Re: Server side encryption - Newbie




Paul Rubin wrote:


> Anyway, if I understand it, your basic plan is something like:
>
> - Users log in and enter the pass phrase. The server uses the pass
> phrase to decrypt the key file and reconstruct the static key in
> memory. It uses the in-memory key to access the encrypted data.

I'm not sure I understand the benefit of encrypting the key. Doesn't
that just shift the risk from: "being able to find the key on disk",
to: "being able to find the key in memory"? Is the latter any harder
than the former? (given that the memory in question probably ends up in
the swap file anyway, so the attacker can look there first)

TC (MVP MSAccess)
http://tc2.atspace.com
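
The swap-file concern raised above has a standard mitigation on POSIX systems, shown here as an added example that is not part of the original post: hold the decrypted key in pages pinned with `mlock()` and wipe them before release. The `keybuf_*` names are hypothetical and the key bytes are a constructed stand-in.

```c
#define _GNU_SOURCE            /* MAP_ANONYMOUS, madvise */
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
/* Hypothetical holder for a decrypted key (names are this example's own). */
typedef struct {
    unsigned char *buf;   /* page-aligned storage for the key */
    size_t len;           /* mapping length, rounded up to whole pages */
    int locked;           /* 1 if mlock() pinned the pages in RAM */
} keybuf;

/* Map private pages for the key and ask the kernel never to swap them. */
int keybuf_alloc(keybuf *k, size_t want) {
    long ps = sysconf(_SC_PAGESIZE);
    if (ps <= 0 || want == 0) return -1;
    k->len = (want + (size_t)ps - 1) / (size_t)ps * (size_t)ps;
    k->buf = mmap(NULL, k->len, PROT_READ | PROT_WRITE,
                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (k->buf == MAP_FAILED) { k->buf = NULL; return -1; }
    /* May fail under a low RLIMIT_MEMLOCK; record it so the caller can decide. */
    k->locked = (mlock(k->buf, k->len) == 0);
#ifdef MADV_DONTDUMP
    (void)madvise(k->buf, k->len, MADV_DONTDUMP);  /* keep out of core dumps */
#endif
    return 0;
}
/* Overwrite through a volatile pointer so the stores are not optimised away. */
void keybuf_wipe(keybuf *k) {
    volatile unsigned char *p = k->buf;
    for (size_t i = 0; i < k->len; i++) p[i] = 0;
}
/* Wipe, unlock and unmap; returns 0 on success, -1 if nothing is mapped. */
int keybuf_free(keybuf *k) {
    if (k->buf == NULL) return -1;
    keybuf_wipe(k);
    if (k->locked) munlock(k->buf, k->len);
    int rc = munmap(k->buf, k->len);
    k->buf = NULL; k->len = 0; k->locked = 0;
    return rc;
}

int main(void) {
    keybuf k;
    if (keybuf_alloc(&k, 32) != 0) return 1;
    memset(k.buf, 0xA5, 32);   /* constructed stand-in for the decrypted key */
    printf("key pages locked in RAM: %s\n", k.locked ? "yes" : "no");
    return keybuf_free(&k);
}
```

Locking only keeps the pages out of swap; it does not protect the key from anything that can read the server process's memory while the key is loaded.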
