On Thu, 21 Apr 2005, Winterlight wrote:
Anybody who has physical access to the computer has access to the key. How to I compile and encrypt this so it can not be de-compiled and hacked?
That is the kicker. Physical access. The only way to be absolutely sure that no one will have a copy of your key is to not keep a copy of it anywhere. You can encrypt the key all you want, if the decryption key is anywhere on the computer, you can't be sure that no one can read it.
You are wondering why I don't just copy the blowfish image files as a backup. Because In order to access them, after the computer burned up in fire, or was stolen, or whatever, I would have to install the encryption program in another computer, and mount the drives, and then cross my fingers that there are no glitches or anomalies.
As with *ANY* backup procedure, during the implementation phase there should be a full restore function run. make sure you backup is working, and you know how to work it. Try just what you said, copy that encrypted image file to another machine and see if you can get it to read.
A zip file is a universal compression format, and Winzip has been around forever, and works on any version of windows. All I have to do is protect the key with the rest of my keys, and passwords, and restore the zip file on any windows box. I like to keep my backups simple, as well as secure. I have had too many failures, over the years with 3rd party backup programs. Unless you are testing them all the time you can never be sure that they will work the day you need them.
Security is a difficult thing to get right, and at some point you need to make concessions to ease of use. If you want to be absolutely sure no one can get the key, you need to remove the key from the system, which means during each bootup or when accessing the files you need to put the key in. Not very seamless. The other extreme is having the key in a batch file.
As for what you can do to encrypt the batch file, I'm not sure. For php code there is a program called phpscrew. Maybe something similar is what you are looking for?
so any thoughts on how I can protect the key in this batch file?
If you find a 100% secure method you will be way ahead of the game. DRM implemented at the hardware level? =)
Christopher Fisk -- BOFH Excuse #120: we just switched to FDDI.
