Re: [Firebird-net-provider] Connecting to encrypted databases

2017-07-12 Thread Jiří Činčura
> Binary data should be able to be represented with hexadecimal. And,

Good point.

> We are looking at implementing our own encryption plugin, but still
> undecided how the key will be passed, since our application uses a mix
> of Delphi(IBDAC) and C#(EF6). Our initial thought is that it will have
> to be on the server with the database, since we can't find proper
> documentation on how to pass it from the client, even with the
> database management tools, although it is part of Firebird's
> architecture. It seems to be one area that third-party tools and

Look at op_crypt_key_callback.

> And, I'm hoping that I will have the time in the next few weeks to
> create a VSIX installer for DDEX, because the registry entries are not
> staying and I have to add them every time that I need to add EF6 classes
> to represent tables. Once created, it will surely be contributed to
> the project.

Great.

-- 
Mgr. Jiří Činčura
https://www.tabsoverspaces.com/

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Firebird-net-provider mailing list
Firebird-net-provider@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/firebird-net-provider


Re: [Firebird-net-provider] Connecting to encrypted databases

2017-07-12 Thread Daniel Rail
Hi,

At July 12, 2017, 5:44 AM, Jiří Činčura wrote:

>> I think it makes more sense on the connection string. It already contains
>> sensitive info (username,password) and needing to provide connection
>> related info by another method would be counterintuitive.

> Good point.

> In my thinking I saw two problems, slightly different from what password
> does. The key can be binary data and that's difficult to pass in string.
> And the key might be stored on some HSM.

> Not that it would rule out connection string completely, it just makes
> it fit less, IMO.


Binary data should be able to be represented with hexadecimal. And,
don't forget that whatever is chosen has to be easily implemented when
using Entity Framework.

We are looking at implementing our own encryption plugin, but still
undecided how the key will be passed, since our application uses a mix
of Delphi(IBDAC) and C#(EF6). Our initial thought is that it will have
to be on the server with the database, since we can't find proper
documentation on how to pass it from the client, even with the
database management tools, although it is part of Firebird's
architecture. It seems to be one area that third-party tools and
components haven't taken much time implementing, maybe because
there is no disk encryption plugin provided out-of-the-box with
Firebird, and not enough user interest.

Having said that, keep up the excellent work Jiri.

And, I'm hoping that I will have the time in the next few weeks to
create a VSIX installer for DDEX, because the registry entries are not
staying and I have to add them every time that I need to add EF6 classes
to represent tables. Once created, it will surely be contributed to
the project.

-- 
Best regards,
 Daniel Rail
 Senior Software Developer
 ACCRA Solutions Inc. (www.accra.ca)
 ACCRA Med Software Inc. (www.filopto.com)
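
The two options weighed in this thread, a hex-encoded key in the connection string versus a callback that supplies the key, sketched as an added example; it is not code from the messages or from the Firebird .NET provider. The option name `EncryptionKey` and the helpers `WithHexKey`, `ReadHexKey` and `ResolveKey` are hypothetical, the generic `System.Data.Common.DbConnectionStringBuilder` stands in for the provider's builder, and `Convert.ToHexString`/`Convert.FromHexString` assume .NET 5 or later.

```csharp
using System;
using System.Data.Common;
using System.Linq;

static class KeyPassingSketch
{
    // Hypothetical option name; the thread only floats "EncryptionKey" as an idea.
    const string KeyOption = "EncryptionKey";

    // Option 1: carry the binary key in the connection string as hexadecimal.
    static string WithHexKey(string connectionString, byte[] key)
    {
        var builder = new DbConnectionStringBuilder { ConnectionString = connectionString };
        builder[KeyOption] = Convert.ToHexString(key);
        return builder.ConnectionString;
    }

    static byte[] ReadHexKey(string connectionString)
    {
        var builder = new DbConnectionStringBuilder { ConnectionString = connectionString };
        if (!builder.TryGetValue(KeyOption, out var value) || !(value is string hex) || hex.Length == 0)
            throw new ArgumentException(KeyOption + " is missing or empty.");
        return Convert.FromHexString(hex); // FormatException on odd length or non-hex digits
    }

    // Option 2: a callback supplies the key on demand (for example from an HSM client),
    // so the key never becomes part of the connection string.
    static byte[] ResolveKey(string connectionString, Func<byte[]> keyCallback)
    {
        return keyCallback != null ? keyCallback() : ReadHexKey(connectionString);
    }

    static void Main()
    {
        // Constructed sample values: the key contains NUL, ';', '=' and 0xFF, none of which
        // would survive being pasted into a connection string as raw characters.
        byte[] key = { 0x00, 0x3B, 0x3D, 0xFF, 0x10 };
        string plain = "database=localhost:sample.fdb;user=SYSDBA;password=constructed";

        string withKey = WithHexKey(plain, key);
        Console.WriteLine(withKey); // the hex key is now visible to anything that logs this string
        Console.WriteLine(ReadHexKey(withKey).SequenceEqual(key));          // hex round trip
        Console.WriteLine(ResolveKey(plain, () => key).SequenceEqual(key)); // callback path
        try { ReadHexKey(plain + ";" + KeyOption + "=ABC"); }
        catch (FormatException) { Console.WriteLine("malformed hex key rejected"); }
    }
}
```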




Re: [Firebird-net-provider] Connecting to encrypted databases

2017-07-12 Thread Jiří Činčura
> Which would not be true anymore, except if you add EncryptionKey to
> connection string parsing anyway.

Of course I would. The builder and connection string options are in
sync.

-- 
Mgr. Jiří Činčura
https://www.tabsoverspaces.com/



Re: [Firebird-net-provider] Connecting to encrypted databases

2017-07-12 Thread Gerdus van Zyl
Not exactly sure what you mean with right away. The reason to not use the
existing ConnectionStringBuilder is that it is implicit that it can be
converted to a string.
Which would not be true anymore, except if you add EncryptionKey to
connection string parsing anyway.

On 12 July 2017 at 13:51, Jiří Činčura wrote:

> > What about a callback on Connection that returns a Connection Info
> > (ConnectionStringBuilder-like) object.
> > Could also add a connection constructor overload that accepts a
> > Connection
> > Info object.
> > Can then provide all connection data in one place with convenience of not
> > converting from/to a string.
>
> Then the ConnectionStringBuilder can be used right away, no?
>
> --
> Mgr. Jiří Činčura
> https://www.tabsoverspaces.com/
>


Re: [Firebird-net-provider] Connecting to encrypted databases

2017-07-12 Thread Jiří Činčura
> What about a callback on Connection that returns a Connection Info
> (ConnectionStringBuilder-like) object.
> Could also add a connection constructor overload that accepts a
> Connection
> Info object.
> Can then provide all connection data in one place with convenience of not
> converting from/to a string.

Then the ConnectionStringBuilder can be used right away, no?

-- 
Mgr. Jiří Činčura
https://www.tabsoverspaces.com/



Re: [Firebird-net-provider] Connecting to encrypted databases

2017-07-12 Thread Gerdus van Zyl
What about a callback on Connection that returns a Connection Info
(ConnectionStringBuilder-like) object.
Could also add a connection constructor overload that accepts a Connection
Info object.
Can then provide all connection data in one place with convenience of not
converting from/to a string.


On 12 July 2017 at 10:44, Jiří Činčura wrote:

> > I think it makes more sense on the connection string. It already contains
> > sensitive info (username,password) and needing to provide connection
> > related info by another method would be counterintuitive.
>
> Good point.
>
> In my thinking I saw two problems, slightly different from what password
> does. The key can be binary data and that's difficult to pass in string.
> And the key might be stored on some HSM.
>
> Not that it would rule out connection string completely, it just makes
> it fit less, IMO.
>
> --
> Mgr. Jiří Činčura
> https://www.tabsoverspaces.com/
>


Re: [Firebird-net-provider] Connecting to encrypted databases

2017-07-12 Thread Gerdus van Zyl
I think it makes more sense on the connection string. It already contains
sensitive info (username,password) and needing to provide connection
related info by another method would be counterintuitive.


On 12 July 2017 at 08:55, Jiří Činčura wrote:

> Hi *,
>
> thanks to IBPhoenix I have a plugin
> (http://www.ibphoenix.com/products/software/encryptionplugin) to create
> encrypted database and I have a working prototype for passing the key.
> Now the question of the day. :)
>
> How to pass the key? The two obvious options are in connection string
> and callback on i.e. FbConnection. The callback seems to be an obvious
> choice, because it's most versatile. But I'd like to hear some other
> opinions as well.
>
> --
> Mgr. Jiří Činčura
> https://www.tabsoverspaces.com/
>