Difference between revisions of "Securing Your Data"

From Recital Documentation Wiki
Jump to: navigation, search
(DES3 Encrypting Your Data)
(DES3 Encrypting Your Data)
Line 3: Line 3:
 
===Controlling Access to Data===
 
===Controlling Access to Data===
 
===DES3 Encrypting Your Data===
 
===DES3 Encrypting Your Data===
 +
Recital gives you the ability to encrypt the data held in Recital tables.  Once a table has been encrypted, the data cannot be accessed unless the correct three-part encryption key is specified, providing additional security for sensitive data.
  
 +
* [[ENCRYPT|encrypt]]
  
 +
<pre>
 +
encrypt <tablename as character> | <skeleton as character> key <key as character>
 +
</pre>
  
 
+
The ''encrypt'' command is used to encrypt the data in the specified table or tables matching a skeleton. If the skeleton syntax is used, then all matching tables will be given the same encryption key. The encryption key is a three part comma-separated key and may optionally be enclosed in angled brackets. Each part of the key can be a maximum of 8 characters. The key is DES3 encrypted and stored in a ''.dkf'' file with the same basename as the table. After encryption, the three parts of the key must be specified correctly before the table can be accessed.  
the ability to encrypt the data held in
+
Recital database tables.  Once a database table has been encrypted,
+
the data cannot be accessed unless the correct three-part encryption
+
key is specified, providing additional security for sensitive data.
+
 
+
* [[ENCRYPT|encrypt]]
+
The ENCRYPT command is used to encrypt the data  
+
in the specified table or tables matching a skeleton. If the skeleton  
+
syntax is used, then all matching tables will be given the same  
+
encryption key. The encryption key is a three part comma-separated  
+
key and may optionally be enclosed in angled brackets. Each part  
+
of the key can be a maximum of 8 characters. The key is DES3 encrypted  
+
and stored in a .dkf file with the same basename as the table. After  
+
encryption, the three parts of the key must be specified correctly  
+
before the table can be accessed.  
+
  
 
<code lang="recital">
 
<code lang="recital">
Line 33: Line 23:
  
 
* [[SET ENCRYPTION|set encryption]]
 
* [[SET ENCRYPTION|set encryption]]
If a database table is encrypted, the correct three-part encryption
 
key must be specified before the table's data or structure can be
 
accessed.  The SET ENCRYPTION TO set command can be used to specify
 
a default encryption key to be used whenever an encrypted table
 
is accessed without the key being specified. The encryption key
 
is a three part comma-separated key.
 
  
If the command to access the table includes the key, either by  
+
<pre>
appending it to the table filename specification or using an explicit  
+
set encryption to [<key as character>]
clause, this will take precedence over the key defined by SET ENCRYPTION
+
set encryption on | off
TO.
+
</pre>
Issuing SET ENCRYPTION TO without a key causes any previous setting  
+
 
to be cleared. The key must then be specified for each individual  
+
If a database table is encrypted, the correct three-part encryption key must be specified before the table's data or structure can be accessed.  The ''set encryption to'' set command can be used to specify a default encryption key to be used whenever an encrypted table is accessed without the key being specified. The encryption key is a three part comma-separated key.
encrypted table.
+
 
The default key defined by SET ENCRYPTION is only active when SET
+
If the command to access the table includes the key, either by appending it to the table filename specification or using an explicit clause, this will take precedence over the key defined by ''set encryption to''.
ENCRYPTION is ON. SET ENCRYPTION OFF can be used to temporarily  
+
Issuing ''set encryption to'' without a key causes any previous setting to be cleared. The key must then be specified for each individual encrypted table.
disable the default key. The SET ENCRYPTION ON | OFF setting does  
+
 
not change the default key itself. SET ENCRYPTION is ON by default.
+
The default key defined by ''set encryption to'' is only active when ''set encryption'' is ''on''. ''Set encryption off'' can be used to temporarily disable the default key. The ''set encryption on | off'' setting does not change the default key itself. ''Set encryption'' is ''on'' by default.
  
 
<code lang="recital">
 
<code lang="recital">
 
// Encrypt individual tables
 
// Encrypt individual tables
encrypt customers key "key_1,key_2,key_3";
+
encrypt customers key "key_1,key_2,key_3"
 
encrypt shippers key "key_2,key_3,key_4"
 
encrypt shippers key "key_2,key_3,key_4"
 
// Specify a default encryption key
 
// Specify a default encryption key
 
set encryption to "key_1,key_2,key_3"
 
set encryption to "key_1,key_2,key_3"
 
// Open customers table using the default encryption key
 
// Open customers table using the default encryption key
 
 
use customers
 
use customers
 
// Specify shippers table's encryption key
 
// Specify shippers table's encryption key
Line 71: Line 54:
  
 
* [[DECRYPT|decrypt]]
 
* [[DECRYPT|decrypt]]
The DECRYPT command is used to decrypt the data in the specified  
+
 
table or tables matching a skeleton. The specified key must contain  
+
<pre>
the three part comma-separated key used to previously encrypt the  
+
encrypt <tablename as character> | <skeleton as character> key <key as character>
table and may optionally be enclosed in angled brackets. The skeleton  
+
</pre>
syntax can only be used if all tables matching the skeletonhave
+
 
the same key.
+
The ''decrypt'' command is used to decrypt the data in the specified table or tables matching a skeleton. The specified key must contain the three part comma-separated key used to previously encrypt the table and may optionally be enclosed in angled brackets. The skeleton syntax can only be used if all tables matching the skeleton have the same key.
The DECRYPT command decrypts the data and removes the table's .dkf  
+
 
file.  After decryption, the key need no longer be specified to  
+
The ''decrypt'' command decrypts the data and removes the table's '.dkf'' file.  After decryption, the key need no longer be specified to gain access to the table.
gain access to the table.
+
  
 
<code lang="recital">
 
<code lang="recital">
Line 91: Line 73:
  
 
All of the following commands are affected when a table is encrypted:
 
All of the following commands are affected when a table is encrypted:
* [[APPEND FROM|append from]]
 
* [[COPY FILE|copy file]]
 
* [[COPY STRUCTURE|copy structure]]
 
* [[COPY|copy]]
 
* [[DIR|dir]]
 
* [[USE|use]]
 
* [[SQL INSERT|SQL insert]]
 
* [[SQL SELECT|SQL select]]
 
* [[SQL UPDATE|SQL update]]
 
  
APPEND FROM
+
* [[APPEND FROM|append from]] - append records to the active table from another table
Used to append records to the active table from another table.
+
  
 
<code lang="recital">
 
<code lang="recital">
Line 111: Line 83:
 
</code>
 
</code>
  
COPY FILE
+
* [[COPY FILE|copy file]] - copy a file
Used to copy a file.
+
  
 
<code lang="recital">
 
<code lang="recital">
Line 123: Line 94:
 
</code>
 
</code>
  
COPY STRUCTURE
+
* [[COPY STRUCTURE|copy structure]] - copy a table's structure to a new table
Used to copy a table's structure to a new table.
+
  
 
<code lang="recital">
 
<code lang="recital">
Line 135: Line 105:
 
</code>
 
</code>
  
COPY
+
* [[COPY|copy]] - copy a table
Used to copy a table.
+
  
 
<code lang="recital">
 
<code lang="recital">
Line 166: Line 135:
 
</code>
 
</code>
  
DIR
+
* [[DIR|dir]] - display a directory listing of tables
Used to display a directory listing of tables.
+
  
 
<code lang="recital">
 
<code lang="recital">
Line 194: Line 162:
 
</pre>
 
</pre>
  
USE
+
* [[USE|use]] - open a table
Used to open a table.
+
  
 
<code lang="recital">
 
<code lang="recital">
Line 210: Line 177:
 
</code>
 
</code>
  
SQL INSERT
+
* [[SQL INSERT|SQL insert]] - add a row to a table
Used to add a row to a table via SQL.
+
  
 
<code lang="recital">
 
<code lang="recital">
Line 237: Line 203:
 
</code>
 
</code>
  
SQL SELECT
+
* [[SQL SELECT|SQL select]] - return data from a table or tables
Used to return data from a table via SQL.
+
  
 
<code lang="recital">
 
<code lang="recital">
Line 256: Line 221:
 
   SELECT * FROM customers<key_1,key_2,key_3>;
 
   SELECT * FROM customers<key_1,key_2,key_3>;
  
SQL UPDATE
+
* [[SQL UPDATE|SQL update]] - update data in a table
Used to update data in a table via SQL.
+
  
 
<code lang="recital">
 
<code lang="recital">

Revision as of 15:13, 25 January 2010

Securing Your Data

Protecting Data with Constraints

Controlling Access to Data

DES3 Encrypting Your Data

Recital gives you the ability to encrypt the data held in Recital tables. Once a table has been encrypted, the data cannot be accessed unless the correct three-part encryption key is specified, providing additional security for sensitive data.

encrypt <tablename as character> | <skeleton as character> key <key as character>

The encrypt command is used to encrypt the data in the specified table or tables matching a skeleton. If the skeleton syntax is used, then all matching tables will be given the same encryption key. The encryption key is a three part comma-separated key and may optionally be enclosed in angled brackets. Each part of the key can be a maximum of 8 characters. The key is DES3 encrypted and stored in a .dkf file with the same basename as the table. After encryption, the three parts of the key must be specified correctly before the table can be accessed.

// Encrypt individual tables
encrypt customers key "key_1,key_2,key_3"
encrypt employees key "<key_1,key_2,key_3>"
 
// Encrypt all .dbf files in the directory
encrypt *.dbf key "key_1,key_2,key_3"
set encryption to [<key as character>]
set encryption on | off

If a database table is encrypted, the correct three-part encryption key must be specified before the table's data or structure can be accessed. The set encryption to set command can be used to specify a default encryption key to be used whenever an encrypted table is accessed without the key being specified. The encryption key is a three part comma-separated key.

If the command to access the table includes the key, either by appending it to the table filename specification or using an explicit clause, this will take precedence over the key defined by set encryption to. Issuing set encryption to without a key causes any previous setting to be cleared. The key must then be specified for each individual encrypted table.

The default key defined by set encryption to is only active when set encryption is on. Set encryption off can be used to temporarily disable the default key. The set encryption on | off setting does not change the default key itself. Set encryption is on by default.

// Encrypt individual tables
encrypt customers key "key_1,key_2,key_3"
encrypt shippers key "key_2,key_3,key_4"
// Specify a default encryption key
set encryption to "key_1,key_2,key_3"
// Open customers table using the default encryption key
use customers
// Specify shippers table's encryption key
use shippers<key_2,key_3,key_4>
// Disable the default encryption key
set encryption to
// Specify the individual encryption keys
use customers encryption "key_1,key_2,key_3"
use shippers<key_2,key_3,key_4>
encrypt <tablename as character> | <skeleton as character> key <key as character>

The decrypt command is used to decrypt the data in the specified table or tables matching a skeleton. The specified key must contain the three part comma-separated key used to previously encrypt the table and may optionally be enclosed in angled brackets. The skeleton syntax can only be used if all tables matching the skeleton have the same key.

The decrypt command decrypts the data and removes the table's '.dkf file. After decryption, the key need no longer be specified to gain access to the table.

// Decrypt individual tables
decrypt customers key "key_1,key_2,key_3"
decrypt employees key "<key_1,key_2,key_3>"
 
// Decrypt all .dbf files in the directory
decrypt *.dbf key "key_1,key_2,key_3"

All of the following commands are affected when a table is encrypted:

  • append from - append records to the active table from another table
// The key must be specified for an encrypted source table
use mycustomers
append from customers encryption "key_1,key_2,key_3";
for country = "UK"
// The key file must also be copied for an encrypted source table
// as the target table will be encrypted
encrypt customers key "key_1,key_2,key_3"
copy file customers.dbf to newcustomers.dbf
copy file customers.dkf to newcustomers.dkf
use newcustomers encryption "key_1,key_2,key_3"
// The key file is automatically copied for an encrypted source table
// and the target table encrypted
encrypt customers key "key_1,key_2,key_3"
use customers encryption "key_1,key_2,key_3"
copy structure to blankcust
use blankcust encryption "key_1,key_2,key_3"
  • copy - copy a table
// By default, the key file is automatically copied for an encrypted
// source table and the target table encrypted with the same key
encrypt customers key "key_1,key_2,key_3"
 
use customers encryption "key_1,key_2,key_3"
copy to newcustomers
use newcustomers encryption "key_1,key_2,key_3"
 
// You can also create a copy with a different key
encrypt customers key "key_1,key_2,key_3"
use customers encryption "key_1,key_2,key_3"
copy to newcustomers encrypt "newkey_1,newkey_2,newkey_3"
 
use newcustomers encryption "newkey_1,newkey_2,newkey_3"
 
// Or create a decrypted copy
encrypt customers key "key_1,key_2,key_3";
use customers encryption "key_1,key_2,key_3"
copy to newcustomers decrypt
use newcustomers
 
// You can also create an encrypted copy of a non-encrypted source table
use orders
copy to encorders encrypt "newkey_1,newkey_2,newkey_3"
use encorders encryption "newkey_1,newkey_2,newkey_3"
  • dir - display a directory listing of tables
// Encrypted tables are flagged as such with (DES3)
open database southwind
dir
Current database: southwind
Tables            # Records    Last Update   Size  Dictionary Triggers Security
categories.dbf            8    01/10/06     24576  None       None     None
cisamdemo.dbf       ---> CISAM/Bridge        [cisamdemo]
customers.dbf (DES3)     91    05/12/04     49600  None       None     None
employees.dbf             9    05/12/04     25520  None       None     None
example.dbf   (DES3)    100    12/24/05     38080  Yes        Yes      None
order_details.dbf      2155    05/12/04    296320  None       None     None
orders.dbf              829    05/12/04    232704  None       None     None
products.dbf             77    05/12/04     37112  None       None     None
productsbyname.dbf       77    05/12/04     29104  None       None     None
shippers.dbf  (DES3)      3    05/12/04     20864  None       None     None
suppliers.dbf            29    12/08/05     29992  Yes        None     None

   0.765 MB in 11 files.
   1.093 GB remaining on drive.
  • use - open a table
// The three part key must be specified to open an
// encrypted table.  All of the following are valid.
// 1. Specifying a default encryption key before opening the table
set encryption to "key_1,key_2,key_3"
use customers
// 2. Appending the key to the filename
use customers<key_1,key_2,key_3>
// 3. Using the ENCRYPTION clause, optionally specifying angled brackets
use customers encryption "key_1,key_2,key_3"
use customers encryption "<key_1,key_2,key_3>"
// The three part key can be specified using a
// default encryption key before opening the table
exec sql
  OPEN DATABASE southwind;
exec sql
  SET ENCRYPTION TO "key_1,key_2,key_3"
exec sql
  INSERT INTO customers
  (customerid, companyname)
  VALUES
  ('RECIT','Recital Corporation');
 
// Or by appending the key to the filename
 
exec sql
  OPEN DATABASE southwind;
exec sql
  INSERT INTO customers<key_1,key_2,key_3>
  (customerid, companyname)
  VALUES
  ('RECIT','Recital Corporation');
// The three part key can be specified using a
// default encryption key before opening the table
exec sql
  OPEN DATABASE southwind;
exec sql
  SET ENCRYPTION TO "key_1,key_2,key_3";
exec sql
  SELECT * FROM customers;
// Or by appending the key to the filename
 
exec sql
  OPEN DATABASE southwind;
exec sql
  SELECT * FROM customers<key_1,key_2,key_3>;

* [[SQL UPDATE|SQL update]] - update data in a table
 
<code lang="recital">
// The three part key can be specified using a
// default encryption key before opening the table
exec sql
  OPEN DATABASE southwind;
exec sql
  SET ENCRYPTION TO "key_1,key_2,key_3";
exec sql
  UPDATE customers
  SET companyname='Recital Corporation Inc.'
  WHERE customerid='RECIT';
// Or by appending the key to the filename
exec sql
  OPEN DATABASE southwind;
exec sql
  UPDATE customers<key_1,key_2,key_3>
 
  SET companyname='Recital Corporation Inc.'
  WHERE customerid='RECIT
* [[SQL UPDATE|SQL update]] - update data in a table
 
<code lang="recital">
// The three part key can be specified using a
// default encryption key before opening the table
exec sql
  OPEN DATABASE southwind;
exec sql
  SET ENCRYPTION TO "key_1,key_2,key_3";
exec sql
  UPDATE customers
  SET companyname='Recital Corporation Inc.'
  WHERE customerid='RECIT';
// Or by appending the key to the filename
exec sql
  OPEN DATABASE southwind;
exec sql
  UPDATE customers<key_1,key_2,key_3>
 
  SET companyname='Recital Corporation Inc.'
  WHERE customerid='RECIT';