
Best Practice Encryption Key


This topic is 5870 days old. Please don't post here. Open a new topic instead.


We are working through the issues of PCI compliance and need to add encryption to some of our fields.

Question:

If a literal string is included as part of a script step, like $key = "ASD87654", when the script is saved is that literal stored as clear text in the FileMaker file or is the script compiled somehow masking or converting the literal string to something that would not be recognizable?

Same question for a function: is the function compiled so as to mask its contents?

Or, in the context of the FileMaker file being read in a text editor, is this a non-issue? The files are secured with a developer's account and users will not have access to the script editor, function editor or the field definitions.

Perhaps more directly, for those of you using encryption, where is it safe to locate the key?

How about in pre-7 systems, would the keys be in clear text in calculations or script steps when viewing the file in a text editor?


You note:

The files are secured with a developer's account and users will not have access to the script editor, function editor or the field definitions.

That's probably not sufficient. At a minimum, you should remove the [Full Access] Accounts with the Developer Tool.

It really is not safe to store the key--or at least the entire key--anywhere in the file itself. If the key were to be stored in a field, that field absolutely must be set to be to prevent its being read. The problem is that may render the key unusable for encryption or decryption by any of the subordinate user Accounts. If it is stored in the script, it is not outside the realm of possibility that the contents of the script could be read.

What are the specific threats you're trying to address? What are the risks of those threats' occurring? What would be the level of impact of a breach? Answers to these questions are important to help you assess what is the appropriate approach to this issue.

Take a look at 24 U's Hasp Encryption system. It might provide what you need.

Steven
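One way to test the question asked above on your own file: this added example (not part of the original thread) scans a file's bytes for a known key literal stored as-is, as UTF-16, or under a single-byte XOR mask. It assumes nothing about FileMaker's actual file format; the sample blob, its 0x5A mask and the function names are constructed for illustration.

```python
"""Audit a file for a recoverable copy of a key literal you already know."""
from pathlib import Path

KEY = "ASD87654"  # the literal from the question above

def key_encodings(key: str) -> dict[str, bytes]:
    """Byte forms a string literal commonly takes inside a binary file."""
    return {
        "ascii/utf-8": key.encode("utf-8"),
        "utf-16le": key.encode("utf-16-le"),
        "utf-16be": key.encode("utf-16-be"),
    }

def find_key(data: bytes, key: str) -> list[tuple[str, int, int]]:
    """Return (encoding, xor_mask, offset) for every copy of key in data.

    Mask 0 means the literal is stored as-is. Masks 1..255 cover single-byte
    XOR masking, which hides text from an editor but not from a scan.
    """
    hits = []
    for name, needle in key_encodings(key).items():
        for mask in range(256):
            masked = bytes(b ^ mask for b in needle)
            start = data.find(masked)
            while start != -1:
                hits.append((name, mask, start))
                start = data.find(masked, start + 1)
    return hits

def audit_file(path: str, key: str) -> list[tuple[str, int, int]]:
    """Scan a file on disk; an empty list means none of these forms matched."""
    return find_key(Path(path).read_bytes(), key)

# Constructed sample: one clear-text copy at offset 16 and one UTF-16LE copy
# masked with 0x5A at offset 32 (an arbitrary mask chosen for this example).
SAMPLE = (
    b"\x00" * 16
    + KEY.encode("utf-8")
    + b"\xff" * 8
    + bytes(b ^ 0x5A for b in KEY.encode("utf-16-le"))
    + b"\x00" * 4
)

if __name__ == "__main__":
    for encoding, mask, offset in find_key(SAMPLE, KEY):
        print(f"{encoding} copy at offset {offset}, xor mask 0x{mask:02x}")
```

An empty result only rules out these particular encodings; it does not show that the key is unrecoverable from the file.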
