Product Documentation

Database Administrator's Guide

Master Password Verification Options

FairCom DB advanced encryption (AES, Blowfish, Twofish, 3DES) requires a master password to protect encrypted file access. Before starting FairCom DB for the first time with Advanced Encryption enabled, the Administrator must use the ctcpvf utility to create the master password verification file. Each time FairCom DB starts, it prompts for the master password to allow it to open encrypted files.

ctcpvf creates the master password verification file. It accepts optional parameters: filename (the file name to create) and password (the master password). If the parameters are not given, ctcpvf will prompt for the required information.

Usage

ctcpvf [-c <cipher>] [-f <filename>] [-k <key>] [-s <store>]

Where:

  • -c <cipher> - Use encryption cipher <cipher>. Supported ciphers: aes256 and aes128. Default is aes256.
  • -f <filename> - Create password verification file <filename>. Default is ctsrvr.pvf.
  • -k <key> - Use <key> as the master key.
  • -s [<store>] - Store key in encrypted file <store>. Default is ctsrvr.fkf.
  • -syslevel - Create encrypted store file with system-level encryption: all user accounts on the system can decrypt it.

Note: If you don't use the -syslevel switch, you must run the FairCom Server under the same user account that was used to run the ctcpvf utility that created the master key store file. Using the -syslevel switch creates the master key store file so that it can be opened by any user account on that machine, which allows you to run the FairCom Server under any user account on the system. (See Advanced encryption master key store encrypted at system level on Windows.)

Note: FairCom DB looks for the file ctsrvr.pvf in the server binary area, so this file name should be specified. ctcpvf.exe creates the ctsrvr.pvf file in the directory where it is run (e.g., the tools directory). Because the server looks for ctsrvr.pvf in the server directory on launch, ctsrvr.pvf needs to be moved or copied to the server directory.

Key Store Option

By default, this master key must be presented to FairCom DB on startup as prompted. However, this prompted interaction is not always possible. Consider the case of a failover strategy for business continuity, or the case where no single person should ever know the complete key as keys are built from random secure key generators. FairCom DB supports a key store file to provide this key value at startup.

The ctcpvf utility -s option is used to select the master key length, and to write the master key to an encrypted keystore file <store>.

The FairCom DB configuration option MASTER_KEY_FILE specifies the key store file, <store>, from which FairCom DB reads the master encryption key. On Linux and Unix systems, the master key is stored AES encrypted in a file on disk, with permissions set such that only the user that created the file can read it (permissions are set to 400). For complete security, it is important to use file system access safeguards to fully protect this key store file.

Non-server applications must set the environment variable CTREE_MASTER_KEY_FILE=<keystore> to enable using a key store rather than prompting for the master password at FairCom DB initialization.

Note: The key file (or user key on Linux and Unix) is encrypted using AES. The encryption is intended to only prevent casual inspection of the data when the file's contents are viewed. The permissions on the file are the defense against an unauthorized user reading the file. The Windows master key approach uses the Microsoft DPAPI to encrypt data with user credentials, and only that user can decrypt the file. Unix support is a bit weaker in this regard as it relies on file permissions, which can potentially be changed such that another user could read and decrypt the key.
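Because file permissions are the real defense for the key store on Linux and Unix, it is worth checking them before each server start. The audit below is an added example, not FairCom code: the function name audit_key_store, the ownership check, and the parent-directory check are assumptions that go beyond the documented 400 mode.

```python
import os
import stat
import sys

REQUIRED_MODE = 0o400  # owner read-only, the mode the documentation states


def audit_key_store(path, server_uid=None):
    """Return a list of findings for a key store file; an empty list means OK.

    server_uid is the uid of the account that runs the server
    (assumption: defaults to the current user).
    """
    if server_uid is None:
        server_uid = os.getuid()
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink placed at the path
    except FileNotFoundError:
        return [f"{path}: key store file not found"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file (symlink or special file)"]

    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode != REQUIRED_MODE:
        findings.append(f"{path}: mode is {mode:04o}, expected {REQUIRED_MODE:04o}")
    if st.st_uid != server_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {server_uid}")

    # A directory writable by group or others lets them replace the file,
    # whatever the file's own mode is (unless the sticky bit is set).
    parent = os.path.dirname(os.path.abspath(path))
    pmode = stat.S_IMODE(os.stat(parent).st_mode)
    if pmode & (stat.S_IWGRP | stat.S_IWOTH) and not pmode & stat.S_ISVTX:
        findings.append(f"{parent}: directory mode {pmode:04o} is group/world writable")
    return findings


if __name__ == "__main__":
    # Default file name is the documented default for the -s option.
    target = sys.argv[1] if len(sys.argv) > 1 else "ctsrvr.fkf"
    problems = audit_key_store(target)
    for problem in problems:
        print("FINDING:", problem)
    sys.exit(1 if problems else 0)
```

Run it as the account that starts the server, passing the path given in MASTER_KEY_FILE; a non-zero exit status means at least one finding.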

Advanced encryption master key store encrypted at system level on Windows

FairCom DB supports creating an advanced encryption master key store encrypted at the system level on Windows. Prior to this revision, the encrypted master key store file created by the ctcpvf utility on Windows could only be decrypted by the user account that created the file. This made it difficult to set up a Windows service that is using the LocalSystem account to be able to read the encrypted master key store file. (The ctcpvf utility had to be run as LocalSystem when creating the master key store.)

An option has been added to the ctcpvf utility to create the encrypted store using system-level encryption, meaning that any user account on the system can decrypt the file. Use the ctcpvf utility's -syslevel option to use this feature. Example:

ctcpvf -k mymasterkey -s ctsrvr.fkf -syslevel

This option has been added to the ctadmn utility's "Change advanced encryption master password" option. Example:

Enter the name of the filename list file >> files.txt

Enter the current advanced encryption master password >> ****************

Enter the new advanced encryption master password >> ******************

Please confirm the new master password by entering it again:

Enter the new advanced encryption master password >> ******************

Enter the encryption level [U]ser or [S]ystem for the encrypted store >> u

Changing master password for the specified files...

Successfully changed the advanced encryption master password.

See ctadmn.c for an example showing how to call the SECURITY() function with a mode of SEC_CHANGE_ADVENC_PASSWD to change the master key. If you want to create the master key encrypted store using the system-level encryption option, OR the ctENCMODsysl bit into the options field of the ctENCMOD structure whose address you pass to SECURITY().

Note: This support was added on the Windows platform only.