From: Spud on 26 Apr 2010 11:41

We've been told that we need to implement on-disk encryption of our data files. We currently write them using RandomAccessFile and read them using FileChannel.read(ByteBuffer).

Before I go off on my own, slog through java.security, and write a wrapper around these routines to encrypt/decrypt, is there an easy way to do it? Perhaps something built into the JDK that I'm missing?

From: Martin Gregorie on 26 Apr 2010 15:21

On Mon, 26 Apr 2010 10:41:36 -0500, Spud wrote:

> We've been told that we need to implement on-disk encryption of our data
> files. We currently write them using RandomAccessFile and read them
> using FileChannel.read(ByteBuffer).
>

Why not simply store the files in an encrypted disk partition?

The OS does all the grunt-work, including prompting for the password at boot time, and the application(s) don't need to change. The encryption is transparent to them because it takes place at a lower level.

--
martin@   | Martin Gregorie
gregorie. | Essex, UK
org       |

From: Mike Schilling on 26 Apr 2010 17:28

Martin Gregorie wrote:
> On Mon, 26 Apr 2010 10:41:36 -0500, Spud wrote:
>
>> We've been told that we need to implement on-disk encryption of our
>> data files. We currently write them using RandomAccessFile and read
>> them using FileChannel.read(ByteBuffer).
>>
> Why not simply store the files in an encrypted disk partition?
>
> The OS does all the grunt-work, including prompting for the password
> at boot time, and the application(s) don't need to change. The
> encryption is transparent to them because it takes place at a lower
> level.

Then any app that can gain access to open the file can read it as clear text. Or am I missing something?

From: rossum on 26 Apr 2010 19:15

On Mon, 26 Apr 2010 14:28:42 -0700, "Mike Schilling" <mscottschilling(a)hotmail.com> wrote:

>Martin Gregorie wrote:
>> On Mon, 26 Apr 2010 10:41:36 -0500, Spud wrote:
>>
>>> We've been told that we need to implement on-disk encryption of our
>>> data files. We currently write them using RandomAccessFile and read
>>> them using FileChannel.read(ByteBuffer).
>>>
>> Why not simply store the files in an encrypted disk partition?
>>
>> The OS does all the grunt-work, including prompting for the password
>> at boot time, and the application(s) don't need to change. The
>> encryption is transparent to them because it takes place at a lower
>> level.
>
>Then any app that can gain access to open the file can read it as clear
>text. Or am I missing something?

Any app that knows the password. An encrypted partition does indeed look like the simplest solution.

rossum

From: Martin Gregorie on 26 Apr 2010 19:22

On Mon, 26 Apr 2010 14:28:42 -0700, Mike Schilling wrote:

> Martin Gregorie wrote:
>> On Mon, 26 Apr 2010 10:41:36 -0500, Spud wrote:
>>
>>> We've been told that we need to implement on-disk encryption of our
>>> data files. We currently write them using RandomAccessFile and read
>>> them using FileChannel.read(ByteBuffer).
>>>
>> Why not simply store the files in an encrypted disk partition?
>>
>> The OS does all the grunt-work, including prompting for the password at
>> boot time, and the application(s) don't need to change. The encryption
>> is transparent to them because it takes place at a lower level.
>
> Then any app that can gain access to open the file can read it as clear
> text. Or am I missing something?

True enough. The OP didn't say anything about why they'd been told to encrypt the files, so I merely offered the simplest solution to implement. I also assumed that the OP would come back and tell us if disk volume encryption was unsuitable and, hopefully, why.

Disk volume encryption is good enough to prevent data loss if the disks are stolen. It will also do the job if the computer is stolen provided it isn't a laptop that was suspended rather than shut down. I don't know about a hibernating laptop, but would guess it is secure since hibernation seems to be just a modified form of a cold boot.

In any case, since this is so simple to implement[*] it should be looked at first and discarded if unsuitable. After that you can move on and look at more complex solutions.

[*] Under Linux you just format an encrypted partition and set the password when prompted by the formatter. Each time the partition is mounted you get prompted for its password. Doubtless it's about equally simple to use under Windows and other OSen.

--
martin@   | Martin Gregorie
gregorie. | Essex, UK
org       |
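
For the case Mike Schilling raises, where volume encryption is not enough because any process that can open the file sees clear text, the application-level wrapper Spud asked about could look like the following. This is an added example, not code from any poster in this thread; it assumes fixed-size 64-byte records and AES-GCM with a fresh nonce per write, and the class name, record size and slot layout are hypothetical.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.io.*;
import java.nio.ByteBuffer;
import java.nio.channels.FileChannel;
import java.nio.file.*;
import java.security.SecureRandom;
import java.util.Arrays;

public class EncryptedRecordFile { // hypothetical name
    static final int RECORD = 64, NONCE = 12, TAG = 16; // record size is an assumption
    static final int SLOT = NONCE + RECORD + TAG;       // on-disk bytes per record
    // Encrypt one record and write it at its slot. A fresh random nonce per write
    // means overwriting a record in place never reuses a (key, nonce) pair.
    static void write(RandomAccessFile raf, SecretKey key, long index, byte[] plain) throws Exception {
        if (plain.length != RECORD) throw new IllegalArgumentException("bad record size");
        byte[] nonce = new byte[NONCE];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG * 8, nonce));
        c.updateAAD(ByteBuffer.allocate(8).putLong(index).array()); // bind data to its slot
        raf.seek(index * SLOT);
        raf.write(nonce);
        raf.write(c.doFinal(plain)); // ciphertext followed by the 16-byte tag
    }

    // Read one slot via FileChannel.read(ByteBuffer, position) and decrypt it. doFinal
    // throws AEADBadTagException if the slot was altered or copied from another index.
    static byte[] read(FileChannel ch, SecretKey key, long index) throws Exception {
        ByteBuffer buf = ByteBuffer.allocate(SLOT);
        while (buf.hasRemaining())
            if (ch.read(buf, index * SLOT + buf.position()) < 0) throw new EOFException("short slot");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG * 8, buf.array(), 0, NONCE));
        c.updateAAD(ByteBuffer.allocate(8).putLong(index).array());
        return c.doFinal(buf.array(), NONCE, RECORD + TAG);
    }
    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey(); // demo only; a real key lives in a keystore or KMS
        Path p = Files.createTempFile("records", ".enc");
        try (RandomAccessFile raf = new RandomAccessFile(p.toFile(), "rw"); FileChannel ch = raf.getChannel()) {
            byte[] rec = Arrays.copyOf("constructed sample record".getBytes("UTF-8"), RECORD);
            write(raf, key, 3, rec); // random access: straight to slot 3
            write(raf, key, 3, rec); // overwrite in place with a new nonce
            System.out.println(Arrays.equals(rec, read(ch, key, 3)));
        } finally { Files.delete(p); }
    }
}
```

Unlike volume encryption, this keeps the file opaque to other processes that can open it, but only if the key is held somewhere those processes cannot read.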