-
Database Encryption
Hello All,
Wondering if Informix 10 supports any type of data encryption natively?
If so, what are the types (column level, table level etc..) and what are
some of the caveats associated with its use?
Thanks for your time,
Tam.
-
Re: Database Encryption
> Wondering if Informix 10 supports any type of data encryption natively?
> If so, what are the types (column level, table level etc..) and what are
> some of the caveats associated with its use?
I know that 10.x supports column level encryption, since we use it.
http://publib.boulder.ibm.com/infoce...c/admin216.htm
-
Re: Database Encryption
Tam OShanter said:
> Hello All,
> Wondering if Informix 10 supports any type of data encryption natively?
Yes
> If so, what are the types (column level, table level etc..) and what are
Column level and communications.
> some of the caveats associated with its use?
Sucky performance.
--
Bye now,
Obnoxio
"... no bill is required as no value was provided."
-- Christine Normile
-
Re: Database Encryption
Adam Tauno Williams wrote:
> > Wondering if Informix 10 supports any type of data encryption natively?
> > If so, what are the types (column level, table level etc..) and what are
> > some of the caveats associated with its use?
>
> I know that 10.x supports column level encryption, since we use it.
> http://publib.boulder.ibm.com/infoce...c/admin216.htm
How does Informix handle the encryption keys? It doesn't appear that
you have any control over the key that it uses for encrypting the data.
Are they just generated internally?
The only reason that I'm curious about this is because one of the
current PCI (VISA) requirements is for key rotation. Is anyone using
Informix encryption for PCI requirements and if so, have the auditors
blessed the solution?
--
Chris
-
Re: Database Encryption
On Fri, 2006-06-30 at 08:11 -0700, Chris S wrote:
> Adam Tauno Williams wrote:
> > > Wondering if Informix 10 supports any type of data encryption natively?
> > > If so, what are the types (column level, table level etc..) and what are
> > > some of the caveats associated with its use?
> > I know that 10.x supports column level encryption, since we use it.
> > http://publib.boulder.ibm.com/infoce...c/admin216.htm
> How does Informix handle the encryption keys? It doesn't appear that
> you have any control over the key that it uses for encrypting the data.
> Are they just generated internally?
I don't follow; you explicitly provide the key.
set encryption password "one two three 123";
insert into emp values ("Bob", 65000, encrypt_aes('213-656-0890'));
select name,salary,decrypt_char(ssn, "one two three 123")
from emp
Do you mean does it care if you use a crappy key? It doesn't seem to.
> The only reason that I'm curious about this is because one of the
> current PCI (VISA) requirements is for key rotation. Is anyone using
> Informix encryption for PCI requirements and if so, have the auditors
> blessed the solution?
I personally haven't seen any auditors, but key rotation is no big
deal.
set encryption password "new key";
update emp
set ssn = encrypt_aes(decrypt_char(ssn, "old key"))
where....
In our case the application uses the user's credentials to acquire a/the
key from a key repository, and then connects to the database with the
user's credentials and uses the acquired key to get or update data in
the database. The key never leaves the process's memory (and the
process forgets it after using it) or the VLAN between the application
host, the database server, and the key server.
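The rotation described in the post above, extended into a resumable form as an added example (not part of the original post). It assumes a hypothetical key_ver column on emp that records which key encrypted each row, a logged database so that BEGIN WORK is available, and placeholder passwords in place of real keys.

```sql
-- Added example: versioned key rotation for the emp.ssn column.
-- key_ver is a hypothetical column; existing rows default to version 1.
ALTER TABLE emp ADD (key_ver SMALLINT DEFAULT 1 NOT NULL);

BEGIN WORK;

-- New session password: ENCRYPT_AES() with no password argument uses it.
SET ENCRYPTION PASSWORD 'NEW-KEY-PLACEHOLDER';

-- Re-encrypt only rows still under the old key and stamp them with the
-- new version, so a re-run never decrypts a row with the wrong key.
UPDATE emp
   SET ssn     = ENCRYPT_AES(DECRYPT_CHAR(ssn, 'OLD-KEY-PLACEHOLDER')),
       key_ver = 2
 WHERE key_ver = 1;

-- Check 1: no row is left on the old key (expect 0).
SELECT COUNT(*) AS rows_on_old_key
  FROM emp
 WHERE key_ver = 1;

-- Check 2: rotated rows decrypt under the session (new) password alone.
SELECT FIRST 5 name, DECRYPT_CHAR(ssn) AS ssn_plain
  FROM emp
 WHERE key_ver = 2;

-- Commit only if both checks look right; otherwise ROLLBACK WORK.
COMMIT WORK;
```

Retire the old key from the key repository only after the first check returns 0 and backups that still need it have aged out.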
-
Re: Database Encryption
Adam Tauno Williams wrote:
>
> In our case the application uses the user's credentials to acquire a/the
> key from a key repository, and then connects to the database with the
> user's credentials and uses the acquired key to get or update data in
> the database. The key never leaves the process's memory (and the
> process forgets it after using it) or the VLAN between the application
> host, the database server, and the key server.
I guess I mis-stated what I really wanted to know. I was more
questioning a key management system. Sounds like you have an external
key management system because Informix does not provide that
functionality.
Did you develop your own key management system or did you buy one (if I
may ask)?
--
Chris
-
Re: Database Encryption
> > In our case the application uses the user's credentials to acquire a/the
> > key from a key repository, and then connects to the database with the
> > user's credentials and uses the acquired key to get or update data in
> > the database. The key never leaves the process's memory (and the
> > process forgets it after using it) or the VLAN between the application
> > host, the database server, and the key server.
> I guess I mis-stated what I really wanted to know. I was more
> questioning a key management system. Sounds like you have an external
> key management system because Informix does not provide that
> functionality.
Ah. Nope, Informix doesn't provide any key management. Which was good
by us, we wanted the key acquisition to be an entirely separate system.
> Did you develop your own key management system or did you buy one (if I
> may ask)?
"key management server" may be a misnomer. We use an LDAP server to
store the keys. LDAP servers, typically, have very robust/flexible
access control rules. You can specify for who, from where, when, at
what minimum connection encryption/trust level access to a particular
value will be provided.
-
Re: Database Encryption
Gentlemen,
Is there someone using Prime (Card Management System from TSYS) with an Informix database engine? I am trying to find out whether the column-level encryption available in Informix 10.x works with the Prime application. If not, what other encryption capabilities can I deploy on Informix 10.x? My understanding is that IBM Database Encryption Expert does not support Informix 10.x. Please share your experience, gents.
Ciao