tags:

views:

32

answers:

2
+2  Q: 

database encryption questions

We are using Sybase SQL Anywhere 11. We need to encrypt some of our tables in our database. I followed the instruction and did it. We selected the "strong" option with encryptionKey and AES256_FIPS algorithm. But there are something I am not clear about them.

  1. It will require encryptonKey when we create the database, remove the database and start the database server but it will NOT require encryptionKey when we stop the database server and connect to the server to create tables and add data. Why there is NO encryptionKey asked when we connect to it or try to stop the server? I am doing something wrong?

  2. don't know how to test the encryption? I still can see all plain text in the encrypted tables when I use Sybase Central tool. If somebody knows the database user name and password, he/she can connect to the database and read the content without the encryptionKey. is this right?

+1  A: 

I can't speak specifically to Sybase's system, but database encryption in general is designed to encrypt at the file system level to prevent backdoor access to the database's data (i.e. reading the binary file and parsing it yourself rather than going through the RDBMS), not to prevent access or obfuscate data through the standard database interface (it's expected that you'll use your RDBMS's security mechanisms to do this).

Adam Robinson  2010-06-09 15:48:36
A: 

Most likely the SQL Anywhere tool captures the encryption key when you first enter it (i.e. at server startup) and then stores it in memory to decrypt for other operations. As @Adam Robinson said, the data needs to be encrypted in the filesystem or there's a back door by taking the "analog solution" and just parsing the raw file, which is a nice segue to your second question...

If you want to test the encryption, try locating and opening the file outside of the Sybase tools and see if you can spot any identifiable data. I would start with a simple text search for a string (create a cell with a unique string you can search for) and make sure its not there in the encrypted file. To verify, you could also parse a non-encrypted version of the database and make sure that you can find the string there.

Greg Harman  2010-06-09 15:55:43

related questions

What language do you use for Postgresql triggers and stored procedures?
Are Multiple DataContext classes ever appropriate?
Which tools do people use to create Data Dictionaries?
Any experiences with Protocol Buffers?
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
How do I index a database field
How does database indexing work?
How do I connect to a database and loop over a recordset in C#?
Editing database records by multiple users
Object Oriented vs Relational Databases
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
Embedded Database for .net that can run off a network
Connect PHP to an AS/400
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
.NET Migrations Engine
Is there a version control system for database structure changes?
SQLite and XSD
How do I version my MS SQL database in SVN?
XSD DataSets and ignoring foreign keys
Flat File Databases in PHP
Throw Error In MySQL Trigger
Binary Data in MySQL