

Question

I have a customer with an Access database (ugh!) in which credit cards are stored in plaintext (yikes!), so amongst other changes I'm doing in the app, I'm applying some encryption in there.

I've used Rijndael as the algorithm of choice, but I'm struggling to find the correct approach to storing the encryption/decryption key, since an Access database is inherently source-visible. How can I provide decent security on this one to prevent someone grabbing the database (by local access - this machine is NOT Internet connected)? I feel I'm most of the way there, but missing this vital piece of the jigsaw.

Explanation / Answer

You can use a password-based key, which is a similar approach to the PGP method: create a key somehow (random clicks, random numbers, etc.), encrypt it with a password, and store it somewhere. When the user wants to access the DB, he enters the password, which is the key for the DB decryption key file, and then you get the clear password for the DB.

The main idea is to remove the key from the machine itself, and pass it to the user, and meanwhile generate a unique key for each user (computer), so if I have the SW on my computer, I still don't have the key to another's DB.
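
The scheme this answer describes, as an added example that is not part of the original post: each install generates its own random 32-byte data key (the one fed to Rijndael/AES for the card fields), and only a password-wrapped copy is written to disk. Assumptions: the function names, the JSON key-file layout and the iteration count are hypothetical, and to stay within the Python standard library the wrap is an XOR with a PBKDF2-derived pad plus an HMAC check, standing in for AES key wrap or AES-GCM.

```python
import hashlib
import hmac
import json
import secrets

ITERATIONS = 600_000  # assumed work factor; tune to the target machine


def _derive(password, salt, iterations):
    # One PBKDF2-HMAC-SHA512 block: 32 bytes mask the data key, 32 bytes key the MAC.
    okm = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen=64)
    return okm[:32], okm[32:]


def wrap_key(data_key, password, iterations=ITERATIONS):
    """Return the key-file contents: everything needed to unwrap except the password."""
    if len(data_key) != 32:
        raise ValueError("data key must be 32 bytes")
    salt = secrets.token_bytes(16)  # fresh salt per wrap, so the pad is never reused
    pad, mac_key = _derive(password, salt, iterations)
    wrapped = bytes(a ^ b for a, b in zip(data_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).hexdigest()
    return json.dumps({"iter": iterations, "salt": salt.hex(),
                       "wrapped": wrapped.hex(), "tag": tag})


def unwrap_key(blob, password):
    """Recover the data key; raise ValueError on a wrong password or edited file."""
    rec = json.loads(blob)
    salt, wrapped = bytes.fromhex(rec["salt"]), bytes.fromhex(rec["wrapped"])
    pad, mac_key = _derive(password, salt, rec["iter"])
    expected = hmac.new(mac_key, salt + wrapped, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, rec["tag"]):
        raise ValueError("wrong password or tampered key file")
    return bytes(a ^ b for a, b in zip(wrapped, pad))


def new_install(password, iterations=ITERATIONS):
    """Per-machine setup: a key file copied from another install opens nothing here."""
    data_key = secrets.token_bytes(32)
    return data_key, wrap_key(data_key, password, iterations)


def change_password(blob, old, new, iterations=ITERATIONS):
    # Only the wrapper changes; the stored card data is not re-encrypted.
    return wrap_key(unwrap_key(blob, old), new, iterations)
```

The unwrapped data key should live only in memory for the session; what sits next to the database is the JSON blob, which is useless without the user's password.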