[quote author="fluca1978" date="1316768049"]I don't agree with this statement. While there is sensible data that must be always encrypted, like the user password or alike, not all the data can and must be encrypted.[/quote]
Not all data concerning the application has to be encrypted - but all data concerning the software protection has to (no exceptions), independent of its location (memory or disk). That's what we are talking about here, aren't we? ;-)
Unencrypted (or non-obfuscated) data is extremely easy to spot, especially if the structure is known (for date strings, SYSTEMTIME structures or QDateTime objects). And as soon as I have found out where in memory or on disk your software protection data resides, it is again extremely easy to change it if it is not encrypted or signed.
[quote author="fluca1978" date="1316768049"]... if you don't trust your operating system at all then maybe you should not develop a desktop application.[/quote]
It's all about domains here. The application domain is something I do control, the operating system domain is something that I do not control. I cannot influence or foresee what happens to data as soon as it passes the domain border.
If I pass any unencrypted data (for example the installation date) to the operating system, it can be tapped and modified easily. All the attacker has to do is to install a simple hook. If the data is encrypted inside the (well defended) application, the attacker has to break into the application first and then deal with the encryption. That's a huge difference. And that's the difference between cracked and non-cracked software.
You cannot trust something you do not control.
[quote author="fluca1978" date="1316768049"]Beside the cpu time spent to do the encryption/verification,...[/quote]
That's a non-issue. When doing disk-to-memory encryption/decryption the disk will always be the bottleneck, when doing memory-to-memory encryption/decryption using the right algorithm it is measurable at best, but usually not noticeable - especially when encryption/decryption is done in hardware (Intel Westmere and AMD Bulldozer upwards, increasing number of SoCs).
[quote author="fluca1978" date="1316768049"]Until you are developing an application for the FBI, retrieving an encrypted item price from a database in an intranet environment is too much. Set up an SSL to the database instead, or use a VPN, or something else. [/quote]
If we buy into statistics, up to 80% of the attacks on the IT infrastructure are done by people inside the company. So if you are handling business critical data (internal price lists are business critical data) or individual-related data, you are (legally) obligated to protect them. We have had a recent "example":http://www.rechargenews.com/energy/wind/article278112.ece of what a single person can do to a multi-million dollar company.
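As an added illustration of the "encrypted or signed" point above (example code, not from the original thread): a protection record such as the installation date is stored with an HMAC tag computed inside the application, so a plaintext edit of the stored copy is detected on load. The key value and record fields are constructed placeholders.

```python
import hashlib
import hmac
import json

# Assumption: the application holds this key internally; constructed placeholder
# value for the example only, never a key to ship.
APP_KEY = b"constructed-example-key-do-not-use"


def seal_record(record: dict, key: bytes = APP_KEY) -> bytes:
    """Serialize a protection record and append an HMAC-SHA256 tag.

    The tag binds every field, so changing e.g. the installation date in the
    stored copy invalidates the blob unless the attacker also holds the key.
    """
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def open_record(blob: bytes, key: bytes = APP_KEY):
    """Return the record if its tag verifies, otherwise None.

    compare_digest is used so the check does not leak timing information
    about how many tag bytes matched.
    """
    body, sep, tag = blob.rpartition(b".")  # tag is hex, so it contains no '.'
    if not sep:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def demo() -> bool:
    """Round-trip a constructed record and show that an edited copy is rejected."""
    record = {"installed": "2011-09-23", "license": "trial"}
    blob = seal_record(record)
    intact = open_record(blob) == record
    # Simulate the stored copy being edited on disk: the plaintext year changes
    # but the tag does not, so verification must fail.
    edited = blob.replace(b"2011", b"2099")
    return intact and open_record(edited) is None


if __name__ == "__main__":
    print("tamper check works:", demo())
```

This only gives integrity, not confidentiality; keeping the record readable still lets someone spot it, which is why the post also argues for encrypting it.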