Secure data storage


Stian Hole

Greetings,

I am currently planning to write a diary type application using Ruby and
FXruby, and I am therefore looking for a secure way of storing data.
Using plain text files is of course out of the question, but I was
thinking of using SQLite, could that be secure enough? The idea is that
I don't want people to be able to simply view a user's diary entries by
opening a file (preferably, the data should be secured with a password
(and username) defined by the owner).

I am fairly experienced with databases and programming, but rather new
to Ruby and having to think about the fact that other people might be
using my program and therefore unknown people might have direct access to
the computer.

Thanks for any answers, tips and suggestions :)

Best regards,
Stian Hole
 

Michael Gorsuch

I would consider simply building an 'encrypt' method that you call
before saving, and a 'decrypt' to be called while loading.

You can then call these no matter what storage medium you decide to use.
 

Daniel Schierbeck

Stian said:
I am currently planning to write a diary type application using Ruby and
FXruby, and I am therefore looking for a secure way of storing data.
Using plain text files is of course out of the question, but I was
thinking of using SQLite, could that be secure enough? The idea is that
I don't want people to be able to simply view a user's diary entries by
opening a file (preferably, the data should be secured with a password
(and username) defined by the owner).

What platform is your application for? If it's for a UNIX-ish platform
(Linux, OSX, etc.), simple file access control may suffice. If you're
dead serious about it, you can use heavyweight encryption.

Cheers,
Daniel Schierbeck
 

Stian Hole

Daniel said:
Stian Hole wrote:

What platform is your application for? If it's for a UNIX-ish platform
(Linux, OSX, etc.), simple file access control may suffice. If you're
dead serious about it, you can use heavyweight encryption.

Cheers,
Daniel Schierbeck

I think it will probably be used mostly on Win XP computers, however
being a user from both worlds, I probably myself will at least use it
on a unix-ish platform. I do believe it can be possible to store the
data in the profile directory in WinXP, however I am unsure of how
secure this is.
 

J Irving

You could encrypt it under a password.

ezcrypto seems to do what it says on the tin. You need openssl
installed, but once it is, encrypting the content is simple:

require 'ezcrypto'

# Derive a key from the password and salt, then encrypt the text with it
str = "Your private stuffs here"
k = EzCrypto::Key.with_password( "mypassword", "somesalt" )
ciphertxt = k.encrypt( str )

It uses 128 bit CBC AES by default, which should be adequate.

cheers
J
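
The encrypt-before-save and decrypt-on-load pair suggested earlier in the thread, as an added example (not code from any poster, and not ezcrypto's API). It uses Ruby's bundled OpenSSL library, derives the key from the password with PBKDF2 and a random per-entry salt, and swaps in AES-256-GCM in place of the CBC mode mentioned above, so a wrong password or a modified file is detected on load. The module name DiaryCrypto, the constants and the blob layout are assumptions.

```ruby
require 'openssl'

# Added example; DiaryCrypto, the constants and the blob layout are assumptions.
# Stored blob = salt (16) || nonce (12) || GCM tag (16) || ciphertext.
module DiaryCrypto
  SALT_LEN = 16
  IV_LEN = 12
  TAG_LEN = 16
  ITERATIONS = 200_000 # PBKDF2 work factor, slows password guessing

  def self.derive_key(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32,
                               OpenSSL::Digest.new('SHA256'))
  end

  # Call before saving: returns a binary string for a file or a BLOB column.
  def self.encrypt(password, plaintext)
    raise ArgumentError, 'empty entry' if plaintext.empty?
    salt = OpenSSL::Random.random_bytes(SALT_LEN) # fresh per entry
    iv = OpenSSL::Random.random_bytes(IV_LEN)     # never reused under one key
    cipher = OpenSSL::Cipher.new('aes-256-gcm')
    cipher.encrypt
    cipher.key = derive_key(password, salt)
    cipher.iv = iv
    ciphertext = cipher.update(plaintext) + cipher.final
    salt + iv + cipher.auth_tag + ciphertext
  end

  # Call while loading: returns the entry, or nil on a wrong password,
  # a truncated blob or modified data.
  def self.decrypt(password, blob)
    blob = blob.b
    header = SALT_LEN + IV_LEN + TAG_LEN
    return nil if blob.bytesize <= header
    salt = blob.byteslice(0, SALT_LEN)
    iv = blob.byteslice(SALT_LEN, IV_LEN)
    tag = blob.byteslice(SALT_LEN + IV_LEN, TAG_LEN)
    cipher = OpenSSL::Cipher.new('aes-256-gcm')
    cipher.decrypt
    cipher.key = derive_key(password, salt)
    cipher.iv = iv
    cipher.auth_tag = tag
    plain = cipher.update(blob.byteslice(header, blob.bytesize)) + cipher.final
    plain.force_encoding('UTF-8')
  rescue OpenSSL::Cipher::CipherError
    nil
  end
end
```

Because the salt and nonce travel inside the blob, only the password has to be supplied at load time, whatever storage medium holds the result.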
 

Stephan Mueller

* Stian Hole said:
I think it will probably be used mostly on Win XP computers, however
being a user from both worlds, I probably myself will at least use it
on a unix-ish platform. I do believe it can be possible to store the
data in the profile directory in WinXP, however I am unsure of how
secure this is.

If each user has its own database file this should be okay (every user
has to be/should be interested in the privacy of his data anyway).

Of course this will not work in case several users access the same
database file. ;)


Cheers,

Steph.
 
