Icon View Thread

The following is the text of the current message along with any replies.
Messages 1 to 9 of 9 total
Thread Encryption types
Sun, Mar 11 2018 7:45 PMPermanent Link

Graham Mylne

Hi

I was just wondering what the differences in the encryption processes are. There is RemoteEncryption and then there is the table encryption. Are they essentially the same thing its just that the table based encryption ensures the data is encrypted at rest and you can specify what tables to encrypt if you don't want them all.

Is there a speed/performance difference between the two?
Mon, Mar 12 2018 12:38 AMPermanent Link

Raul

Team Elevate Team Elevate

On 3/11/2018 7:45 PM, Graham Mylne wrote:
> I was just wondering what the differences in the encryption processes are. There is RemoteEncryption and then there is the table encryption. Are they essentially the same thing its just that the table based encryption ensures the data is encrypted at rest and you can specify what tables to encrypt if you don't want them all.

Yes, table encryption is encryption at rest - meaning actual on-disk
table is encrypted.

Remoteencryption encrypts data in transit when using client server (C/S
with DBSRVR).

They are independent - one can use remoteenryption to ensure network
traffic is encrypted but source table itself is not encrypted.


Raul
Mon, Mar 12 2018 1:51 AMPermanent Link

Graham Mylne

Ok awesome thats what i need just in transit, it seems really fast still, i didnt notice any performance changes, does it require a password to work or is that just another safeguard?
Mon, Mar 12 2018 10:30 AMPermanent Link

Raul

Team Elevate Team Elevate

On 3/12/2018 1:51 AM, Graham Mylne wrote:
> Ok awesome thats what i need just in transit, it seems really fast still, i didnt notice any performance changes, does it require a password to work or is that just another safeguard?
>

It does require a password to work but there is a default one specified
(elevatesoft)- it's basically a shared secret type where you have to
match them on server and client.

Even though everything works with defaults you might want to configure
this further:

1. DBSRVR has "Encryption Password" INI setting so you can change the
default password on server

Internally this setting :
https://www.elevatesoft.com/manual?action=viewprop&id=dbisam4&product=rsdelphiwin32&version=10T&comp=TDBISAMEngine&prop=ServerEncryptionPassword


2. DBSRVR allows both plain text and encrypted connections still but you
can enforce entryption using the "Encrypted Only" setting in the DBSRVR INI

This setting internally:
https://www.elevatesoft.com/manual?action=viewprop&id=dbisam4&product=rsdelphiwin32&version=10T&comp=TDBISAMEngine&prop=ServerEncryptedOnly


3. On client side you need to use remote session and then set the
RemoteEncryption property

https://www.elevatesoft.com/manual?action=viewprop&id=dbisam4&product=rsdelphiwin32&version=10T&comp=TDBISAMSession&prop=RemoteEncryption

4. Again on client side you need to set RemoteEncryptionPassword

https://www.elevatesoft.com/manual?action=viewprop&id=dbisam4&product=rsdelphiwin32&version=10T&comp=TDBISAMSession&prop=RemoteEncryptionPassword


In terms of performance there will be small overhead since each data
block would need to be encrypted on sender and decrypted on receiver but
this in most cases is not noticeable - as you observed.

Raul
Mon, Mar 12 2018 6:47 PMPermanent Link

Graham Mylne

Awesome response Raul, much appreciated.
Fri, Mar 16 2018 1:45 AMPermanent Link

Graham Mylne

Hi Raul

Do you know what happens when you set an encryption password and do not enforce encrypted connections? When the password is not the default password, any app that connects, including dbsys, requires a username and password but im not using an encrypted connection.
Fri, Mar 16 2018 1:45 AMPermanent Link

Graham Mylne

Just not sure why it requires login credentials and fails if there is a password.
Fri, Mar 16 2018 7:46 AMPermanent Link

Raul

Team Elevate Team Elevate

On 3/16/2018 1:45 AM, Graham Mylne wrote:
> Just not sure why it requires login credentials and fails if there is a password.

Graham,

Can you clarify - i'm not sure of the question.

If you do not enforce encryption at the dbsrvr then client can connect
either with or without encryption - it's now up to client to specify
using RemoteEncryption option if it wants to use encryption.


Normal username/password authentication is still used and required in
both cases.

Raul

Sun, Mar 18 2018 1:49 AMPermanent Link

Graham Mylne

Its basically something about our transaction code, I worked out that for some reason between our start and commit transactions we are setting the connection to encrypted but we are not reconnecting. We connect without encryption on, then start a transaction, call a server side procedure, then commit and its showing as encrypted. I am not sure quite why. I dont think i will worry too much at the moment i at least know where its doing it regardless but it is fine.
Image