Difference between revisions of "Securing Your Data"
Yvonnemilne (Talk | contribs) (→DES3 Encrypting Your Data) |
Yvonnemilne (Talk | contribs) (→DES3 Encrypting Your Data) |
||
Line 3: | Line 3: | ||
===Controlling Access to Data=== | ===Controlling Access to Data=== | ||
===DES3 Encrypting Your Data=== | ===DES3 Encrypting Your Data=== | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | the ability to encrypt the data held in | ||
+ | Recital database tables. Once a database table has been encrypted, | ||
+ | the data cannot be accessed unless the correct three-part encryption | ||
+ | key is specified, providing additional security for sensitive data. | ||
+ | |||
* [[ENCRYPT|encrypt]] | * [[ENCRYPT|encrypt]] | ||
− | * | + | The ENCRYPT command is used to encrypt the data |
+ | in the specified table or tables matching a skeleton. If the skeleton | ||
+ | syntax is used, then all matching tables will be given the same | ||
+ | encryption key. The encryption key is a three part comma-separated | ||
+ | key and may optionally be enclosed in angled brackets. Each part | ||
+ | of the key can be a maximum of 8 characters. The key is DES3 encrypted | ||
+ | and stored in a .dkf file with the same basename as the table. After | ||
+ | encryption, the three parts of the key must be specified correctly | ||
+ | before the table can be accessed. | ||
+ | |||
+ | <code lang="recital"> | ||
+ | // Encrypt individual tables | ||
+ | encrypt customers key "key_1,key_2,key_3" | ||
+ | encrypt employees key "<key_1,key_2,key_3>" | ||
+ | |||
+ | // Encrypt all .dbf files in the directory | ||
+ | encrypt *.dbf key "key_1,key_2,key_3" | ||
+ | </code> | ||
+ | |||
* [[SET ENCRYPTION|set encryption]] | * [[SET ENCRYPTION|set encryption]] | ||
+ | If a database table is encrypted, the correct three-part encryption | ||
+ | key must be specified before the table's data or structure can be | ||
+ | accessed. The SET ENCRYPTION TO set command can be used to specify | ||
+ | a default encryption key to be used whenever an encrypted table | ||
+ | is accessed without the key being specified. The encryption key | ||
+ | is a three part comma-separated key. | ||
+ | |||
+ | If the command to access the table includes the key, either by | ||
+ | appending it to the table filename specification or using an explicit | ||
+ | clause, this will take precedence over the key defined by SET ENCRYPTION | ||
+ | TO. | ||
+ | Issuing SET ENCRYPTION TO without a key causes any previous setting | ||
+ | to be cleared. The key must then be specified for each individual | ||
+ | encrypted table. | ||
+ | The default key defined by SET ENCRYPTION is only active when SET | ||
+ | ENCRYPTION is ON. SET ENCRYPTION OFF can be used to temporarily | ||
+ | disable the default key. The SET ENCRYPTION ON | OFF setting does | ||
+ | not change the default key itself. SET ENCRYPTION is ON by default. | ||
+ | |||
+ | <code lang="recital"> | ||
+ | // Encrypt individual tables | ||
+ | encrypt customers key "key_1,key_2,key_3"; | ||
+ | encrypt shippers key "key_2,key_3,key_4" | ||
+ | // Specify a default encryption key | ||
+ | set encryption to "key_1,key_2,key_3" | ||
+ | // Open customers table using the default encryption key | ||
+ | |||
+ | use customers | ||
+ | // Specify shippers table's encryption key | ||
+ | use shippers<key_2,key_3,key_4> | ||
+ | // Disable the default encryption key | ||
+ | set encryption to | ||
+ | // Specify the individual encryption keys | ||
+ | use customers encryption "key_1,key_2,key_3" | ||
+ | use shippers<key_2,key_3,key_4> | ||
+ | </code> | ||
+ | |||
+ | * [[DECRYPT|decrypt]] | ||
+ | The DECRYPT command is used to decrypt the data in the specified | ||
+ | table or tables matching a skeleton. The specified key must contain | ||
+ | the three part comma-separated key used to previously encrypt the | ||
+ | table and may optionally be enclosed in angled brackets. The skeleton | ||
+ | syntax can only be used if all tables matching the skeletonhave | ||
+ | the same key. | ||
+ | The DECRYPT command decrypts the data and removes the table's .dkf | ||
+ | file. After decryption, the key need no longer be specified to | ||
+ | gain access to the table. | ||
+ | |||
+ | <code lang="recital"> | ||
+ | // Decrypt individual tables | ||
+ | decrypt customers key "key_1,key_2,key_3" | ||
+ | decrypt employees key "<key_1,key_2,key_3>" | ||
+ | |||
+ | // Decrypt all .dbf files in the directory | ||
+ | decrypt *.dbf key "key_1,key_2,key_3" | ||
+ | </code> | ||
+ | |||
+ | All of the following commands are affected when a table is encrypted: | ||
+ | * [[APPEND FROM|append from]] | ||
+ | * [[COPY FILE|copy file]] | ||
+ | * [[COPY STRUCTURE|copy structure]] | ||
+ | * [[COPY|copy]] | ||
+ | * [[DIR|dir]] | ||
+ | * [[USE|use]] | ||
+ | * [[SQL INSERT|SQL insert]] | ||
+ | * [[SQL SELECT|SQL select]] | ||
+ | * [[SQL UPDATE|SQL update]] | ||
+ | |||
+ | APPEND FROM | ||
+ | Used to append records to the active table from another table. | ||
+ | |||
+ | <code lang="recital"> | ||
+ | // The key must be specified for an encrypted source table | ||
+ | use mycustomers | ||
+ | append from customers encryption "key_1,key_2,key_3"; | ||
+ | for country = "UK" | ||
+ | </code> | ||
+ | |||
+ | COPY FILE | ||
+ | Used to copy a file. | ||
+ | |||
+ | <code lang="recital"> | ||
+ | // The key file must also be copied for an encrypted source table | ||
+ | // as the target table will be encrypted | ||
+ | encrypt customers key "key_1,key_2,key_3" | ||
+ | copy file customers.dbf to newcustomers.dbf | ||
+ | copy file customers.dkf to newcustomers.dkf | ||
+ | use newcustomers encryption "key_1,key_2,key_3" | ||
+ | </code> | ||
+ | |||
+ | COPY STRUCTURE | ||
+ | Used to copy a table's structure to a new table. | ||
+ | |||
+ | <code lang="recital"> | ||
+ | // The key file is automatically copied for an encrypted source table | ||
+ | // and the target table encrypted | ||
+ | encrypt customers key "key_1,key_2,key_3" | ||
+ | use customers encryption "key_1,key_2,key_3" | ||
+ | copy structure to blankcust | ||
+ | use blankcust encryption "key_1,key_2,key_3" | ||
+ | </code> | ||
+ | |||
+ | COPY | ||
+ | Used to copy a table. | ||
+ | |||
+ | <code lang="recital"> | ||
+ | // By default, the key file is automatically copied for an encrypted | ||
+ | // source table and the target table encrypted with the same key | ||
+ | encrypt customers key "key_1,key_2,key_3" | ||
+ | |||
+ | use customers encryption "key_1,key_2,key_3" | ||
+ | copy to newcustomers | ||
+ | use newcustomers encryption "key_1,key_2,key_3" | ||
+ | |||
+ | // You can also create a copy with a different key | ||
+ | encrypt customers key "key_1,key_2,key_3" | ||
+ | use customers encryption "key_1,key_2,key_3" | ||
+ | copy to newcustomers encrypt "newkey_1,newkey_2,newkey_3" | ||
+ | |||
+ | use newcustomers encryption "newkey_1,newkey_2,newkey_3" | ||
+ | |||
+ | // Or create a decrypted copy | ||
+ | encrypt customers key "key_1,key_2,key_3"; | ||
+ | use customers encryption "key_1,key_2,key_3" | ||
+ | copy to newcustomers decrypt | ||
+ | use newcustomers | ||
+ | |||
+ | // You can also create an encrypted copy of a non-encrypted source table | ||
+ | use orders | ||
+ | copy to encorders encrypt "newkey_1,newkey_2,newkey_3" | ||
+ | use encorders encryption "newkey_1,newkey_2,newkey_3" | ||
+ | </code> | ||
+ | |||
+ | DIR | ||
+ | Used to display a directory listing of tables. | ||
+ | |||
+ | <code lang="recital"> | ||
+ | // Encrypted tables are flagged as such with (DES3) | ||
+ | open database southwind | ||
+ | dir | ||
+ | </code> | ||
+ | |||
+ | <pre> | ||
+ | Current database: southwind | ||
+ | Tables # Records Last Update Size Dictionary Triggers Security | ||
+ | categories.dbf 8 01/10/06 24576 None None None | ||
+ | cisamdemo.dbf ---> CISAM/Bridge [cisamdemo] | ||
+ | customers.dbf (DES3) 91 05/12/04 49600 None None None | ||
+ | employees.dbf 9 05/12/04 25520 None None None | ||
+ | example.dbf (DES3) 100 12/24/05 38080 Yes Yes None | ||
+ | order_details.dbf 2155 05/12/04 296320 None None None | ||
+ | orders.dbf 829 05/12/04 232704 None None None | ||
+ | products.dbf 77 05/12/04 37112 None None None | ||
+ | productsbyname.dbf 77 05/12/04 29104 None None None | ||
+ | shippers.dbf (DES3) 3 05/12/04 20864 None None None | ||
+ | suppliers.dbf 29 12/08/05 29992 Yes None None | ||
+ | |||
+ | 0.765 MB in 11 files. | ||
+ | 1.093 GB remaining on drive. | ||
+ | </pre> | ||
+ | |||
+ | USE | ||
+ | Used to open a table. | ||
+ | |||
+ | <code lang="recital"> | ||
+ | // The three part key must be specified to open an | ||
+ | // encrypted table. All of the following are valid. | ||
+ | // 1. Specifying a default encryption key before opening the table | ||
+ | set encryption to "key_1,key_2,key_3" | ||
+ | use customers | ||
+ | // 2. Appending the key to the filename | ||
+ | use customers<key_1,key_2,key_3> | ||
+ | // 3. Using the ENCRYPTION clause, optionally specifying angled brackets | ||
+ | use customers encryption "key_1,key_2,key_3" | ||
+ | use customers encryption "<key_1,key_2,key_3>" | ||
+ | </code> | ||
+ | |||
+ | SQL INSERT | ||
+ | Used to add a row to a table via SQL. | ||
+ | |||
+ | <code lang="recital"> | ||
+ | // The three part key can be specified using a | ||
+ | // default encryption key before opening the table | ||
+ | exec sql | ||
+ | OPEN DATABASE southwind; | ||
+ | exec sql | ||
+ | SET ENCRYPTION TO "key_1,key_2,key_3" | ||
+ | exec sql | ||
+ | INSERT INTO customers | ||
+ | (customerid, companyname) | ||
+ | VALUES | ||
+ | ('RECIT','Recital Corporation'); | ||
+ | |||
+ | // Or by appending the key to the filename | ||
+ | |||
+ | exec sql | ||
+ | OPEN DATABASE southwind; | ||
+ | exec sql | ||
+ | INSERT INTO customers<key_1,key_2,key_3> | ||
+ | (customerid, companyname) | ||
+ | VALUES | ||
+ | ('RECIT','Recital Corporation'); | ||
+ | </code> | ||
+ | |||
+ | SQL SELECT | ||
+ | Used to return data from a table via SQL. | ||
+ | |||
+ | <code lang="recital"> | ||
+ | // The three part key can be specified using a | ||
+ | // default encryption key before opening the table | ||
+ | exec sql | ||
+ | OPEN DATABASE southwind; | ||
+ | exec sql | ||
+ | SET ENCRYPTION TO "key_1,key_2,key_3"; | ||
+ | exec sql | ||
+ | SELECT * FROM customers; | ||
+ | // Or by appending the key to the filename | ||
+ | |||
+ | exec sql | ||
+ | OPEN DATABASE southwind; | ||
+ | exec sql | ||
+ | SELECT * FROM customers<key_1,key_2,key_3>; | ||
+ | |||
+ | SQL UPDATE | ||
+ | Used to update data in a table via SQL. | ||
+ | |||
+ | <code lang="recital"> | ||
+ | // The three part key can be specified using a | ||
+ | // default encryption key before opening the table | ||
+ | exec sql | ||
+ | OPEN DATABASE southwind; | ||
+ | exec sql | ||
+ | SET ENCRYPTION TO "key_1,key_2,key_3"; | ||
+ | exec sql | ||
+ | UPDATE customers | ||
+ | SET companyname='Recital Corporation Inc.' | ||
+ | WHERE customerid='RECIT'; | ||
+ | // Or by appending the key to the filename | ||
+ | exec sql | ||
+ | OPEN DATABASE southwind; | ||
+ | exec sql | ||
+ | UPDATE customers<key_1,key_2,key_3> | ||
+ | |||
+ | SET companyname='Recital Corporation Inc.' | ||
+ | WHERE customerid='RECIT'; | ||
+ | |||
+ | </code> |
Revision as of 14:38, 25 January 2010
Contents
Securing Your Data
Protecting Data with Constraints
Controlling Access to Data
DES3 Encrypting Your Data
the ability to encrypt the data held in Recital database tables. Once a database table has been encrypted, the data cannot be accessed unless the correct three-part encryption key is specified, providing additional security for sensitive data.
The ENCRYPT command is used to encrypt the data in the specified table or tables matching a skeleton. If the skeleton syntax is used, then all matching tables will be given the same encryption key. The encryption key is a three part comma-separated key and may optionally be enclosed in angled brackets. Each part of the key can be a maximum of 8 characters. The key is DES3 encrypted and stored in a .dkf file with the same basename as the table. After encryption, the three parts of the key must be specified correctly before the table can be accessed.
// Encrypt individual tables encrypt customers key "key_1,key_2,key_3" encrypt employees key "<key_1,key_2,key_3>" // Encrypt all .dbf files in the directory encrypt *.dbf key "key_1,key_2,key_3"
If a database table is encrypted, the correct three-part encryption key must be specified before the table's data or structure can be accessed. The SET ENCRYPTION TO set command can be used to specify a default encryption key to be used whenever an encrypted table is accessed without the key being specified. The encryption key is a three part comma-separated key.
If the command to access the table includes the key, either by appending it to the table filename specification or using an explicit clause, this will take precedence over the key defined by SET ENCRYPTION TO. Issuing SET ENCRYPTION TO without a key causes any previous setting to be cleared. The key must then be specified for each individual encrypted table. The default key defined by SET ENCRYPTION is only active when SET ENCRYPTION is ON. SET ENCRYPTION OFF can be used to temporarily disable the default key. The SET ENCRYPTION ON | OFF setting does not change the default key itself. SET ENCRYPTION is ON by default.
// Encrypt individual tables encrypt customers key "key_1,key_2,key_3"; encrypt shippers key "key_2,key_3,key_4" // Specify a default encryption key set encryption to "key_1,key_2,key_3" // Open customers table using the default encryption key use customers // Specify shippers table's encryption key use shippers<key_2,key_3,key_4> // Disable the default encryption key set encryption to // Specify the individual encryption keys use customers encryption "key_1,key_2,key_3" use shippers<key_2,key_3,key_4>
The DECRYPT command is used to decrypt the data in the specified table or tables matching a skeleton. The specified key must contain the three part comma-separated key used to previously encrypt the table and may optionally be enclosed in angled brackets. The skeleton syntax can only be used if all tables matching the skeletonhave the same key. The DECRYPT command decrypts the data and removes the table's .dkf file. After decryption, the key need no longer be specified to gain access to the table.
// Decrypt individual tables decrypt customers key "key_1,key_2,key_3" decrypt employees key "<key_1,key_2,key_3>" // Decrypt all .dbf files in the directory decrypt *.dbf key "key_1,key_2,key_3"
All of the following commands are affected when a table is encrypted:
APPEND FROM Used to append records to the active table from another table.
// The key must be specified for an encrypted source table use mycustomers append from customers encryption "key_1,key_2,key_3"; for country = "UK"
COPY FILE Used to copy a file.
// The key file must also be copied for an encrypted source table // as the target table will be encrypted encrypt customers key "key_1,key_2,key_3" copy file customers.dbf to newcustomers.dbf copy file customers.dkf to newcustomers.dkf use newcustomers encryption "key_1,key_2,key_3"
COPY STRUCTURE Used to copy a table's structure to a new table.
// The key file is automatically copied for an encrypted source table // and the target table encrypted encrypt customers key "key_1,key_2,key_3" use customers encryption "key_1,key_2,key_3" copy structure to blankcust use blankcust encryption "key_1,key_2,key_3"
COPY Used to copy a table.
// By default, the key file is automatically copied for an encrypted // source table and the target table encrypted with the same key encrypt customers key "key_1,key_2,key_3" use customers encryption "key_1,key_2,key_3" copy to newcustomers use newcustomers encryption "key_1,key_2,key_3" // You can also create a copy with a different key encrypt customers key "key_1,key_2,key_3" use customers encryption "key_1,key_2,key_3" copy to newcustomers encrypt "newkey_1,newkey_2,newkey_3" use newcustomers encryption "newkey_1,newkey_2,newkey_3" // Or create a decrypted copy encrypt customers key "key_1,key_2,key_3"; use customers encryption "key_1,key_2,key_3" copy to newcustomers decrypt use newcustomers // You can also create an encrypted copy of a non-encrypted source table use orders copy to encorders encrypt "newkey_1,newkey_2,newkey_3" use encorders encryption "newkey_1,newkey_2,newkey_3"
DIR Used to display a directory listing of tables.
// Encrypted tables are flagged as such with (DES3) open database southwind dir
Current database: southwind Tables # Records Last Update Size Dictionary Triggers Security categories.dbf 8 01/10/06 24576 None None None cisamdemo.dbf ---> CISAM/Bridge [cisamdemo] customers.dbf (DES3) 91 05/12/04 49600 None None None employees.dbf 9 05/12/04 25520 None None None example.dbf (DES3) 100 12/24/05 38080 Yes Yes None order_details.dbf 2155 05/12/04 296320 None None None orders.dbf 829 05/12/04 232704 None None None products.dbf 77 05/12/04 37112 None None None productsbyname.dbf 77 05/12/04 29104 None None None shippers.dbf (DES3) 3 05/12/04 20864 None None None suppliers.dbf 29 12/08/05 29992 Yes None None 0.765 MB in 11 files. 1.093 GB remaining on drive.
USE Used to open a table.
// The three part key must be specified to open an // encrypted table. All of the following are valid. // 1. Specifying a default encryption key before opening the table set encryption to "key_1,key_2,key_3" use customers // 2. Appending the key to the filename use customers<key_1,key_2,key_3> // 3. Using the ENCRYPTION clause, optionally specifying angled brackets use customers encryption "key_1,key_2,key_3" use customers encryption "<key_1,key_2,key_3>"
SQL INSERT Used to add a row to a table via SQL.
// The three part key can be specified using a // default encryption key before opening the table exec sql OPEN DATABASE southwind; exec sql SET ENCRYPTION TO "key_1,key_2,key_3" exec sql INSERT INTO customers (customerid, companyname) VALUES ('RECIT','Recital Corporation'); // Or by appending the key to the filename exec sql OPEN DATABASE southwind; exec sql INSERT INTO customers<key_1,key_2,key_3> (customerid, companyname) VALUES ('RECIT','Recital Corporation');
SQL SELECT Used to return data from a table via SQL.
// The three part key can be specified using a // default encryption key before opening the table exec sql OPEN DATABASE southwind; exec sql SET ENCRYPTION TO "key_1,key_2,key_3"; exec sql SELECT * FROM customers; // Or by appending the key to the filename exec sql OPEN DATABASE southwind; exec sql SELECT * FROM customers<key_1,key_2,key_3>; SQL UPDATE Used to update data in a table via SQL. <code lang="recital"> // The three part key can be specified using a // default encryption key before opening the table exec sql OPEN DATABASE southwind; exec sql SET ENCRYPTION TO "key_1,key_2,key_3"; exec sql UPDATE customers SET companyname='Recital Corporation Inc.' WHERE customerid='RECIT'; // Or by appending the key to the filename exec sql OPEN DATABASE southwind; exec sql UPDATE customers<key_1,key_2,key_3> SET companyname='Recital Corporation Inc.' WHERE customerid='RECIT';