feat: database encryption using sqlcipher#539
feat: database encryption using sqlcipher#539therajanmaurya wants to merge 1 commit intoopenMF:masterfrom
Conversation
therajanmaurya
force-pushed
the
sqlcipher
branch
from
6f7c6a7 to
3e42929
Compare
|
|
||
| @Override | ||
| protected String getCipherSecret() { | ||
| return "dbflow-rules"; |
There was a problem hiding this comment.
This line of code is the problem, Secret is something that people cannot know. We need to find a way to make it secure.
There was a problem hiding this comment.
I have two ways to implement
- What about if we make the MD5 hash of username and password entered by the user. And save them in the custom data table on the server.
- Add an extra screen and give the user to enter the database encryption key after the login and save then on server and double encrypt the key and save in Shared Preference So no one can get the key other than admin.
There was a problem hiding this comment.
@satyan Suggestion
One of the options could be to use user's password entry to encrypt the key on the client. So you could only decrypt with the help of user.
It adds a layer of entropy to the system. However, could mean that we ask the user for password multiple times..
Android also supports a hardware backed keychain support. You could potentially explore that as well to store the key.
Having a server backed key is a good option too. Except, in offline case, it'd be difficult to obtain. Do not store in shared preferences, as it's stored in a file on the device in clear. Easily obtained.
2 participants
Please make sure these boxes are checked before submitting your pull request - thanks!
Apply the
MifosStyle.xmlstyle template to your code in Android Studio.Run the unit tests with
./gradlew checkto make sure you didn't break anythingIf you have multiple commits please combine them into one commit by squashing them.