1 Vote

ISAM Encryption


Much like the SQL CE databases that we use for certain offline storage of data, I think it would be ideal if an individual ISAM file could be encrypted in a similar fashion. SQL CE databases can be configured with 256 bit encryption using an applied password as its key for access. This provides a simple and elegant method for encrypting the ENTIRE database file. I would like to see a feature like that in Synergy/DE DBMS where the ISAM file, as a whole, can be encrypted with 256 bit encryption with a password. Plus have that same support flow through to fconvert, ISLOAD, ISUTL, etc.

I feel that the encryption API in Synergy/DE DBL is an OK step towards securing the data, but it requires such a large commitment of time and resources to implement, even when isolating only PII field information. Whereas if we were able to encrypt the entire ISAM file while modifying minimal code to access the data, and not have to worry about expanding the ISAM file records or anything to do with the internal data itself, I think that would go a long way to providing a more comprehensive and simple solution to DBL developers. Keeping it simple is always my preference, and the method that SQL CE employs for encrypting the SDF database files seems like a simple and elegant solution.
 

2 Comments | Posted by Thomas Scaff to Synergy DBL, Synergy DBMS, xfServer, xfServerPlus on 5/30/2019, 1:19 PM
Kish Baley
Have you considered xfServer encryption? The Installation Configuration Guide contains the following:

Set the network encryption flag on specific files. You can do this with the
NETWORK_ENCRYPT option to the ISAMC routine or with the -qfile=network_encrypt
option to the patch command (-p) in the isutl utility.

The advantage to using the network encryption flag is that it ensures that any client that
accesses that file must use encryption. If you have a file with sensitive data, it is more efficient,
as well as more secure, to set the network encryption flag, than have to add the /encrypt option
to every OPEN statement that opens the file.

6/3/2019, 12:58 PM   0  
Thomas Scaff
Thanks for the comment. We currently do not route I/O through xfServer. All I/O is direct file I/O via routines written for xfServerPlus. We chose that route due to performance. But what I hear you saying is if we DID route our I/O through xfServer, and with the NETWORK_ENCRYPT option turned on, you are saying that encryption would be automatic? Not sure I understand the "must use encryption" statement. We want the on disk data to be encrypted and still be accessible via all other standard applications, report programs, etc. I am assuming that ALL programs would have to route through xfServer for the data to be encrypted and decrypted, correct? Are we still required to expand the ISAM files to accommodate the on disk encrypted data? Based on the documentation, I am not seeing exactly how this works and what challenges we would have with the encrypted data in the ISAM files themselves.

Documentation states "The xfServer encryption feature enables you to encrypt the transfer of sensitive data across a network. xfServer interfaces with a third-party library, OpenSSL, to provide SSL support for secure data transport between client and server."...this does not sound like on disk encrypted data storage to me, it sounds like transmission encryption.

6/6/2019, 10:35 PM   0  