24 Replies. Latest reply on Apr 7, 2015 11:17 AM by disabled_jackrodgers

    Encryption At Rest on FMS 13 not accessible by FMP12.0v5

    taylorsharpe

      I recently EAR'd an FM13 database that had been accessible on FMS 13.0.5.520 by FMP 12.0v5.  Server is Mac OS X Yosemite 10.10.2.  After EARing it, it seems FMP 12.0v5 cannot open it on the server anymore.  I guess that is expected behavior and I just have to tell those remaining FMP 12 users they have to upgrade?

       

      [attached screenshot: PastedGraphic-1.png]

        • 1. Re: Encryption At Rest on FMS 13 not accessible by FMP12.0v5
          BruceHerbach

          I think you are correct. I believe that EAR is a 13-only feature.

          • 2. Re: Encryption At Rest on FMS 13 not accessible by FMP12.0v5
            taylorsharpe

            EAR is a 13-only feature, but it's between the FMS service and the OS and not the client connections.  The client connections are not EARing anything, only the server.  That is why I was surprised that a hosted database that is EARed is no longer accessible in 12.

            • 3. Re: Encryption At Rest on FMS 13 not accessible by FMP12.0v5
              Mike_Mitchell

              Taylor -

               

              According to Jon Thatcher's DevCon session last year, EAR renders a database unopenable by 12 clients. Don't know if that's in the documentation anywhere, but that's what he said.

               

              Mike

              • 4. Re: Encryption At Rest on FMS 13 not accessible by FMP12.0v5
                taylorsharpe

                I heard the presentation... and, yes, I know FileMaker 12 will not be able to unEAR a database locally.  But in this case, FMP12 is not doing the EARing.  It is FMS13.  I understand you can't open an EARed database with FMP12.  What I did not hear was that FMS13 could not be accessed by a FMP12 client if the FMS13 file is EARed.  After all, a FMP12 client can open an FMS13 file.  That is what I was surprised about.

                 

                I did look at the documentation and it didn't say anything one way or the other.  But I guess the devil is in the details and I made an incorrect assumption. 

                 

                 On the other side of things... I always like to just tell my clients it's time to upgrade.  I prefer them on current versions anyway.

                • 5. Re: Encryption At Rest on FMS 13 not accessible by FMP12.0v5
                  steveromig

                  Perhaps this will clarify things a bit...

                   

                  http://help.filemaker.com/app/answers/detail/a_id/11991/

                   

                  Included in it is mention of older clients not being able to access an encrypted (EAR) file.  So, the behavior you are seeing is expected.

                   

                  Steve Romig

                  FileMaker, Inc.

                  • 6. Re: Encryption At Rest on FMS 13 not accessible by FMP12.0v5
                    Mike_Mitchell

                    Yes, I do too. I'm about to force a few customers onto the latest version in response to their complaints about performance (Perform Script on Server, anyone?).   

                     

                    Thanks for the Knowledge Base link, Steve.

                    • 7. Re: Encryption At Rest on FMS 13 not accessible by FMP12.0v5
                      taylorsharpe

                      Steve, I read that article over and OVER, but thanks for sharing it.  I should have done that earlier and appreciate you providing it.

                       

                      EARing is a process between the hosting service/application and the OS.  That article is VERY clear about only FM13 being able to EAR.  But once the database is EARed and shared by FMS13, what does EARing have to do with the network connection between the client and server?  I'd understand if you're talking about the network cipher (AES 256 bit), but that is not what EARing is about.  EARing is all about storing the database at the OS level in an encrypted state.

                       

                      When you read this article, you understand that the hosting service/application is EARing to the OS.  How in the world does a client that is not hosting the database have anything to do with how data is stored on the OS of the hosting device?  When you understand how EARing works, it makes you question how a networked client has anything to do with a hosted file's storage process to the OS.

                       

                      This article would be more informative if it was amended to be specific about older clients also not being able to read an EARed file from another host that is doing the EARing, even if they aren't doing the EARing.  And also I would be very interested in knowing why, but often such articles don't explain the why, and it doesn't make logical sense to me... albeit with limited information.

                      • 8. Re: Encryption At Rest on FMS 13 not accessible by FMP12.0v5
                        steveromig

                        EARing is a process between the hosting service/application and the OS.  That article is VERY clear about only FM13 being able to EAR.  But once the database is EARed and shared by FMS13, what does EARing have to do with the network connection between the client and server?

                         

                        Nothing.  EAR is only at the file level.  Any encryption done between the client and the server would be handled by technology like SSL and SSL certificates.

                         

                        EARing is all about storing the database at the OS level in an encrypted state.

                         

                        Correct

                         

                        When you read this article, you understand that the hosting service/application is EARing to the OS.  How in the world does a client that is not hosting the database have anything to do with how data is stored on the OS of the hosting device?  When you understand how EARing works, it makes you question how a networked client has anything to do with a hosted file's storage process to the OS.

                         

                        This article would be more informative if it was amended to be specific about older clients also not being able to read an EARed file from another host that is doing the EARing, even if they aren't doing the EARing.  And also I would be very interested in knowing why, but often such articles don't explain the why, and it doesn't make logical sense to me... albeit with limited information.

                         

                        I don't know that I am completely understanding the ask here. 

                         

                        A host isn't doing the EARing, as the file has already been encrypted by the time it gets to any host.  The only thing a host (say Server 13) does is that it prompts you to enter the encryption password the first time the file is opened on the host, so that clients accessing the file do not have to worry about entering any encryption password going forward.  But the host has to be aware of what EAR is, which is why older versions of Pro and Server do not know what to do with an EARed file.

                         

                        Steve Romig

                        FileMaker, Inc.

                        • 9. Re: Encryption At Rest on FMS 13 not accessible by FMP12.0v5
                          BruceHerbach

                          Actually both are opening the file. FMS is hosting it but FM Pro is using it. So both have to deal with the encryption.

                           

                          HTH

                           

                          Sent from my mobile device... Please excuse typos.

                          • 10. Re: Encryption At Rest on FMS 13 not accessible by FMP12.0v5
                            taylorsharpe

                            The host, FMS13, does the EARing between the FileMaker Service and the operating system at the file level.  What I don't understand is why EARing has anything to do with the client-server connection.  The client is not doing the EARing, the host is.  With that assumption, why would FMP12 need the EARing feature if all it has to do is make a network connection to the host server?

                             

                            I disagree that the host is not doing the EARing.  You have to initially encrypt it, which the FMS is not doing and is done ahead of time with FMPA before hosting.  But to host it you also have to decrypt the information arriving at the host from the file system level, and that is a part of EARing too.  And that is why I concluded that FMS is doing EARing.

                             

                            For this reason, when you open a FMS hosted EAR'd file, the client does not have to put the EAR decryption password in.  That is done by the FMS Admin console because FMS is handling EAR decryption.  If you don't have to put the EAR password in on the client and the client only talks to the server via the network and not at a file system level, why is the EARing feature needed on an FMP12 client?  Apparently I don't understand, but that is why I am asking. 

                             

                            Obviously I have made a number of assumption here.  It could be that the FMS host passes the decryption password to the client who then decrypts the entire database before using it.  But I ruled that out because encrypting and decrypting the database over the network is just ridiculously slow compared to file level access by the host that then only provides data to the client as requested.  So I assumed it is the host that does the decrypting... and then encrypting again when it stores the data back at the file level.  With this assumption, I just don't see where the client has anything to do with EARing and therefore why an FMP12 client can't connect to an EAR'd FMS hosted file. 

                             

                            In your last paragraph, you conclude what I do.  Yes, the host has to be aware of the EARed file.  I agree.  Why does the client also have to be aware of it?  I am not asking if FMP12 can open locally an EAR'd file, I'm asking if it can open via a network (TCP/IP, fmnet) the network connection to the hosted file, which I assume has nothing to do with the EARing.  But I'd be very interested in knowing if the fmnet has something to do with EARing and that could be my mistake. 

                            • 11. Re: Encryption At Rest on FMS 13 not accessible by FMP12.0v5
                              taylorsharpe

                              Hope I didn't make Steve mad and make him go away (sorry if I did).... I just know enough about security to know that file-level encryption and network connection encryption are completely different, and if the only way you are connecting is over the network, that should have nothing to do with security at the OS/file level.  Then again, that may be my thinking error.  But thanks for any input you can give, Steve.

                              • 12. Re: Encryption At Rest on FMS 13 not accessible by FMP12.0v5
                                jormond

                                I understand what you mean Taylor. If the file is open on server, it should be able to handle the decryption of the data before it sends it.

                                 

                                However, I believe the request for the data has to tell FMS what data to fetch and decrypt. Something in FMP 13 is clearly sending a command or connection state that is related to the EAR.

                                 

                                I think FMS is not actually EAR'ing...it's DFT'ing ( Decrypting for Transit ) and EIT'ing ( Encrypting In Transit ) if you use SSL.

                                • 13. Re: Encryption At Rest on FMS 13 not accessible by FMP12.0v5
                                  taylorsharpe

                                  Josh gave the first plausible explanation I've heard.  But it is just us guys technically guessing how the security process works.  It would be nice if FileMaker better explained it. 

                                   

                                  But all my questions about FMP12 not connecting... it's all a bit moot with FMS13.0v9.  So... just telling them all to upgrade to 13.0v9 on clients if they want to connect to my server for development.  Fun fun explaining that.  I upgraded tonight after everyone was off and expect a bunch of calls in the morning <grin>.

                                  • 14. Re: Encryption At Rest on FMS 13 not accessible by FMP12.0v5
                                    Mike_Mitchell

                                    The interesting part is I remember some discussion at DevCon having to do with EAR not significantly affecting performance because the database is decrypted at the server and then cached. My notes from Jon Thatcher's session indicate that each block is decrypted by the Draco engine when it's read into the RAM cache, then re-encrypted when written to disk.

                                     

                                    Clay Maeckel mentioned during the performance panel that EAR doesn't hit you too hard on performance for this reason. Once the packets are decrypted into the cache, they stay decrypted and are read from there. So it's a bit of an interesting topic.
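The split that Steve describes in reply 8 (EAR is only at the file level, the host takes the encryption password once, anything on the wire is SSL's job) and the cache behaviour Mike reports from Jon Thatcher's session in reply 14 (blocks decrypted into the RAM cache, re-encrypted on write) can be modelled in a short program. The Go code below is an added example written for this page; it is not FileMaker code and says nothing about FileMaker's real file format or its fmnet protocol. The record-per-block layout, the nonce-prefixed AES-GCM blocks and the iterated SHA-256 key derivation (a stand-in for a proper password KDF such as PBKDF2 or Argon2) are all assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile models a database encrypted at rest: a KDF salt plus one
// independently authenticated ciphertext per block. This layout is a
// hypothetical one for the example, not FileMaker's on-disk format.
type EncryptedFile struct {
	Salt   []byte
	Blocks [][]byte // each block is nonce || AES-GCM ciphertext+tag
}

// deriveKey turns the encryption password into a 32-byte AES-256 key.
// Iterated SHA-256 is an assumed stand-in for a real password KDF.
func deriveKey(password string, salt []byte) []byte {
	key := sha256.Sum256(append([]byte(password), salt...))
	for i := 0; i < 100000; i++ {
		key = sha256.Sum256(append(key[:], salt...))
	}
	return key[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBlock encrypts one block under a fresh random nonce.
func sealBlock(aead cipher.AEAD, plain []byte) []byte {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return append(nonce, aead.Seal(nil, nonce, plain, nil)...)
}

// openBlock authenticates and decrypts one block; a wrong key fails here.
func openBlock(aead cipher.AEAD, sealed []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("block too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

// EncryptFile is the one-time step done before hosting: every record
// becomes a block sealed under the password-derived key.
func EncryptFile(password string, records []string) (*EncryptedFile, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	aead, err := newGCM(deriveKey(password, salt))
	if err != nil {
		return nil, err
	}
	f := &EncryptedFile{Salt: salt}
	for _, r := range records {
		f.Blocks = append(f.Blocks, sealBlock(aead, []byte(r)))
	}
	return f, nil
}

// Host models the server: the only party that ever holds the key. Clients
// talk to its plaintext cache and never see the password or the ciphertext.
type Host struct {
	file  *EncryptedFile
	aead  cipher.AEAD
	cache []string
}

// OpenOnHost is the admin-console step: the password is entered once, on the
// server. This model decrypts every block into the cache up front; a real
// engine would do it per block as each is read. A wrong password fails GCM
// authentication on the first block and the file is not opened.
func OpenOnHost(f *EncryptedFile, password string) (*Host, error) {
	aead, err := newGCM(deriveKey(password, f.Salt))
	if err != nil {
		return nil, err
	}
	h := &Host{file: f, aead: aead}
	for i, b := range f.Blocks {
		plain, err := openBlock(aead, b)
		if err != nil {
			return nil, fmt.Errorf("block %d: wrong encryption password or corrupt block", i)
		}
		h.cache = append(h.cache, string(plain))
	}
	return h, nil
}

// Fetch is what a networked client receives: plaintext from the cache.
// Protecting it on the wire is the transport's job (TLS), not the file's.
func (h *Host) Fetch(i int) (string, error) {
	if i < 0 || i >= len(h.cache) {
		return "", errors.New("no such record")
	}
	return h.cache[i], nil
}

// Write updates the cache and re-seals only that block back to "disk".
func (h *Host) Write(i int, value string) error {
	if i < 0 || i >= len(h.cache) {
		return errors.New("no such record")
	}
	h.cache[i] = value
	h.file.Blocks[i] = sealBlock(h.aead, []byte(value))
	return nil
}

func main() {
	f, _ := EncryptFile("s3cret", []string{"alice", "bob"}) // constructed sample data
	if _, err := OpenOnHost(f, "wrong"); err != nil {
		fmt.Println("host refused:", err)
	}
	h, _ := OpenOnHost(f, "s3cret")
	h.Write(1, "carol")
	v, _ := h.Fetch(1)
	fmt.Println("client sees:", v)
}
```

Running it, the open with the wrong password is rejected by the host's GCM check, while a client calling Fetch gets plaintext without ever holding a key. Nothing in this model requires the client to know about at-rest encryption at all, which is exactly the point the thread leaves unresolved; the model only shows that the file-level and transport-level layers are separable in principle, not what FileMaker's client and server actually negotiate.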
