EncryptionKey to
> connection string parsing anyway.

Of course I would. The builder and connection string options are in sync.

--
Mgr. Jiří Činčura
https://www.tabsoverspaces.com/

Re: [Firebird-net-provider] Connecting to encrypted databases
Not exactly sure what you mean with right away.

The reason to not use the existing ConnectionStringBuilder is that it is implicit that it can be converted to a string. Which would not be true anymore, except if you add EncryptionKey to connection string parsing anyway.

On 12 July 2017 at 13:51, Jiří Činčura wrote:

> > What about a callback on Connection that returns a Connection Info
> > (ConnectionStringBuilder-like) object.
> > Could also add a connection constructor overload that accepts a
> > Connection Info object.
> > Can then provide all connection data in one place with convenience of not
> > converting from/to a string.
>
> Then the ConnectionStringBuilder can be used right away, no?
>
> --
> Mgr. Jiří Činčura
> https://www.tabsoverspaces.com/

Re: [Firebird-net-provider] Connecting to encrypted databases
> What about a callback on Connection that returns a Connection Info
> (ConnectionStringBuilder-like) object.
> Could also add a connection constructor overload that accepts a
> Connection Info object.
> Can then provide all connection data in one place with convenience of not
> converting from/to a string.

Then the ConnectionStringBuilder can be used right away, no?

--
Mgr. Jiří Činčura
https://www.tabsoverspaces.com/

Re: [Firebird-net-provider] Connecting to encrypted databases
What about a callback on Connection that returns a Connection Info (ConnectionStringBuilder-like) object.
Could also add a connection constructor overload that accepts a Connection Info object.
Can then provide all connection data in one place with convenience of not converting from/to a string.

On 12 July 2017 at 10:44, Jiří Činčura wrote:

> > I think it makes more sense on the connection string. It already contains
> > sensitive info (username,password) and needing to provide connection
> > related info by another method would be counter intuitive.
>
> Good point.
>
> In my thinking I saw two problems, slightly different from what password
> does. The key can be binary data and that's difficult to pass in string.
> And the key might be stored on some HSM.
>
> Not that it would rule out connection string completely, it just makes
> fit less, IMO.
>
> --
> Mgr. Jiří Činčura
> https://www.tabsoverspaces.com/

Re: [Firebird-net-provider] Connecting to encrypted databases
I think it makes more sense on the connection string. It already contains sensitive info (username,password) and needing to provide connection related info by another method would be counter intuitive.

On 12 July 2017 at 08:55, Jiří Činčura wrote:

> Hi *,
>
> thanks to IBPhoenix I have a plugin
> (http://www.ibphoenix.com/products/software/encryptionplugin) to create
> encrypted database and I have a working prototype for passing the key.
> Now the question of the day. :)
>
> How to pass the key? The two obvious options are in connection string
> and callback on i.e. FbConnection. The callback seems to be an obvious
> choice, because it's most versatile. But I'd like to hear some other
> opinions as well.
>
> --
> Mgr. Jiří Činčura
> https://www.tabsoverspaces.com/
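
The two options weighed in this thread, side by side, as an added C# sketch that is not part of any post and not FirebirdClient code. It uses the real `System.Data.Common.DbConnectionStringBuilder`; the `encryption key` keyword, the `KeyCallback` delegate and the sample key are assumptions made for illustration.

```csharp
using System;
using System.Data.Common;
using System.Linq;

// Hypothetical sketch: the "encryption key" keyword and KeyCallback are
// assumptions for illustration, not FirebirdClient API.
static class KeyPassingSketch
{
    const string Keyword = "encryption key"; // assumed keyword name

    // Option 1: a binary key carried in the connection string as hexadecimal.
    static string ToHex(byte[] key) =>
        string.Concat(key.Select(b => b.ToString("x2")));

    static byte[] FromHex(string hex)
    {
        if (hex.Length % 2 != 0)
            throw new FormatException("Hex key must have an even number of digits.");
        var key = new byte[hex.Length / 2];
        for (int i = 0; i < key.Length; i++)
            key[i] = Convert.ToByte(hex.Substring(2 * i, 2), 16);
        return key;
    }

    // Option 2: the provider asks for the key only when it needs it, so the
    // key never has to exist as a string in configuration.
    delegate byte[] KeyCallback();

    static void Main()
    {
        // Constructed sample key with bytes (0x00, ';', '=') that could not be
        // placed in a connection string verbatim.
        byte[] key = { 0x00, 0x3B, 0x3D, 0xFF, 0x10, 0x7F };

        var builder = new DbConnectionStringBuilder();
        builder["database"] = "example.fdb";
        builder[Keyword] = ToHex(key);
        string connectionString = builder.ConnectionString;

        // Parsing side: the key is recovered byte for byte from the string.
        var parsed = new DbConnectionStringBuilder { ConnectionString = connectionString };
        byte[] fromString = FromHex((string)parsed[Keyword]);
        Console.WriteLine("round-trip ok: " + fromString.SequenceEqual(key));

        // The string form now contains the key, just as it contains the
        // password, so it needs the same care in logs and config files.
        Console.WriteLine("key visible in string: " + connectionString.Contains(ToHex(key)));

        // Callback form: stand-in for a lookup in an external key store.
        KeyCallback callback = () => key;
        Console.WriteLine("callback ok: " + callback().SequenceEqual(key));
    }
}
```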