New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Database may get decrypted after changing couple of bytes in database header w/o 'agreement' from crypt plugin. [CORE5213] #5494
Comments
Modified by: @AlexPeshkoffassignee: Alexander Peshkov [ alexpeshkoff ] |
Modified by: @AlexPeshkoffreporter: Alexander Peshkov [ alexpeshkoff ] => Dimitry Sibiryakov [ aafemt ] |
Commented by: @aafemt ALTER DATABASE DECRYPT is better to be disabled completely. It won't help much, just close one of the ways to get decrypted database without modifying engine. Encryption of a database should be a one way ticket. |
Commented by: Ann Harrison (awharrison) Surely the Alter Database Decrypt requires the encryption key ... |
Commented by: @aafemt Yes, but in the case of superserver received key in secondary connection is neither checked nor used. |
Modified by: @aafemtsecurity: Developers [ 10012 ] |
Commented by: @AlexPeshkoff Ann, certainly (like any other operation on encrypted database) it's decryption requires the key. But as I see the problem here is that currently a key can be used by db crypt manager silently for any purpose - decrypt blocks needed for normal DB operation or decrypt hole database block by block. I.e. before decryption of whole database crypt manager should ask crypt plugin - is it OK to decrypt the database? Disabling ALTER DATABASE DECRYPT is not an option IMHO - someone may need this operation (for example) in order to later encrypt it with new, better one plugin. |
Commented by: @aafemt IMHO, decrypting of a database is a task for standalone utility, operating on file level. "Encrypted" flag must stay on header till the end of whole process. Better yet, decryption should go into a new file to preserve original database on error. |
Commented by: @asfernandes > Yes, but in the case of superserver received key in secondary connection is neither checked nor used. Why? |
Commented by: @AlexPeshkoff Protected encrypted checksum of valuable fields with hash stored in DB header. Check hash to be valid on database open. |
Modified by: @AlexPeshkoffstatus: Open [ 1 ] => Resolved [ 5 ] resolution: Fixed [ 1 ] Fix Version: 3.0.1 [ 10730 ] Fix Version: 4.0 Alpha 1 [ 10731 ] |
Modified by: @pavel-zotovstatus: Resolved [ 5 ] => Resolved [ 5 ] QA Status: No test => Cannot be tested |
Submitted by: @aafemt
For databases distributed in encrypted form it's necessary to avoid any ability to be decrypted by client including one mentioned in this issue.
Commits: 5fbbae6 88748bd
The text was updated successfully, but these errors were encountered: