On 26-4-2018 13:45, Alex Peshkoff via Firebird-devel wrote:
> On 04/26/18 14:11, Mark Rotteveel wrote:
>> On 26-4-2018 12:28, Alex Peshkoff via Firebird-devel wrote:
>>> You understood me wrong - database encryption callback is supported
>>> in services connections. _UTILITY_ gstat supports only -h and -e
>>> switches. It is not related with protocol but has some relation with
>>> services manager - this utility is one of services. Other services
>>> (gbak, gfix) do work with encrypted databases.
>>
>> How? There is no callback during service attach, because at that point
>> the service manager doesn't know which database to use so it can't do
>> a callback.
>
> Wrong assumption - no need to know which DB to use to do a callback.

Please explain, where is my assumption going wrong?

Encryption keys can be (or IMO should be) database specific, so the
callback will need to have database-specific information. For example,
the configuration I use for KeyHolderPlugin is in the databases.conf,
which means that the database must be known to be able to know which
plugin to select and do the callback to the client.

So, given the database must be known to determine the actual database
encryption plugin, and that database is only passed after service attach
in a service request buffer to an op_service_start, then the callback
cannot be performed during service attach (and my tests show that no
such callback is done during attach). To me, that means that there must
be some other mechanism to be able to do that. What is that mechanism?
Or does no such mechanism exist? I'm rather confused, because your past
two replies seem to contradict each other (gstat through services
doesn't support it(*) which seems to indicate that callback through
services is not supported vs gbak and gfix through services do support it).

In short, how and when do I get a database encryption callback for gbak
or gfix equivalents through the service manager so they work for
encrypted databases?

*: The examples of gstat -h and gstat -e don't need to decrypt the
database, so absence of the callback is not a problem for those calls.

Mark
--
Mark Rotteveel
------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at
https://lists.sourceforge.net/lists/listinfo/firebird-devel