Hi Eric, > I would expect a way to encrypt some critical data at database level > (password, accounting information, salaries). > I am not sure here but I have the feeling that encryption/decryption > though should only be possible through a certificate/key at > browser/client level to protect the key from the administrator.
I was playing with this a while ago, you can find my code here: https://code.launchpad.net/~hbrunn/+junk/encrypted_fields This works with 6.1, but it should be quite simple to port to 7.0. Another addon on my list of addons that just need some polishing to be published when time permits. If anybody else is willing to do that, please! What does it do? Users are assigned a private/public RSA keypair. When you set up encryption for a (by now text-)field, a symmetric AES key is created whose passphrase is encrypted with the public keys of all users who are supposed to be able to read and write the field. That's roughly what GPG does for mails with multiple recipients. Caveats: - only one group of users can have the keys for one field - new users can't view the field even if being member of the right group. A member of that group will have to approve access (= decrypting the passphrase with the old members private key, encrypt it with the new member's public key, write it in the list of encrypted keys) - this approach doesn't really work for char or int fields, there some kind of XORing with an encrypted random string should be used I guess. - no searching through encrypted fields Decryption is done on the server side. In my POV, doing it on the client side doesn't really add securitywise, as you still have to trust the code you run. Nobody is going to check if the admin didn't fiddle with the js code to have the passphrases logged or anything like that. Or is there a way of letting the browser do that where the JS code never sees the keys involved? I'm very interested in the community's comments about this, up to now i thought I was nearly alone with thinking it would be a good thing to have that. Regards, Holger -- Therp - Maatwerk in open ontwikkeling Holger Brunn - Ontwerp en implementatie mail: hol...@therp.nl web: http://therp.nl
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ Mailing list: https://launchpad.net/~openerp-community Post to : openerp-community@lists.launchpad.net Unsubscribe : https://launchpad.net/~openerp-community More help : https://help.launchpad.net/ListHelp