Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

Administration
Release Notes

All

All

Advanced Topics

Encryption Flow

Please Note:

Administration
Quick Start
Alternative installation methods
- Silent Installation
- Install CDP for DB2 on IBM DB2 pureScale
- Install CDP for DB2 on IBM PureData System for Transaction
- Install CDP using Chef Scripts
Tasks
- Encrypt a column
- Decrypt a column
- Re-encrypt data with new key
- Delete data after encryption or decryption
- Configure column-level encryption settings
- Delete views and triggers
- Altering encrypted tables
  - Add unencrypted column
  - Add column to encrypt
  - Delete decrypted column
  - Delete encrypted column
  - Resize unencrypted column
  - Resize an encrypted column
  - Grant/revoke table and column permissions
- View job history
- Recreate view and triggers
- Download keys from CipherTrust Manager
- Upgrade CDP
- Uninstall CDP
- Install Unrestricted JCE Policy Files
- Configure SSL connection
- Install Files for Client Certificate Authentication
Advanced Topics
- Planning Encryption
  - Standard Encryption
  - Format Preserving Encryption
- Encryption Flow
- Key caching
- Tables and Views
- Database objects
  - UDFs for Non-FPE
    - How to Call Direct DB2 UDFs for Non-FPE Algorithms
  - UDFs for FPE
    - How to Call Direct DB2 UDFs for FPE Algorithms
  - Stored Procedure
- Configuration Parameters
  - Network Configuration Parameters
  - Connection Configuration Parameters
  - Local Encryption Configuration Parameters
  - SSL Configuration Parameters
  - Logging Configuration Parameters
- User Mapping
- Error Replacement
Tips and Best Practices
Troubleshooting
FAQs

CDP for DB2
Administration
Advanced Topics
Encryption Flow

Encryption Flow

Encrypting a column involves following phases:

Pre-encryption phase

In this phase, the system:

Adds an empty column (column_NEW) to hold encrypted values to the base table.
Adds a column (ING_ROW_ID) and fills unique value for each row in this column.
Note
This step could take several minutes depending on the number of rows in the table.
Adds an empty column (column_IV) to hold initialization vectors to the base table, if applying IVs at the field level.
Creates views to select data from the table.
Creates triggers to insert and update data in the table.

Encryption phase

In this phase, the system:

CipherTrust Manager or pdbctl utility converts column plaintext value to ciphertext.
Returns encrypted values to the column_NEW column in the base table.
If the column-level IV is applied, then sets the initialization vectors to the column_IV column.

After the encrypted data is returned to the base table, the pdbctl utility creates the views and triggers that will automate future encryption and decryption operations. These views and triggers use stored procedures to interact with the SafeNet KeySecure behind the scenes to perform cryptographic operations on the base table without explicit instructions from the database user. Authenticated applications outside the database can query and update the tables as before, without any modification.

On this page

CDP for DB2

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Support Contacts
- Text Conventions
Legal

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com