Hacking an encryption key
Message
From
29/07/2022 14:19:44
 
 
To
20/05/2022 12:19:40
General information
Forum: Visual FoxPro
Category: Coding, syntax & commands
Miscellaneous
Thread ID: 01684386
Message ID: 01684738
Views: 115
You should describe the threat case in more detail:
persistent RO/RW tables ?
or only tables/cursors created on the fly ?
OS protection possible ?
OS encryption possible ?
How easy is it to fudge with the VFP app ?
compiled exe ?
at least in secure area ?

>I am using a utility in Rick Strahl's classes to encrypt data strings. Works fine. The utility eventually calls .Net encryption routines.

Have not worked with those. Company used a product encrypting some fields on disc - looked nice from the outside. As decrypt hooked directly into data engine, any backdoor code added could access the whole open table and export to SDF with a single line ;-))

But that threat is also available if you are hooked into a solid SQL encrypted and secured backend. Depending on # of users and their data needs employing restrictions in the amount of data they CAN query might not avoid all data loss, but limit it to small batches if breached.
>
>My question is: what would a person need for tools to be able to get the key for the encryption? My key is made up of a long "base" and then for each record in a table, it is unique. Of course, this key gets assembled right before each call into one string.
>
>Is there a way to capture this key even if it is in memory as a var just long enough to call the encryption/decryption routine? If so, what tool would do that? And does the hacker need my source code in order to step through the code to stop on the line that assembles the key? Or can someone just capture every line as it executes and look at the results with some low level debugger?
>
If you have a bad apple inside your app's domain with a copy of VFP, it is a matter of minutes to get the debugger working inside the exe code even if they did not invest in Refox. If there is enough reward to hack at all, he will copy the exe, spend the few $ to Refox your exe, analyze at home, patch and replace are worth it in saved H alone.

my 0.022
thomas