
Safe sources with the debug encryption key

For companies that distribute and install their software on customers’ systems, it is obviously not advisable to leave their sources “unattended” on those systems.
But even without installing the sources, a “smart” user could access the code by simply starting a debug session for programs compiled with the DBGVIEW (*SOURCE / *LIST / *ALL) options, which embed source into the program object. On the other hand, compiling programs without this option complicates debugging operations (which inevitably happen sooner or later …).
Since 7.1, IBM has made available a new option on all ILE program and module compile commands: the Debug encryption key (DBGENCKEY) parameter allows you to specify a source encryption key, a sort of “password” that lets you distribute perfectly debuggable programs without allowing others to access the source code (unless they know the encryption key).
Let’s compile a program specifying this option:

                Create SQL ILE RPG Object (CRTSQLRPGI)              

Type choices, press Enter.    

Print file . . . . . . . . . . .   QSYSPRT       Name                          
  Library  . . . . . . . . . . .     *LIBL       Name, *LIBL, *CURLIB          
Debugging view . . . . . . . . .   *source       *NONE, *SOURCE                
Debug encryption key . . . . . .   DeBuGKey                                    
User profile . . . . . . . . . .   *NAMING       *NAMING, *USER, *OWNER        
Dynamic user profile . . . . . .   *USER         *USER, *OWNER                 
Sort sequence  . . . . . . . . .   *JOB          Name, *JOB, *HEX, *JOBRUN...  

Like all passwords, the debug encryption key is also case-sensitive.
To “cheat” the debugger we now rename the source; otherwise, since the program was compiled on the same system and the source exists, the debug session would normally start with the source view.

RNMM FILE(MDUCA1/QRPGLESRC) MBR(TESTR06) NEWMBR(TESTR06$)

When we start the debug session for this program, the encryption key is required:

                      Enter Decryption Key      

Source file  . . :   QCLSRC           Module . . . . . :   TESTR06          

Source library . :   MDUCA1           Library  . . . . :   MDUCA1         
                                                                              
Source member  . :   TESTR06                              
                                                                                              
Current View:   ILE RPG Listing View                    
                                                                                                
Type Decryption Key, press enter.                                    
                                                                                   
                                                                  Bottom    
F3=Exit   F12=Cancel   

If you do not enter the key, you are only allowed a “blind” debug:

                        Display Module Source             

Program:   TESTR06        Library:   MDUCA1         Module:   TESTR06                                                                               

  (Source not available.)                                                 

The request screen allows a maximum of three attempts to enter the key; after three errors the key is no longer requested and you go directly into “blind” debug mode.
Thanks to this feature, you can safely start local or remote debugging sessions without the risk of someone snooping in your code.

About author

Senior IBM i Analyst/Developer and technical writer. Former collaborator of the Italian edition of "System i News" magazine and author of several publications about tools and development practices for the IBM i platform.
