The service has the "-ep" parameter but won't prompt for the encryption key and will not start. Error in Windows event log is "Missing database encryption"...duh: I expect it to prompt me!

Anybody can reproduce?

OS: Win 7 Pro 64 bits, 8Gb ram SQL Anywhere 16 dev edition

asked 19 Apr '13, 09:39

jmrouyre


When running as a service, there is no way for the server to prompt for an encryption key. You will need to specify the -ek switch on the command line. If you want, you can specify the -ek switch in a file and use the @file syntax to pass it to the server. You can encrypt/obfuscate this file with dbfhide if you want.


answered 19 Apr '13, 09:42

Graeme Perrow

edited 19 Apr '13, 09:55

Volker Barth

I would amend Graeme's response to say that if you want the file 'encrypted', use dbfhide -w or dbfhide -wm. Otherwise, the file is just obfuscated.

http://dcx.sybase.com/index.html#sa160/en/dbadmin/file-hiding-utility-syntax.html*d5e56897

(19 Apr '13, 09:53) John Smirnios

FWIW, that exactly made me add "/obfuscate" in Graeme's answer at the same time...

FWIW2, one might even state that dbfhide -w/-wm uses strong encryption, however, AFAIK with an OS-supplied key... (it's using the DPAPI, right?)

(19 Apr '13, 10:10) Volker Barth
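
The approach from the answer and comments above (put -ek in a configuration file, hide it with dbfhide, pass it to the service with @file), as an added example that is not code from the thread or from the vendor. Paths, server and service names, and the key are placeholders; the reading of -w (machine plus creating user) versus -wm (machine only) is an assumption taken from the dbfhide documentation linked above, and it is why -wm is used here for a service running as LocalSystem.

```powershell
# Added example. Run from an elevated PowerShell prompt with the SQL Anywhere
# Bin64 directory on PATH. All names, paths and the key below are placeholders.
$cfgPlain  = 'C:\sa\svc.cfg'     # hypothetical temporary plaintext option file
$cfgHidden = 'C:\sa\svc.hid'     # hypothetical hidden file the service will read
$dbsrv     = 'C:\Program Files\SQL Anywhere 16\Bin64\dbsrv16.exe'  # assumed install path

# 1. Server options, one per line. -ek is a database option, so it comes after
#    the database file it applies to. It replaces -ep, which cannot prompt
#    when the server runs as a service.
@'
-n demo_srv
C:\sa\demo.db
-ek REPLACE_WITH_DATABASE_KEY
'@ | Set-Content -Path $cfgPlain -Encoding ASCII

# 2. Hide the option file. Without -w/-wm the result is only obfuscated.
#    Assumption: -w ties the file to this machine AND the creating user, so a
#    file made by an administrator would be unreadable to a LocalSystem service;
#    -wm ties it to this machine only.
dbfhide -wm $cfgPlain $cfgHidden
if ($LASTEXITCODE -ne 0) { throw 'dbfhide failed; plaintext file left in place' }

# 3. Remove the plaintext copy. Remove-Item does not wipe the disk blocks, so
#    create this file on a volume you are prepared to treat as sensitive.
Remove-Item -Path $cfgPlain

# 4. -wm lets any local account decrypt the file, so restrict who can read it.
icacls $cfgHidden /inheritance:r /grant:r 'NT AUTHORITY\SYSTEM:R' 'BUILTIN\Administrators:F'
if ($LASTEXITCODE -ne 0) { throw 'icacls failed; check the ACL by hand' }

# 5. Register the service (LocalSystem, automatic start, network server).
#    The @file argument is built inside a quoted string because a bare
#    @name token is parsed by PowerShell as splatting.
dbsvc -as -s auto -t network -w demo_svc $dbsrv "@$cfgHidden"
if ($LASTEXITCODE -ne 0) { throw 'dbsvc failed; service not created' }

# 6. Confirm the stored command line contains only the @file reference,
#    not the key itself.
dbsvc -g demo_svc
```

With this layout the key never appears in the service's registered command line; it exists only inside the hidden file, whose confidentiality then rests on the file ACL and the machine-bound protection.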

Services cannot prompt: Windows isolates all services so that they cannot access the desktop.


answered 19 Apr '13, 09:41

John Smirnios

That is not what the documentation states: "the database server is either not a Windows service, or it is a Windows service with the interact with desktop option turned ON" is a condition for the -ep and this is my case (desktop interaction is ON)

(19 Apr '13, 10:05) jmrouyre

AFAIK, this depends on the OS version (older Windows versions surely allow services to interact with the desktop - Windows 7 does not) - so the cited statement should be refined...

(19 Apr '13, 10:14) Volker Barth

The services isolation (aka session 0 isolation) was added by Microsoft in Windows Vista and exists for security reasons (i.e., no user-level code running on the desktop can have a security attack vector into a system service via a GUI presented by that service). Also, Microsoft recommends (and requires for Windows Certification fwiw) that services never present GUI elements and warns that "interact with desktop" will likely be removed in a future version of the OS.

It looks like the -ep portion of the doc didn't get updated. I will add a note on DCX.

(19 Apr '13, 10:20) John Smirnios