Encrypting Blob Columns
Blob columns can be encrypted like any other column data type. However, due to their large size, blob encryption can be time-consuming. Typically, a large blob is created before its creator knows which column it will belong to. If the final column destination is encrypted, then the unencrypted blob will need to be re-read and encrypted with the column’s encryption key.
To avoid blob re-encryption overhead, two blob parameter items have been added, and can be passed to isc_blob_create2() to indicate the column to which the blob will be assigned. The items isc_bpb_target_relation_name and isc_bpb_target_field_name denote the column to which the blob will be assigned by the developer. These items are passed via the blob parameter block in the same way that blob filter and character set blob parameter items are sent. The blob parameter byte string includes the following:
- The blob parameter;
- One “length” byte; and
- “Length” bytes for the target name.
isc_blob_gen_bpb() and isc_blob_gen_bpb2() can generate these new blob parameter items if the target blob descriptor argument has both blob_desc_relation_name and blob_desc_field_name string members.
If a blob ID is assigned between two columns with different encryptions, the blob assigned to the destination column is automatically translated between the two encryptions. This means that the source blob is decrypted internally to plaintext and the destination blob is encrypted with the new ciphertext.
The workaround described here also pertains to special cases in which one of the blobs is not encrypted. If an encrypted blob ID is assigned to a blob column with no encryption, the assignment is allowed but a warning error is returned.