FileMaker Encryption With BaseElements

We here at DB Services love the BaseElements plugin. In fact we love it so much we decided to sponsor the development of HTTP POST in the plugin back at the beginning of 2012. Since then, we've used the HTTP POST functions in many web service integrations and are thankful for Goya's continued contributions to the FileMaker community with this Swiss-army-knife-esque, open-source plugin.

Just as we've needed HTTP POST many times over the years, we've also needed field-level encryption. So, as history tends to do, we repeated ourselves by sponsoring the development of the plugin again, but this time for encryption functions. The latest beta version of the BaseElements plugin (2.3 as of 4/23/2014) now includes a set of AES encryption functions that can be used to encrypt text fields in a FileMaker database.

Where Encryption Fits

The new encryption functionality in the BaseElements plugin allows you to securely store sensitive data, such as credit card numbers and SSNs (ideally you wouldn't store this data, but if need be, encryption is an important component of PCI and HIPAA compliance). Encrypting the entire database at rest, using FileMaker Pro 13 Advanced's new file-level encryption, is also important in protecting sensitive data, but will not help you once a user has the database open. Encrypting at the field level prevents unauthorized users from accessing sensitive data in open FileMaker files, whether that be from exporting records, checking out a field value in Data Viewer, or accidentally stumbling upon a developer layout displaying the field.

If you have a FileMaker system that could benefit from a tighter security policy, contact us to discuss helping you add encryption to your system using the BaseElements plugin.

New Functions Sponsored by DB Services

1. BE_Encrypt_AES( key ; text ). Does what it says on the tin: it encrypts a piece of text using the AES-256 bit encryption algorithm. AES is an industry-standard encryption algorithm developed by the National Institutes of Standards and Technology (NIST). The function outputs the results as a Base64-encoded string, so it can be stored in a text field.
2. BE_Decrypt_AES( key ; text ). The opposite of encrypting, decrypting takes the encrypted string and outputs back the original piece of text. You must use the same key you used to encrypt.

A Couple Things to Note

• Key length. From a functionality perspective, the length of the key doesn't matter: the plugin will work no matter how long the key is. My understanding is that the plugin will take whatever you pass as the key, MD5 hash it and use of first 256 bits of the hash as the real key, guaranteeing that the key is always 256 bits (AES-256 requires 256-bit keys). Despite the wonderful user-friendliness here, we strongly recommend you use a key of sufficient length and randomness, such as a UUID. The MD5 hashing doesn't increase the security of the encryption if an attacker uses the BaseElements plugin to try and guess the key.
• Initialization vectors. People familiar with AES will no doubt wonder why the functions don't include an argument for an initialization vector (IV). The plugin doesn't support IVs at this time. IVs add an extra layer of security to the encryption, by giving different output for the same input. In other words, if you encrypt “abc” twice, you will get two different results, as long as you use two different initialization vectors. Decrypting these two different results would give back “abc” as expected. IVs protect against dictionary attacks and rainbow tables, and also slow down brute-force attacks. These are the same protections you get when you salt a password before hashing it. IVs can be thought of as salts for encryption.

If you are interested in sponsoring the plugin yourself, or donating to the cause, check out the BaseElements Plugin Donations and Sponsorship page. Nick at Goya is a pleasure to work with and is very timely in responding to questions and requests.

We hope to see more of the FileMaker community sponsoring and contributing to the BaseElements plugin. FileMaker plugins on GitHub are like custom functions on BrianDunning.com: The more plugin code available to the community, the better off the community at large will be. Open source is a rising tide that lifts all boats!