An application can use the Keychain as persistent storage for a database encryption key through the APIs defined by the SUPKeyVault class.
The SUPKeyVault class controls storing a key in the keychain, retrieving a key from the keychain, encrypting and decrypting a key with an application PIN, locking and unlocking a key vault with a PIN, and PIN management. An application explicitly retrieves and saves a database encryption key using the SUPKeyVault APIs, then sets the retrieved encryption key on SUPConnectionProfile.
    SUPKeyVault *keyVault = [SUPKeyVault getSUPKeyVault:MESSAGING_VAULT_ID];
    // keyVault must be unlocked by the application before the connection to the server.
    if ( [keyVault isLocked] ) {
        // Get the PIN from the user through the ENTER PIN dialog
        // Now unlock the KeyVault with the PIN
        result = [keyVault unlock: pin];
        if ( result == error ) {
            // Take necessary actions
        }
    }
    NSData *dbKey = [keyVault key];
    // Start up the Sybase messaging client after the keyVault is unlocked.
    NSInteger result = [SUPMessageClient start];
    if (result == kSUPMessageClientSuccess) {
        ...
    }

    // Set the retrieved database encryption key on the connection profile.
    SUPConnectionProfile *cp = [SampleApp_SampleAppDB connectionProfile];
    [cp setEncryptionKey:dbKey];

    // Save the key to the key vault; this is only done while the vault is unlocked.
    if ( ![keyVault isLocked] ) {
        [keyVault setKey:dbKey];
    }