Please Note:

Administration
Quick Start
Alternative installation methods
- Silent Installation
- Install CDP for DB2 on IBM DB2 pureScale
- Install CDP for DB2 on IBM PureData System for Transaction
- Install CDP using Chef Scripts
Tasks
- Encrypt a column
- Decrypt a column
- Re-encrypt data with new key
- Delete data after encryption or decryption
- Configure column-level encryption settings
- Delete views and triggers
- Altering encrypted tables
  - Add unencrypted column
  - Add column to encrypt
  - Delete decrypted column
  - Delete encrypted column
  - Resize unencrypted column
  - Resize an encrypted column
  - Grant/revoke table and column permissions
- View job history
- Recreate view and triggers
- Download keys from CipherTrust Manager
- Upgrade CDP
- Uninstall CDP
- Install Unrestricted JCE Policy Files
- Configure SSL connection
- Install Files for Client Certificate Authentication
Advanced Topics
- Planning Encryption
  - Standard Encryption
  - Format Preserving Encryption
- Encryption Flow
- Key caching
- Tables and Views
- Database objects
  - UDFs for Non-FPE
    - How to Call Direct DB2 UDFs for Non-FPE Algorithms
  - UDFs for FPE
    - How to Call Direct DB2 UDFs for FPE Algorithms
  - Stored Procedure
- Configuration Parameters
  - Network Configuration Parameters
  - Connection Configuration Parameters
  - Local Encryption Configuration Parameters
  - SSL Configuration Parameters
  - Logging Configuration Parameters
- User Mapping
- Error Replacement
Tips and Best Practices
Troubleshooting
FAQs

CDP for DB2
Administration
Advanced Topics
Planning Encryption
Standard Encryption

Standard Encryption

The standard encryption converts the plaintext to encrypted data without retaining the format of the plaintext.

Supported Algorithms for Standard Encryption

AES (key sizes of 128, 192, and 256 bits)
DES-EDE (key sizes of 128 and 192 bits)
SEED (key sizes of 128 bits)
ARIA (key sizes of 128, 192, and 256 bits)

It is recommended to use an 256 bit AES key or a 192 bit DES-EDE key, as these ciphers are stronger than the others.

The chosen encryption algorithm limits the size of the plaintext data that can be encrypted. Refer to Length of the Plaintext Column for details.

Applying Initialization Vectors

When using an algorithm in CBC mode, an Initialization Vector (IV) can be applied at the field–level or at the column–level. When applying IVs at the field–level, a unique IV is used for the encryption of each field. In this case, a new column is added to the table. When IV is applied at the column–level, there is only one IV per column, and that IV is stored in a separate metadata table.

It is preferable to apply IVs at the field–level if encrypting values that might be identical. For example, when encrypting names, if two people in the table have the same name, those names encrypt to the same value if the same IV is applied for both encrypt operations. If, however, a different IV is applied for the two encrypt operations, then the encrypt operations yield different results. Field-level encryption offers an even higher level of security because the IVs are different for every value being encrypted.

However, be aware that applying IVs at the field–level might cause a significant performance disadvantage when doing an exact search. When IVs are applied at the field–level, the search value can’t be encrypted, which means that all rows being searching through must be decrypted. When encrypting values that are unique, like credit card numbers or social security numbers, it is recommended that IVs are applied at the column–level.

Options for the IV field of the Column Properties section are as follows:

user-specified IV for column – Supply a single IV for an entire column.
random IV for column – The NAE Server provides one randomly generated IV that is used to encrypt all values in a column.
random IV for each field – The NAE Server provides a randomly generated IV for each value in a column. With this option, the Key Manager adds a column for the IV to the base table.

Padding

The CipherTrust Manager automatically selects a padding scheme before data is migrated. One of two methods are used:

PKCS#5 Padding – This scheme is almost always used when encrypting with symmetric keys (AES, DES-EDE, and ARIA).
No Padding – This scheme is used when the column’s data type is CHAR or CHARACTER and the column’s original width is an exact multiple of the encryption block size.

Replacement Values

If a database user attempts to access encrypted data to which they do not have decryption permission, the system returns an error message. The content of those permission-related errors can be specified using the replacement values feature. Refer to Error Replacement for details. Use the Decryption Behavior for Users with Insufficient Permissions field on the Column Properties section to specify that the system return a specific value, a null value, or the original standard error.

Replacement vales are not returned if a query yields a NULL value. When a query results in a NULL value, no cryptographic process is required, so SafeNet ProtectDB does not interact with the NAE Server and the replacement values feature is not activated.
After setting up the error replacement value, views and triggers must be recreated for the changes to take effect.

Space Requirements Considerations

Consider the following things when allotting space for an encrypted solution:

Algorithm to use to encrypt data
Whether to use field–level or column–level IVs
Whether the table needs an identity column

Suggest A Change

Standard Encryption

Supported Algorithms for Standard Encryption

Applying Initialization Vectors

Padding

Replacement Values

Space Requirements Considerations

On this page