derby encryption

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

derby encryption

Paul Byford
hi,
i intend to deploy derby in embedded form as part of an application. to protect the data i would like to use the disk encryption feature.
 
the issue i have is that for my application to have access to the encrypted database data I must also deploy the bootPassword with the application in among one of my application java classes. i am concerned someone with access to the java classes will have access to the password, and if theydesire they can therefore access the encrypted database.
 
my requirement is that the data is only made available if the bootPassword is provided by my application.
 
is this possible in derby at present? the documentation does not explicitly cover this.
 
thank you
 
paul
Reply | Threaded
Open this post in threaded view
|

Re: derby encryption

Sunitha Kambhampati
Paul Byford wrote:

> hi,
> i intend to deploy derby in embedded form as part of an application.
> to protect the data i would like to use the disk encryption feature.
>  
> the issue i have is that for my application to have access to the
> encrypted database data I must also deploy the bootPassword with the
> application in among one of my application java classes.

Maybe I am not understanding this correctly, but is it possible to not
store the bootPassword in your app java classes but let the application
provide it at runtime. and use it when connecting to database ?

> i am concerned someone with access to the java classes will have
> access to the password, and if theydesire they can therefore access
> the encrypted database.
>  
> my requirement is that the data is only made available if the
> bootPassword is provided by my application.
>   <>is this possible in derby at present? the documentation does not
> explicitly cover this.

 Derby supports data encryption.

so once you have created an encrypted database, you must supply the boot
password to reboot it. Once the database is booted, all connections can
access the database without the boot password. Only a connection that
boots the database requires the key.  Also note - The boot password is
not meant to prevent unauthorized connections to the database once it
has been booted. To protect a database once it has been booted, turn on
user authentication

This link to the manual gives some details on encrypting data using
Derby  
http://incubator.apache.org/derby/manuals/develop/develop115.html#Working+with+Encryption

Also on the Derby website ( papers tab), there is a presentation by Dan
Debrunner about securing data with derby that might be helpful -  
http://incubator.apache.org/derby/binaries/djd_derby_security.pdf

Please feel free to post to the list if you have more questions.

Sunitha.
Reply | Threaded
Open this post in threaded view
|

Re: derby encryption

mikem_app
In reply to this post by Paul Byford
I don't totally understand your requirement.

Your application can be built to require the user to provide some
sort of authentication which can then be used to boot the database.
Straight forward would be to require the client to provide the boot
password, and then have the java classes dynamically build the
connection url to pass the boot password.  Any number of schemes could
be used to somehow encrypt the
boot password based on whatever authentication scheme your application
is using.

Sorry if this is not what you are looking for, I am likely missing
something obvious here.

Paul Byford wrote:

> hi,
> i intend to deploy derby in embedded form as part of an application. to
> protect the data i would like to use the disk encryption feature.
>  
> the issue i have is that for my application to have access to the
> encrypted database data I must also deploy the bootPassword with the
> application in among one of my application java classes. i am concerned
> someone with access to the java classes will have access to the
> password, and if theydesire they can therefore access the encrypted
> database.
>  
> my requirement is that the data is only made available if the
> bootPassword is provided by my application.
>  
> is this possible in derby at present? the documentation does not
> explicitly cover this.
>  
> thank you
>  
> paul