Performing Column-level Encryption Using IBConsole

Go Up to Encrypting a Database with IBConsole

With column-level encryption, only the data of the selected columns is encrypted. Also, with column-level encryption the database/table owner can specify GRANT/REVOKE access to certain roles, users, stored procedures, and triggers.

After enabling EUA, login as SYSDSO and take the following steps in IBConsole:

1. Right-click on the database that contains the columns you want to encrypt, and choose Set SEP.
2. On Set System Encryption Password, enter and confirm a password, then choose OK.
3. Select the Encryptions node, then right-click in the right pane and select Create.
4. In Encryption Editor complete the fields as desired and choose OK.
   • Name: Enter your name of the encryption key. You have an option to make this case sensitive or not.
   • Description: Enter a description to define your encryption key.
   • Cipher: Select from the drop-down list: None, AES, DES.
   • Key Length: Specifies the bit length of the encryption key. For DES it is always 56. For AES you can select from 128, 192, or 256, with 128 as the default value. The higher the bit length, the stronger the encryption.
   • Init Vector: Select NULL (the default) or RANDOM. This specifies the initialization vector.
   • Pad: Select NULL (the default) or RANDOM. Random provides stronger encryption.
   • Password and Confirm Password: Enter and confirm the password for this encryption key.
   • Grant Owner: This is selected by default. If this is not selected the key cannot be used until you GRANT permission to someone using the Grant Editor.
5. Disconnect from the database as SYSDSO, and reconnect as SYSDBA.
6. Select the Tables node, right-click the table that contains the columns that you want to encrypt, and select Properties.
7. Click and the Table Editor opens.
8. Select the name of the column to encrypt, and click Edit Field.
9. In Field Property Editor, complete the following information, and click OK.
   • Name: Where the name of the column is entered or changed.
   • Field Kind: Select the kind of column to create. Once you make a selection three options are available:

   • Domain: You have two options: (1) Select Domain where you select an existing domain to be used with the column; or (2) New Domain which opens the Domain Editor to create a new domain to be used with the column.
   • Data Type: You can open the Data Type Editor to create or alter the Data Type definition for the column.
   • Computed By: This field is only visible when created a Computed By column. Computed By columns cannot be altered.

   • Domain: Displays the domain name if the column definition is based on a domain.
   • Data Type: The data type definition is displayed, whether it is based on a domain or created manually.
   • Default: This field is only enabled when creating a column that is not Computed By.
   • Not Null: When checked the column cannot have null values. This is only enabled when creating a column definition.
   • Encryption: The column is encrypted with the selected encryption key. If “none” is selected the column will decrypt.
   • Decrypt Default: This value is displayed to users who are not granted permission to see or alter the data in the column. If no “Decrypt default: is specified, IBConsole hides the column when a user without rights displays the data in the table.
10. Choose OK again on the Table Editor. The column you selected is encrypted using the encryption level you specified.

Advance To:

• Backup and Restore an Encrypted Database