7 replies to this topic

[Tonchi]

I have .mdf database in my desktop application. What I want is to make sure that no one can reach the data even if he attach the .mdf file in SQL Management Studio or some other database IDE. I want of that database to be reachable only by my application. How can I do that?

[kernelcoder]

How did you created that file? Is it MySQL database file, MS Access File, MS SQL database file? The chance is that the file is a MySQL one as you the title says. So if it is MySQL, is it contains data only or the schema only or both? In case of MS Access or MS SQL, you can set password to it.

[Tonchi]

It is MS SQL. I know I can set a password but that's not what I want. Looking deep even I know in theory how to hack any password, but just in theory. So every person who knows how to create a semi professional code in any project can broke the password. That's why I have posted on other thread that I want to create my own encryption algorithm to protect my data. The problem is that I can't find anywhere on Google how to do that. I don't trust neither MD5, SHA1 or any other know algorithm

[Luthfi]

There are two ways I can think of to achieve this.

• Encrypt entire .mdf and .ldf files of the corresponding database. Your application is the only one that be able to decrypt the .mdf and .ldf. Therefore your application is responsible to decrypt the files, attach the files to your MS SQL Server, and when finish with the corresponding database it should detach it and then re-encrypt them back.
  
  As you can see, this approach does not protect the content of the database once it's been attached. Because the database still accessible to every concurrent session/user.
  
• Encrypt and decrypt the important values stored in the database on-the-fly. When you UPDATE/INSERT you have to encrypt the supplied values, and when you SELECT you have to decrypt the retrieved values.
  
  This is the most secure, but also the slowest.

Note that MD5 and SHAxx were not encryption algorithm. They're hashing/digesting algorithm.

[Tonchi]

thank you. i will consider your reply

[Luthfi]

No problem. Do you think the approach number 1 could be used for tutorial subject? I am out of idea for my MS SQL tutorials series.

[Tonchi]

Yes ofc

[WingedPanther73]

I have to question why you are doing this. If the data is the customer's data, they will probably want to be able to do reporting against the database, maintenance, etc. Also, "locking" the database prevents them from effectively implementing a backup policy. If your customers want an MSSQL based solution, they are not going to take kindly to you interfering with the process. Also, if you are using MSSQL, it is likely that you are in a client/server situation with multiple clients.

If you really wanted to, you could only store encrypted data in the database, but I think you are trying to do a "bad thing" ™.