Cloudscape and Security
Page 6 of 10

Encrypting Databases on Disk

Overview

Cloudscape provides a way for you to encrypt your data on disk.

Typically, database systems encrypt and decrypt data in transport over the network, using industry-standard systems such as SSL. This system works well for client/server databases; the server is assumed to be in a trusted, safe environment, managed by a system administrator. In addition, the recipient of the data is trusted and is assumed to be capable of protecting the data. The only risk comes when transporting data over the wire, and data encryption happens during network transport only.

However, Cloudscape databases are platform-independent files that are designed to be easily shared in a number of ways, including transport over the Internet. Recipients of the data may not know how, or may not have the means, to properly protect the data.

This data encryption feature provides the ability to store user data in an encrypted form. The user who boots the database must provide a boot password.

NOTE: Jar files stored in the database are not encrypted.

Requirements for Cloudscape Encryption

Cloudscape supports disk encryption, but you must supply the following:

  • An implementation of the Java Cryptographic Extension (JCE) package version 1.2.1 or higher.

    Cloudscape does not support earlier, non-exportable, versions of JCE (such as JCE 1.2). More information on JCE 1.2.1, including a product download, can be found at: http://java.sun.com/products/jce/index.html.

    With encryption, Cloudscape runs only in JDKs of version 1.2 or later.

    Any attempt to create or access an encrypted database without the libraries for an implementation of JCE of the proper version or without JDK 1.2 raises an exception; you will not be able to create or boot the database.

    NOTE: The JCE installation documentation describes configuring (registering) the JCE software. You do not need to do this; Cloudscape registers JCE dynamically.

  • An encryption provider

    An encryption provider implements the Java cryptography concepts. By default, Cloudscape uses the encryption provider included in the Sun JCE package.

Working with Encryption

Encrypting Databases on Creation

Cloudscape allows you to configure a database for encryption when you create it. To do so, you specify dataEncryption=true on the database connection URL.

The default encryption provider is com.sun.crypto.provider.SunJCE. You have the option of specifying an alternate encryption provider; see Specifying an Alternate Encryption Provider. The default encryption algorithm is DES, but you have the option of specifying an alternate algorithm; see Specifying an Alternate Encryption Algorithm.

Creating the Boot Password

When you encrypt a database you must also specify a boot password, which is an alphanumeric string used to generate the encryption key. The length of the encryption key depends on the algorithm used:

  • DES (the default) (8 bytes)
  • DESede (24 bytes)
  • Blowfish-style algorithms (16 bytes)

NOTE: The boot password should have at least as many characters as the length of the encryption key. The minimum number of characters for the boot password allowed by Cloudscape is eight.

It is a good idea not to use words that would be easily guessed, such as a login name or simple words or numbers. A bootPassword, like any password, should be a mix of numbers and upper- and lowercase letters.

You turn on and configure encryption and specify the corresponding boot password on the database connection URL for a database when you create it:

jdbc:cloudscape:encryptionDB1;create=true;dataEncryption=true;
    bootPassword=clo760uds2caPe

NOTE: If you lose the bootPassword and the database is not currently booted, you will not be able to connect to the database anymore. (If you know the current bootPassword, you can change it. See Changing the Boot Password.)

Specifying an Alternate Encryption Provider

By default, Cloudscape uses the encryption provider that comes with the JCE package, com.sun.crypto.provider.SunJCE. You can specify an alternate provider when you create the database with the encryptionProvider=providerName attribute. You must specify the full package and class name of the provider, and you must also add the libraries to the application's class path.

NEW: The ability to specify an alternate encryption provider is new in 3.6.

-- using the provider library jce_jdk13-10b4.zip
-- available from www.bouncycastle.org
jdbc:cloudscape:encryptedDB3;create=true;dataEncryption=true;
bootPassword=clo760uds2caPe;
encryptionProvider=org.bouncycastle.jce.provider.BouncyCastleProvider;
encryptionAlgorithm=DES/CBC/NoPadding

-- using a provider
-- available from
-- http://jcewww.iaik.tu-graz.ac.at/download.html
jdbc:cloudscape:encryptedDB3;create=true;dataEncryption=true;
bootPassword=clo760uds2caPe;
encryptionProvider=iaik.security.provider.IAIK;
encryptionAlgorithm=DES/CBC/NoPadding

Specifying an Alternate Encryption Algorithm

Cloudscape supports the following encryption algorithms:

  • DES (the default)
  • DESede (also known as triple DES)
  • Any encryption algorithm that fulfills the following requirements (Blowfish-style algorithms):
    • it is symmetric
    • it is a block cipher, with a block size of 8 bytes
    • it uses the NoPadding padding scheme
    • its secret key can be represented as an arbitrary byte array
    • it requires exactly one initialization parameter, an initialization vector of type javax.crypto.spec.IvParameterSpec
    • it can use javax.crypto.spec.SecretKeySpec to represent its key

    For example, the Blowfish algorithm implemented in the Sun JCE package fulfills these requirements.

By Java convention, an encryption algorithm is specified like this:

algorithmName/feedbackMode/padding

The only feedback modes allowed are:

By default, Cloudscape uses DES in CBC mode with no padding, specified as DES/CBC/NoPadding.

Specify an alternate encryption algorithm when you create a database with the encryptionAlgorithm=algorithm attribute. If the algorithm you specify is not supported by the provider you have specified, Cloudscape throws an exception.
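The requirements above can be checked empirically before you commit an algorithm to a database, since the provider and algorithm cannot be changed afterwards. The following is an added example, not Cloudscape's own code: it probes a JCE transformation written in the algorithmName/feedbackMode/padding form, using the key lengths given under Creating the Boot Password. The class and method names (AlgorithmCheck, whyUnsuitable), the key, IV and plaintext bytes are constructed for the example, and loading a provider by its full class name is an assumption that mirrors the encryptionProvider attribute.

```java
import java.nio.charset.StandardCharsets;
import java.security.Provider;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Probes a JCE transformation against the requirements listed above. Example code, not Cloudscape's. */
public class AlgorithmCheck {

    /** Returns null if the transformation qualifies, otherwise why not. providerClass is null
     *  (default lookup) or a full class name as given to encryptionProvider; keyLen as in the text. */
    static String whyUnsuitable(String transformation, String providerClass, int keyLen) throws Exception {
        String[] parts = transformation.split("/");          // algorithmName/feedbackMode/padding
        if (parts.length != 3) return "must be specified as algorithmName/feedbackMode/padding";
        Cipher cipher;
        if (providerClass == null) {
            cipher = Cipher.getInstance(transformation);
        } else {                                             // provider class must be on the class path
            Provider p = (Provider) Class.forName(providerClass).getDeclaredConstructor().newInstance();
            cipher = Cipher.getInstance(transformation, p);
        }
        if (cipher.getBlockSize() != 8) return "block size is " + cipher.getBlockSize() + " bytes, not 8";
        // Constructed key and IV bytes; the key must be usable as an arbitrary byte array.
        byte[] key = new byte[keyLen];
        for (int i = 0; i < keyLen; i++) key[i] = (byte) (0x31 + i);   // not a DES weak-key pattern
        SecretKeySpec keySpec = new SecretKeySpec(key, parts[0]);
        IvParameterSpec ivSpec = new IvParameterSpec("iv8bytes".getBytes(StandardCharsets.US_ASCII));
        byte[] plain = "8bytes!!".getBytes(StandardCharsets.US_ASCII); // exactly one 8-byte block
        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec);   // exactly one parameter: the IV
        byte[] enc = cipher.doFinal(plain);
        if (enc.length != plain.length) {
            return "ciphertext grew from " + plain.length + " to " + enc.length + " bytes (padding in use)";
        }
        cipher.init(Cipher.DECRYPT_MODE, keySpec, ivSpec);   // symmetric: the same key decrypts
        if (!Arrays.equals(plain, cipher.doFinal(enc))) return "same key did not recover the plaintext";
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Key lengths from the text: DES 8, DESede 24, Blowfish-style 16; the padded case must fail.
        String[][] cases = { {"DES/CBC/NoPadding", "8"}, {"DESede/CBC/NoPadding", "24"},
                             {"Blowfish/CBC/NoPadding", "16"}, {"DES/CBC/PKCS5Padding", "8"} };
        for (String[] c : cases) {
            String reason = whyUnsuitable(c[0], null, Integer.parseInt(c[1]));
            System.out.println(c[0] + ": " + (reason == null ? "suitable" : "unsuitable, " + reason));
        }
    }
}
```

A provider that fails the block-size or padding probe here is exactly one for which Cloudscape would throw an exception at database creation.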

NOTE: After you create a database, you cannot change the encryption provider or encryption algorithm.

NEW: The ability to specify an alternate encryption algorithm is new in 3.6.

Booting an Encrypted Database

Once you have created an encrypted database, you must supply the boot password to reboot it. Encrypted databases cannot be booted automatically along with all other system databases on system startup (see cloudscape.system.bootAll in Tuning Cloudscape). Instead, you boot encrypted databases when you first connect to them.

For example, to access an encrypted database called wombat, created with the boot password cloudscape, you would use the following database connection URL:

jdbc:cloudscape:wombat;bootPassword=clo760uds2caPe

Once the database is booted, all connections can access the database without the boot password. Only the connection that boots the database requires the boot password.

For example, the following connections would boot the database and thus require the boot password:

  • the first connection to the database in the JVM session
  • the first connection to the database after the database has been explicitly shut down
  • the first connection to the database after the system has been shut down and then rebooted

NOTE: The boot password is not meant to prevent unauthorized connections to the database once it has been booted. To protect a database once it has been booted, turn on user authentication (see Working with User Authentication).

Changing the Boot Password

You can change the boot password for the current database.

CALL PropertyInfo.setDatabaseProperty(
    'bootPassword', 'oldbpw, newbpw');

where oldbpw is the current boot password and newbpw is the new boot password. This call commits immediately; it is not transactional.

NOTE: getDatabaseProperty does not actually return the boot password.