deploying app and protecting mdf file from being read, suggestions.

  • Question

  • Can anyone point me in the right direction? I know this type of question has been asked before, but I am not after a foolproof solution, just something relatively easy to implement with basic or moderate levels of protection, and maybe some ideas on how to implement it/code examples/samples.


    I will be deploying an application on CD to clients. I want to discourage a hacker by making it difficult for him to read the tables in the mdf file. I only want the mdf file accessible through the application. The database will be read only and relatively small. I'm using SQL Server 2005 Express.

    Thanks.
    Friday, January 9, 2009 8:06 AM

Answers

  • Hi trav,

    The best way to do this would be to encrypt the data in the tables, and decrypt the information using the application.  I would encourage you to encrypt only the sensitive data in the application, because there is of course some overhead to encryption.  A good introduction to SQL Server Encryption can be found in the MSDN Article How To: Encrypt A Column of Data.

    Is this the kind of thing that you're looking for?


    Aaron Alton | thehobt.blogspot.com
    • Marked as answer by trav9000 Wednesday, January 14, 2009 2:05 AM
    Sunday, January 11, 2009 2:26 AM

All replies

  • yes, I think that is the approach I will take, with the columns.

    So, I have done that using encryptbypassphrase and then in the tableadapter on the form, I then decrypt the columns. I have to hardcode the passphrase in the fill() query. It shows up properly in the datagrid, i.e. unencrypted.

    Taking this approach, do you know if it is easy to debug and get the passphrase from the tableadapter query? Would any obfuscation strategies help, or should I be looking for a 3rd party obfuscation solution? Or would obfuscation not help much?

    Thanks.
    Monday, January 12, 2009 5:20 AM
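
The column-encryption approach described in this thread, as an added T-SQL example that is not part of the original posts or the MSDN article. The table, column names, sample values and the passphrase placeholder are hypothetical; the syntax is kept compatible with SQL Server 2005.

```sql
-- Constructed sample schema; all names are hypothetical.
CREATE TABLE dbo.Customer (
    CustomerId  int            NOT NULL PRIMARY KEY,
    Name        nvarchar(100)  NOT NULL,
    SecretValue varbinary(256) NOT NULL  -- ciphertext from EncryptByPassPhrase
);
GO

-- Placeholder passphrase. In the application it would be supplied as a
-- query parameter of the fill query rather than typed into the SQL text;
-- the application still has to hold it somewhere.
DECLARE @pass nvarchar(128);
SET @pass = N'<placeholder-passphrase>';

-- Encrypt when the read-only database is built. The authenticator (here the
-- row's key) binds the ciphertext to its row, so a value copied into another
-- row no longer decrypts there.
INSERT INTO dbo.Customer (CustomerId, Name, SecretValue)
VALUES (1, N'Constructed Sample',
        EncryptByPassPhrase(@pass, N'constructed secret', 1, CONVERT(sysname, 1)));

-- The fill query. Convert back to the same type that was encrypted
-- (nvarchar here); converting to varchar would return garbled text.
SELECT CustomerId,
       Name,
       CONVERT(nvarchar(100),
               DecryptByPassPhrase(@pass, SecretValue, 1,
                                   CONVERT(sysname, CustomerId))) AS SecretValue
FROM dbo.Customer;

-- A wrong passphrase or a mismatched authenticator does not raise an error:
-- DecryptByPassPhrase returns NULL, which the application has to check for.
SELECT CustomerId,
       DecryptByPassPhrase(N'wrong passphrase', SecretValue, 1,
                           CONVERT(sysname, CustomerId)) AS ShouldBeNull
FROM dbo.Customer;
GO
```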