All the information related to keys and encryption is encapsulated by the create encryption key statement, which lets you specify the key’s name, the encryption algorithm, the key size, whether the key is the database default, and whether an initialization vector or padding is used during encryption. The create encryption key syntax is given below.
Column encryption in Adaptive Server uses the Advanced Encryption Standard (AES) symmetric key encryption algorithm, with available key sizes of 128, 192, and 256 bits. Random-key generation and cryptographic functionality are provided by the Security Builder Crypto API.
You can create separate keys for each encrypted column. Keys can be shared between columns, but each column can have only one key.
The System Security Officer can set up a default encryption key for the database. The default key is used whenever the encrypt qualifier is used without a key name on create table, alter table, and select into. For more information, see “Syntax for create encryption”.
To protect key values, Adaptive Server uses the system encryption password to generate a 128-bit key-encrypting key, which in turn encrypts the newly created key (the column-encryption key). The column-encryption key is stored in encrypted form in the sysencryptkeys system table.
Figure 2: Encrypting user keys
The syntax for create encryption key is:
create encryption key keyname [as default] for algorithm [with [keylength num_bits] [init_vector [null | random]] [pad [null | random]]]
where:
keyname – must be unique in the user’s table, view, and procedure name space in the current database.
as default – allows the System Security Officer to create a database default key for encryption. This enables the table creator to specify encryption without using a keyname on create table, alter table and select into. Adaptive Server uses the default key from the same database. The default key may be changed. See “alter encryption key”.
algorithm – Advanced Encryption Standard (AES) is the only algorithm supported. AES supports key sizes of 128, 192, and 256 bits, and a block size of 16 bytes. The block size is the number of bytes in an encryption unit; data larger than one block is subdivided for encryption.
keylength num_bits – the size, in bits, of the key to be created. For AES, valid key lengths are 128, 192, and 256 bits. The default keylength is 128 bits.
init_vector
random – specifies use of an initialization vector during encryption. When the encryption algorithm uses an initialization vector, the ciphertexts of two identical pieces of plaintext differ, which prevents detection of data patterns. Using an initialization vector can add to the security of your data.
However, initialization vectors have some performance implications. You can create indexes and optimize joins and searches only on columns where the encryption key does not specify an initialization vector. See “Performance considerations”.
null – omits the use of an initialization vector when encrypting. This makes the column suitable for supporting an index.
The default is to use an initialization vector, that is, init_vector random. Use of an initialization vector implies using a cipher block chaining (CBC) mode of encryption (where each block of data is combined with the previous block before encryption, with the first block being combined with the initialization vector).
Setting init_vector null implies the electronic code book (ECB) mode, where each block of data is encrypted independently.
To encrypt one column using an initialization vector and another column without one, create two separate keys: one that specifies use of an initialization vector and another that specifies no initialization vector.
pad
null – is the default. It omits random padding of data.
You cannot use padding if the column must support an index.
random – data is automatically padded with random bytes before encryption. You can use padding instead of an initialization vector to randomize the ciphertext. Padding is suitable only for columns whose plaintext length is less than half the block length (that is, less than 8 bytes for AES, whose block length is 16 bytes).
This example specifies a 256-bit key called “safe_key” as the database default key:
create encryption key safe_key as default for AES with keylength 256
Only the System Security Officer can create a default key.
This creates a 128-bit key called “salary_key” for encrypting columns using random padding:
create encryption key salary_key for AES with init_vector null pad random
This creates a 192-bit key named “mykey” for encrypting columns using an initialization vector:
create encryption key mykey for AES with keylength 192 init_vector random
The System Security Officer has default permission to create encryption keys and may grant that permission to other users.
For example:
grant create encryption key to key_admin_role
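The following is an added worked example, not code from the original page or from the Adaptive Server documentation. It ties the options above together: the System Security Officer delegates key creation, a key administrator creates keys with the three randomization choices (no initialization vector, initialization vector, random padding), and a table owner assigns one key per column, after which only the column whose key specifies neither an initialization vector nor padding can carry an index. The role name key_admin_role, the key names ssn_key, salary_key and badge_key, the employee table and its columns are constructed for the example; the encrypt with keyname column qualifier on create table and alter table ... modify is assumed syntax that this page only refers to as the "encrypt qualifier".

```sql
-- Added example, not from the original page. Names below are constructed;
-- the "encrypt with keyname" qualifier on create table / alter table is assumed.

-- 1. Run as the System Security Officer: delegate key creation to a role and
--    set a 256-bit database default key (only the SSO may create a default).
grant create encryption key to key_admin_role
go
create encryption key safe_key as default for AES with keylength 256
go

-- 2. Run as a member of key_admin_role.
-- ssn_key: no initialization vector (ECB mode). Equal plaintexts produce equal
-- ciphertexts, so columns using it can be indexed and joined, at the cost of
-- revealing which rows share a value.
create encryption key ssn_key for AES with keylength 128 init_vector null
go
-- salary_key: initialization vector (CBC mode). Ciphertext is randomized, so
-- no index is possible on columns encrypted with it.
create encryption key salary_key for AES with keylength 256 init_vector random
go
-- badge_key: no initialization vector, random padding instead. Sensible only
-- for plaintext shorter than half the 16-byte AES block (under 8 bytes), and
-- it rules out an index just as an initialization vector does.
create encryption key badge_key for AES with init_vector null pad random
go

-- 3. Run as the table owner: choose a key per column.
create table employee (
    emp_id     int           not null,
    ssn        char(11)      encrypt with ssn_key,     -- indexable (no IV, no pad)
    salary     numeric(10,2) encrypt with salary_key,  -- not indexable (IV)
    badge_code char(6)       encrypt with badge_key,   -- not indexable (pad random)
    notes      varchar(200)  encrypt,                  -- no key name: database default safe_key
    phone      char(12)      null                      -- stored in plaintext for now
)
go

-- Index allowed: ssn_key specifies no initialization vector and no padding.
create unique index employee_ssn_idx on employee (ssn)
go

-- These would be rejected, because salary_key uses an initialization vector
-- and badge_key uses random padding:
-- create index employee_salary_idx on employee (salary)
-- create index employee_badge_idx  on employee (badge_code)

-- 4. Encrypt an existing plaintext column later (assumed alter table syntax).
alter table employee modify phone encrypt with salary_key
go
```

The decision that matters for a defender is made at key creation, not at table creation: a key created with init_vector null (ECB) lets the database index and join the column, but anyone who can read the ciphertext can also tell which rows hold the same value, which is exactly the pattern leakage the initialization vector is meant to prevent. Reserve such keys for columns whose values are high-entropy and that genuinely need an index.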