E is for encryption
Encryption is the act of encoding data so that it cannot be understood by normal means. To be understood, it needs to be decrypted, and that can only be done by authorised parties.
Did you know?
Cryptography is “hidden or secret writing”; steganography is “covered or concealed writing”. The difference is privacy versus secrecy. Both date back to the classical Greeks with Spartans using the scytale transposition cipher, and Herodotus reported using tattooed messages on a slave’s head hidden by regrown hair.
Clearly, encryption is done to protect data and is often an important part of a security strategy. In the FileMaker Platform, there are many areas where data is encrypted – some of these are optional, others are the standard.
Challenge
Before reading any further, how many areas of FileMaker products can you name that use encryption? Consider all products in the FileMaker Platform.
Encrypted passwords
When you create a FileMaker security account, you specify an account name, password and select a privilege set. The password is encrypted and stored in the file. The encryption method used is a one-way hash, meaning that the stored encrypted password can never be decrypted.
So how does FileMaker Pro check that your password is correct when you log in?
The password you enter is encrypted by the FileMaker client using the same hash used when storing the account password. The your encrypted password is compared with the stored encrypted password, and if they match you are allowed access.
A one-way hash is also used for the FileMaker Server Admin Console password.
Did you know?
Before FileMaker Pro 7, passwords were stored in plain text. Hacking utilities existed that could easily extract passwords from files.
Database (file) encryption
Data stored in a standard FileMaker file is encoded but not encrypted. This means that if you can decode the file, the data is there in plain text. You do not need a password. Of course, you do need access to a physical copy of the file. Maybe you ‘found’ an old backup copy stored on a drive?
Starting with FileMaker 13, database files can be encrypted. This is referred to by FileMaker as Encryption at Rest ( EAR). Using the Developer Utilities in FileMaker Pro Advanced, a file or files can be selected and the option applied to Enable Database Encryption. To do this, you must supply a Shared ID, Full Access account name and password, and an Encryption Password.
The Shared ID is used to link multiple files in a solution.
It is strongly advised that the Encryption Password be complex, and as with other passwords, it is case sensitive. Write it down and store it securely! If you ever lose the Encryption Password for your file, no-one will never be able to access the file again (not even FileMaker Inc.).
When a file is encrypted, the user must enter the Encryption Password to open the file before entering their account credentials. The exception to this is when the file is hosted by FileMaker Server – the server can be authorised to host the file and store the Encryption Password so that users only need their account credentials to access the file. Importantly, closed files or backup copies made by the server are encrypted at rest. So the contents are secure even if someone can access a backup copy.
FileMaker uses AES-256 in CBC mode for file encryption. This is the encryption level required at the highest levels of government for top-secret data.
SSL for network communications
Data transferred from FileMaker Server to a FileMaker client over a network is not secured by default. It is possible to collect and decode packets of data sent. FileMaker Server allows the configuration of SSL with a custom certificate.
Did you know?
The standard FileMaker SSL certificate installed by default on FileMaker Server is intended for test purposes only. A custom SSL certificate is required for production use.
Enabling SSL on FileMaker Server will encrypt network traffic between FileMaker Server and:
- FileMaker clients – FileMaker Pro, FileMaker Go, FileMaker WebDirect
- remote Server Admin Console sessions
It will also encrypt:
- files uploaded from FileMaker Pro to FileMaker Server
- progressive download of interactive container data
It will not encrypt data between FileMaker Server and ODBC sources – this requires SSL configuration on the ODBC source. The same applies for communications withActive Directory or Open Directory for user authentication.
Did you know?
If you use FileMaker Pro as a host (for up to five guest clients), you cannot secure network communications between host and client.
Email notifications and directory services for FileMaker Server can also use SSL to encrypt communications.
Secure container storage
When you specify external storage for a container field, there is an option for secure storage. When this is selected, container data is stored in an obscured folder structure outside of the database file and each document is encrypted.
A typical secure storage folder structure is shown below. There are encrypted files named 2E85 and 112C. The file path is a UUID broken into parts.
The encryption method used for secure container storage depends on whether the file itself is encrypted. For encrypted files, secure container storage uses AES-256 in CBC mode; standard files use AES-128 in CBC mode.
The encryption key is held in the FileMaker file and is needed to decrypt the stored files. Without the FileMaker file, the stored files are not accessible.
FileMaker Go
FileMaker files stored on an iPad or iPhone device in FileMaker Go will be encrypted using the Apple iOS encryption as long as the device is passcode protected. There is nothing required to implement this encryption and the user does not require any encryption keys to access the files. This means that local files on a device are secure if the device is lost or stolen – the passcode is required to copy the files from the device.
Challenge Answer
Five – passwords, files, network traffic, container data and FileMaker Go files. Did you get all these encryption areas before you started reading? Are there any we have missed?
Did you know?
The author, David Head, has presented several FileMaker Security sessions at the annual FileMaker Developer Conference. Last year in Las Vegas, he presented a session titled Cryptography, SSL & the FileMaker Platform.