Creating Encryption Keys
Go Up to Using isql to Enable and Implement Encryption
The SYSDSO uses the CREATE ENCRYPTION command to create encryption keys. An encryption key is used to encrypt the pages and/or columns of a database. The database owner uses an encryption key to perform encryption on a specific database or column. InterBase stores encryption keys in the RDB$ENCRYPTIONS system table.
The following statement provides an example of a simple CREATE ENCRYPTION statement:
CREATE ENCRYPTION payroll_key for AES
where CREATE ENCRYPTION is the command, and “payroll_key” is the name of the key created. Thus, the basic syntax for creating an encryption key is:
CREATE ENCRYPTION key-name for AES | for DES
To create an encryption key using all of the available isql statement options, use the following syntax:
CREATE ENCRYPTION key-name [as default] [for {AES| DES}] [with length number-of-bits [bits]] [password {'user-password' | system encryption password}] [init_vector {NULL | random}] [pad {NULL | random}] [description ‘some user description’]
For example:
CREATE ENCRYPTION revenue_key FOR AES WITH LENGTH 192 BITS INIT_VECTOR RANDOM
See the following table for a description of each encryption key option:
| Option | Description |
|---|---|
|
Key name |
Identifies the encryption key by a unique name. |
|
Default |
This key is used as the database default when no explicit key is named for database or column encryption. |
|
AES |
Advanced Encryption Standard algorithm. This encryption scheme is considered strong and requires an InterBase license. |
|
DES |
Data Encryption Standard algorithm. This is a weak encryption scheme that requires no special license. |
|
Length |
Specifies key length. If using DES, 56 bits is the default. If using AES, you can specify 128, 192, or 256 bits. For AES, 128 is the default. |
|
Password |
Available only for column encryption keys. Associating a custom password with an encryption key provides an additional layer of protection. For more information about associating a custom password with an encryption key, see Setting a User-defined Password for an Encryption Key. |
|
Init-vector |
Random enables Cipher Block Chaining (CBC) encryption technique so that equal values have different ciphertext. If NULL is specified, then Electronic Cookbook (ECB) is used. NULL is the default value. |
|
Pad |
Random padding can cause equal values to have different ciphertext. NULL specifies that random padding should not occur. NULL is the default value. |
|
Description |
A user-level comment that describes the purpose of the encryption. |
A random initialization vector or random padding prevents an encrypted column from being used in an index, and raises an error if a create index DDL statement tries to do so. The NULL defaults for both of these options favor index-enabled access optimization over a more stringent level of protection afforded by the random counterparts.
Setting a User-defined Password for an Encryption Key
As noted in the table above, you can assign each column encryption key a custom password, which adds an additional level of protection for your data. When you associate a password with a column encryption key, you must give it to the database owner or the table owner so that s/he can use the key to encrypt the column. You must also give it to any end users who need to change or view the values in the encrypted column.
If an encryption key was defined with a user-defined password, then users must set the password during a database session before accessing columns that have been encrypted with the key:
The System Encryption Password (SEP) is the default if no PASSWORD clause is provided to CREATE ENCRYPTION.
set password '<user-password>' for {encryption <encryption_name> | column <table.column_name>}
Assuming the same user also has decrypt and access permissions on the column, he or she can now access all columns encrypted by that key.
Dropping an Encryption Key
An encryption key can be dropped (deleted) from the database. Only the SYSDSO can execute this command. The command will fail if the encryption key is still being used to encrypt the database or any table columns when “restrict” is specified, which is the default drop behavior. If “cascade” is specified, then all columns using that encryption are decrypted and the encryption is dropped.
To drop an encryption key, use the following syntax:
key-name [restrict | cascade]