On 04/26/18 15:09, Mark Rotteveel wrote:
On 26-4-2018 13:45, Alex Peshkoff via Firebird-devel wrote:
On 04/26/18 14:11, Mark Rotteveel wrote:
On 26-4-2018 12:28, Alex Peshkoff via Firebird-devel wrote:
You understood me wrong - database encryption callback is supported in services connections. _UTILITY_ gstat supports only -h and -e switches. It is not related with protocol but has some relation with services manager - this utility is one of services. Other services (gbak, gfix) do work with encrypted databases.
How? There is no callback during service attach, because at that point the service manager doesn't know which database to use so it can't do a callback.

Wrong assumption - no need to know which DB to use to do a callback.

Please explain, where is my assumption going wrong?

Encryption keys can be (or IMO should be) database specific

yes

, so the callback will need to have database-specific information

not necessarily
information about which database the client is going to work with may be known to that client

For example, the configuration I use for KeyHolderPlugin is in the databases.conf, which means that the database must be known to be able to know which plugin to select and do the callback to the client.

Yes, here is a restriction. For services to work, KeyHolderPlugin should be given in firebird.conf. Also there is the isc_spb_expected_db parameter in SPB-attach. It may be used to load a particular entry from databases.conf, but I must check whether it is done currently or not.


So, given the database must be known to determine the actual database encryption plugin, and that database is only passed after service attach in a service request buffer to a op_service_start, then the callback cannot be performed during service attach (and my tests show that no such callback is done during attach).

What tests? I have (for debugging purposes) modified fbsvcmgr and it does pass a key to the server.

To me, that means that there must be some other mechanism to be able to do that. What is that mechanism?

Callback almost same as done for database attach, nothing more.

Or does no such mechanism exist? I'm rather confused, because your past two replies seem to contradict each other (gstat through services doesn't support it(*) which seems to indicate that callback through services is not supported vs gbak and gfix through services do support it).

Mark, why "gstat _through services_ doesn't support it"? Gstat does not support it _at all_! No matter using services or not. I can't explain better...


In short, how and when do I get a database encryption callback for gbak or gfix equivalents through the service manager so they work for encrypted databases?

*: The examples of gstat -h and gstat -e don't need to decrypt the database, so absence of the callback is not a problem for those calls.


Forget about gstat, try with gbak service....


Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel