Hi Doug

There are a few things to bear in mind. Up front is to remember that encryption means that. So make sure you back up your encryption key repository every time you make a change to the encryption keys and permissions used. Also remember that if you back up encrypted data for the future, then make sure you take a backup of the key repository at the same time, and keep a note of your MASTER KEY as then set in case you need it later.

And of course, everyone WILL change the MASTER KEY from the default on installation, won't you? And KEEP A RECORD IN TWO SAFES (one onsite, one offsite).

__________________

With that said you have a choice: BASIC or ADVANCED.

BASIC mode is just my name for deploying Data Encryption in a specific way, where you don't have to change *any* application code. And BASICally (ahem) you create the encryption keys you use without passwords and grant use to PUBLIC. In this way, any user accessing an application automatically has their keys (and the resulting encryption & decryption of data) activated without you needing to change anything at all. What does this protect? Well, the data on the media (disk or tape) is protected in case the media goes offsite.

__________________

Then there's what I would call ADVANCED. This is really all the bells and whistles of Data Encryption including (specifically) assigning specific passwords to keys and assigning use of specific keys to named users. If you do this then something, somewhere needs to positively activate keys which have passwords on a per-user, per-session basis. You can either ask a user to enter the keys at TCL, prompt for the keys and/or passwords in a program and activate them, or "package" all key activation inside an application behind a separate application-level "user login". Of course, someone may get a key activation incorrect (wrong password), or a file may be newly encrypted and an individual user may not have access granted, or may not activate the right keys. If you use the ADVANCED mode then you need to modify application code to activate keys with the right passwords, and deal with the consequences (elegantly, hopefully) if a key is not activated correctly.

__________________

Hope this helps. There's a lot going on with Data Encryption and there are more enhancements in the pipeline (watch this space).

There is middle ground between BASIC and ENHANCED, and you can run some accounts in BASIC and others in ADVANCED. The bottom line though is that if you deploy in BASIC mode across the whole system you don't have to change any application code. If you tighten up the security to ADVANCED mode then you will almost certainly have to make application code changes.

Regards
JayJay

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Doug Chanco
Sent: 20 March 2008 19:28
To: [email protected]
Subject: [U2] universe data encryption

Hey,

We are just starting to look at using UniVerse's data encryption and I was wondering if anyone had any experiences, gotchas, etc. that they would be willing to share? How good/bad was it (for you) and in what ways are you implementing this? Also, anyone using it for PCI compliancy?

Thanks all!

dougc

-------
u2-users mailing list
[email protected]
To unsubscribe please visit http://listserver.u2ug.org/
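As an added illustration of the ADVANCED mode JayJay describes (this is not code from the original post or from the U2 product), here is a sketch of an application-side "user login" routine that activates password-protected keys once per session and fails cleanly when a key cannot be activated. The ACTIVATE.ENCRYPTION.KEY command syntax, the failure check on the captured output, and the key names are assumptions, not verified against a UniVerse release.

```basic
* Added example, not from the original post: session-level key activation
* for the ADVANCED deployment mode. Command syntax and the error check are
* assumed; CUST.KEY and CARD.KEY are constructed placeholder key names.
SUBROUTINE ACTIVATE.SESSION.KEYS(OK, ERRMSG)
    OK = @FALSE
    ERRMSG = ""
    * Keys this application needs. In a real deployment read these from a
    * configuration record rather than hard-coding them.
    KEYLIST = "CUST.KEY":@AM:"CARD.KEY"
    FOR I = 1 TO DCOUNT(KEYLIST, @AM)
        KEYID = KEYLIST<I>
        * Prompt without echo so the password is not shown on screen
        ECHO OFF
        PRINT "Password for key ":KEYID:": ":
        INPUT PASSWD
        ECHO ON
        CMD = "ACTIVATE.ENCRYPTION.KEY ":KEYID:" PASSWORD ":PASSWD
        EXECUTE CMD CAPTURING OUT RETURNING RET
        PASSWD = ""   ;* drop the password as soon as it has been used
        * Assumed: a wrong password, or a key not granted to this user,
        * is reported through the returned error list or the captured text
        IF (RET # "" AND RET # 0) OR INDEX(OUT, "Error", 1) THEN
            ERRMSG = "Could not activate key ":KEYID:": ":OUT
            RETURN
        END
    NEXT I
    OK = @TRUE
    RETURN
END
```

The calling program checks OK before opening any encrypted file, so a user with a wrong password or no grant on a newly encrypted file gets a clear message instead of a read failure deep inside the application.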
