Thread: encryption & engine signature in C/S
Sun, Sep 21 2014 5:03 AM

Roy Lambert

NLH Associates

Team Elevate

Tim has very kindly let me have an unlimited server trial so I can test things out.

One thing I've spotted is that the encryption password and engine signature are both stored in plain text in the server's ini file.

Assuming my testing goes well (it is so far) I'll want to do something about that. Anyone have an approach to share?

Roy Lambert
Sun, Sep 21 2014 11:21 AM

Uli Becker

Roy,

> One thing I've spotted is that the encryption password and engine signature are both stored in plain text in the server's ini file.

I discussed that with Tim earlier and his answer was:

<<
Well, you can always modify the edbsrvr.dpr project and have it load the
password from an encrypted file if you do end up with a situation like
that.
Escalating the encryption methods is always an option.
>>

That seems to be the most efficient way.

Uli

Sun, Sep 21 2014 11:47 AM

Raul

Team Elevate

On 9/21/2014 5:03 AM, Roy Lambert wrote:
> One thing I've spotted is that the encryption password and engine signature are both stored in plain text in the server's ini file.
> Assuming my testing goes well (it is so far) I'll want to do something about that. Anyone have an approach to share?

We don't use it for EDB but do need to store passwords in various config
files, so our standard approach is adding salt, symmetric encryption
(AES256) and finally converting the result to base64 for storage.

The problem of course is that now you have a chicken and egg problem -
where do you store the password that encrypts the actual entry in the ini?

If you're OK with a static value then the easiest is to embed it in your
compiled software. This would likely be good enough for you - use a GUID
or such. The only way you can change it is by shipping a new version of the software.

The alternative is to generate something based on the Windows install, but
then moving to another system and the whole backup/restore become a major PITA.

Raul
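
The salt, AES-256 and base64 steps from the post above, as an added example that is not part of the thread and not ElevateDB code. It assumes Node.js, scrypt for key derivation, GCM as the AES mode, and a hypothetical embedded secret and ini key name; none of these choices come from the posters.

```javascript
// Added example: protect one ini value with a salt, AES-256 and base64.
// All names below are hypothetical and not taken from edbsrvr or its ini file.
const nodeCrypto = require('crypto');

// Assumption: a static secret compiled into the application (the post suggests a GUID).
// Constructed sample value; anyone who can read the binary can recover it.
const EMBEDDED_SECRET = '3f0c9a52-7d41-4e8b-9b1e-000000000000';

// Derive a 256-bit key from the embedded secret and a per-value random salt.
function deriveKey(secret, salt) {
  return nodeCrypto.scryptSync(secret, salt, 32);
}

// Returns base64(salt | iv | tag | ciphertext), suitable for a single ini line.
function protectValue(plaintext, secret = EMBEDDED_SECRET) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(secret, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Reverses protectValue; throws if the blob was altered or the secret is wrong.
function unprotectValue(b64, secret = EMBEDDED_SECRET) {
  const raw = Buffer.from(b64, 'base64');
  if (raw.length < 44) throw new Error('protected value too short');
  const salt = raw.subarray(0, 16);
  const iv = raw.subarray(16, 28);
  const tag = raw.subarray(28, 44);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(secret, salt), iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(raw.subarray(44)), decipher.final()]).toString('utf8');
}

// Constructed ini line; the key name is a placeholder, not an actual server setting.
const iniLine = 'ExamplePassword=' + protectValue('constructed-sample-password');
console.log(iniLine);
console.log(unprotectValue(iniLine.slice(iniLine.indexOf('=') + 1)));
```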