This repository contains the code for our A Usable Encryption Solution for File-Based Geospatial Data within a Database File System paper https://www.mdpi.com/2624-800X/4/2/15
Note that the Appendix S figures mentioned in the paper are contained within Appendix D (Security solution use with classical shared folders) in this repository.
Setup ECMSDK
The following YouTube video YouTube video (https://www.youtube.com/watch?v=gR6l1tUspwQ) shows how to start ECMSDK on Windows OS. Please click on video image.
DBFSFileCrypto Package
The DBFS File Crypto package is developed for file encryption decryption solution for use within ECMSDK, an open-source DBFS product. As such, it is coded in Oracle PL/SQL for implementation within the (free) Oracle 11G XE database. However, the code structure can be used to implement the encryption solution within other DBFS products, such as IBM DB2 Content Manager.
The following video demonstrates the use of the encryption-decryption solution.
Initial Encryption-Decryption Scripts to get started
The encryption and decryption scripts in the folder "gettingStartedEncryptionDecryption" will assist in getting started on encryption-decryption within ECMSDK.
Main Encryption-Decryption Script
The source code of the DBFS File Crypto Package first obtains details of single-user and multi-user GIS files specified for encryption by DBFS users and then calls either the encryption or the decryption procedures. The procedures within this package are executed upon GIS-DBFS user session creation and termination in ECMSDK.
The encryption solution consists of three parts, available as separate PL/SQL files
- Catalogs.sql - the database tables storing the encryption keys for single-user and multi-user files.
- ECMSDK_SpatialCrypt.sql - the encryption-decryption solution implemented in this PL/SQL package, and
- ECMSDK_SessionBasedTrigger.sql - the user-session-based trigger that calls the encryption and decryption procedures in the above package.
These tables and the encrypted column definitions are only possible with the Oracle database version 10g Release 2 and onwards.
Script Usage: All three SQL scripts are to be executed by the Database administrator (DBA). The DBA can use a command-line facility, such as SQLPlus, and issue these commands from his or her Oracle account as follows, in this order.
SQL > @Catalogs.sql
SQL > @ECMSDK_SpatialCrypt.sql
SQL > @ECMSDK_SessionBasedTrigger.sql
Additional details are provided in each of the scripts.
Oracle Wallet Setup:
The Oracle wallet can be initialised by issuing the following command, which will: create a wallet, create a master key for the entire database, and open the wallet.
SQL > ALTER SYSTEM SET encryption key identified by "hdgr57fnle39dncv";
Subsequently, after each table creation with an encrypted column specification will cause the TDE to create a separate key for each table.
Additional Appendix material:
Also included is an Appendix (within the Appendix_DBFSSpatialCrypt.pdf file), that includes the following:
- Appendix B - Detailed encryption-decryption times for spatial files within DBFS
- Appendix C - DBFS encryption solution - (showing catalog tables) including Oracle ECMSDK session-based trigger
- Appendix D - Security solution use with classical shared folders
- Appendix E - Security solution implemented within database-driven GIS Web portals & Web maps
- Appendix F - The algorithm pseodocode for the encryption process.
The Appendix Figures prefixed with S in the manuscript (for example, S8 and S9) refer to the corresponding figures in Appendix D, that is Figure D8 and D9.