1 Introducing Oracle Berkeley DB Security

Welcome to the Oracle Berkeley DB Security Guide. Berkeley DB is a general-purpose embedded database engine capable of providing a wealth of data management services. It is designed for high-throughput applications requiring in-process, bullet-proof management of critical data. Berkeley DB can gracefully scale from managing a few bytes to literally terabytes of data.

You use Berkeley DB through a series of programming APIs, which give you the ability to read and write your data, manage your database(s), and perform other advanced activities, such as managing transactions. Because Berkeley DB is an embedded database engine, it is extremely fast. You compile and link it to your application in the same way as you would any third-party library. This means that Berkeley DB runs in the same process space as does your application, allowing you to avoid the high cost of interprocess communications incurred by stand-alone database servers.

Be sure to run the db_verify utility on any Berkeley DB file provided by another party before doing anything else with it. This also applies if you have any reason to believe that a Berkeley DB file is corrupt, or that it may not be a valid Berkeley DB file. See the Oracle Berkeley DB Standalone Utilities Guide for more information about db_verify.

Security within Berkeley DB is achieved primarily through the use of encryption. The encryption support provided with Berkeley DB is intended to protect data from an attacker who has obtained access to the media on which a Berkeley DB database is stored. However, it will not protect applications from attackers who are able to read system memory on the system where Berkeley DB is running. Other measures outside of Berkeley DB (and hence beyond the scope of this document) are required to provide this kind of system security.

Berkeley DB distribution packages including the letters "NC" in the package name do not offer encryption. If you need encryption, ensure that you have downloaded the correct package and that you are following all legal requirements for encryption.

Assuming you have a package that allows encryption, cryptography is enabled for Berkeley DB base libraries, and disabled when building the optional Berkeley DB SQL and JDBC libraries. It you want to change the defaults, see the configuration flag "--with-cryptography" in the Oracle Berkeley DB Installation and Build Guide for more information.

You can configure security for your Oracle Berkeley DB installations by following the steps detailed in the chapters below.