Hello, I am aware of some suggestions for the management of encryption keys in http://sqlanywhere-forum.sap.com/questions/27305/encryption-key-management but that was about a year ago. Does anyone have any updated or additional suggestions for managing keys? HA db access will be from a Java EE based system. Thank you.
asked 19 Apr '17, 18:54 AlK
To what "encryption key" exactly are you referring - is the database strongly encrypted, or does it relate to communication encryption (TLS) - or "storing" user credentials?
You may have a look at that other FAQ as well, and others tagged with "security" or "encryption".
Note that SQL Anywhere's "simple encryption" is merely an obfuscation. That includes the usage of "file hiding", unless used with options -w/-wm.
In addition to the database features mentioned on the other thread ... there are also J2EE best practices you might want to investigate. You might want to consider securing encryption keys the same way you secure passwords in that domain; lots of practice there. Other practices may exist that I may not be aware of.
As to needing to know such keys, that should only apply to encrypted communications, and there you are mostly looking at certificates and trusted CAs, and that is not necessarily something that needs to be exposed in the Java code or properties.
Further, while database encryption does require a key, that normally needs to only be known within the confines of the hosting VM/machine for that. Starting the database as an automatic service/daemon usually avoids issues there.