Channel: Justin Shafer

Eaglesoft's automatic machine specific AES-256 encryption


I thought I would make a blog post about the new Eaglesoft AES-256 encryption that is new in Eaglesoft 21 and seems to happen automatically, at least with versions 21.20.7 and 21.20.8.

https://pattersonsupport.custhelp.com/app/answers/detail/a_id/20847/~/install%2Fmove-data-to-a-new-server

"Note: For offices that have encrypted their data using AES-256 encryption in version 21 and above, please work with our support department prior to moving your data to a new server. It is recommended that you decrypt your data first, move the data to the new server, and then encrypt the data again once it is on the new server. If this is not done, your Eaglesoft Server likely will not start on the new server due to machine specific information in the encryption"



I was on the phone with support because I couldn't get a new workstation to authenticate correctly with the server. The office recently changed ownership, so the office license had changed and the license txt files on the server were wrong. I also asked why the Patterson App Server showed a lock, because I had seen it before.


She said the version we are using, once installed, will encrypt the database in the background automatically. She said sometimes it fails, and then the support people have to fix it. She sighed. =)

I.. assumed.. that the AES-256 bit encryption was based off the license but this morning I was bored so I decided to read up on this and I see some of this is based off of Machine Specific Encryption.

Basically, the computer encrypts the data, but part of the key is a randomly generated key that is part of your computer when Windows is installed. C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

If I encrypt a file with DPAPI (Microsoft Data Protection API), the file cannot be transferred to another computer. How is Patterson encrypting the data? One program that is handy is Nirsoft's, and it will work on Dentrix's dtx.config but will not encrypt it on a new machine. I wrote a tool to do that, though. I wonder if that tool will work on the Eaglesoft database.

https://www.nirsoft.net/utils/dpapi_data_decryptor.html
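
The machine-bound behaviour of DPAPI mentioned above can be checked before a server move. This is an added example, not code from the original post or from Patterson, and it does not assume Eaglesoft uses DPAPI (the post leaves that open). The function names, file name and sample secret are hypothetical and constructed for illustration.

```powershell
# Added example: DPAPI machine-scope round trip plus a "can this host decrypt it?" check.
# Requires Windows. Function names and the sample secret are hypothetical.
Add-Type -AssemblyName System.Security

function Protect-MachineBlob {
    param([Parameter(Mandatory)][byte[]]$Plain, [byte[]]$Entropy)
    # LocalMachine scope: any account on this machine can unprotect the result,
    # but the protecting master key stays on this Windows installation.
    $blob = [System.Security.Cryptography.ProtectedData]::Protect(
        $Plain, $Entropy,
        [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
    return ,$blob   # leading comma keeps the byte[] from being unrolled
}

function Test-MachineBlob {
    param([Parameter(Mandatory)][byte[]]$Blob, [byte[]]$Entropy)
    try {
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect(
            $Blob, $Entropy,
            [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Decryptable = $true
            PlainLength = $plain.Length
            Error       = $null
        }
    } catch {
        # Unprotect throws when this host does not hold the master key
        # that produced the blob (or the blob/entropy is wrong).
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Decryptable = $false
            PlainLength = 0
            Error       = $_.Exception.Message
        }
    }
}

# Constructed sample secret standing in for key material (not Eaglesoft's format).
$secret = [Text.Encoding]::UTF8.GetBytes('constructed-sample-key-material')
$path   = Join-Path $env:TEMP 'dpapi-sample.bin'
[IO.File]::WriteAllBytes($path, (Protect-MachineBlob -Plain $secret))

# Run the check on the source host, then copy the file to the intended
# new server and run the same check there before relying on a file-level backup.
Test-MachineBlob -Blob ([IO.File]::ReadAllBytes($path))
```

A blob that reports `Decryptable` as false on the new host can only be recovered on the original Windows installation or on a restored system image of it.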

Because MANY people will NOT "decrypt the data" before moving to a new server. Let's say the server dies, and so... we restore from backup. The backup may be encrypted with machine specific encryption? Long story short, is the encryption key based off your license or machinekey and stored on the cloud somewhere???? Does Patterson back up our encryption keys on their Amazon server???? Maybe restore system image backup to virtual machine, decrypt, then move. Yuck.


Hopefully these are the encryption keys..... and hopefully Eaglesoft knows how to read these files regardless of what computer they are on????? And if that is the case, doesn't that mean this encryption kind of... sucks? Let's say this IS AES256 bit encryption but the key is in the data folder. So if you copy the entire DATA folder to an unencrypted USB Drive... would you tell patients the data is encrypted IF in the end, it can be decrypted by figuring out how keyfile.cfg and keybackup.data work???? Maybe you need the license????? WHO KNOWS. Having documentation would be nice.



Sure would be nice to know HOW to decrypt the data.... I don't see it in TechAid. Maybe it is the "Copy DB and Log to C:\Hold".. Not really sure.



And let's say some people ONLY back up the DATA folder on the Eaglesoft Server to a USB Drive. Traditionally that was safe, but now I wonder. Without knowing the Machine Key, is your data unreadable?

And the old encryption.. maybe wasn't that great. 

https://pattersonsupport.custhelp.com/app/answers/detail/a_id/20069/~/encryption?

I am creating a test server and doing an Eaglesoft migration. Maybe I figure out how this works.

