Database Encryption - dbutil changes ==================================== Rev. 2010-06-15 / DRAFT Backwards Compatibility ----------------------- Configuring and using item encryption requires an internal database catalog table "syskey" that did not exist in previous versions of Eloquence. For databases created on older Eloquence versions, it is necessary to upgrade the catalog tables with the "upgrade database" command in dbutil before using encryption. Encrypted databases are not compatible to previous Eloquence versions. Attempting to access data or an index that holds encrypted data with a previous Eloquence version is likely to result in a server abort or corrupted data. When encrypting data, the record size and layout differs and previous Eloquence versions are currently not able to detect this. Recent patch levels of Eloquence B.08.00 and B.07.10 were improved to detect encrypted databases and refuse to open them. Databases are fully compatible to with previous versions when no encryption is used. Encryption overhead ------------------- Using data encryption changes the record size and layout. To minimize the encryption overhead, all encrypted fields are grouped together. As encryption uses a block size of 16 bytes the combined size of all encrypted fields is enlarged to be a multiple of 16 bytes. In addition, 4 bytes are used to record the id of the encryption key used to encrypt the data. This allows to use multiple generations of encryption keys. In addition, another 4 bytes are used to maintain an individual initialization value for this record ("salt") to ensure encrypted data have a different binary representation for identical values. Consequently, using encrypted data will add an overhead of 8 to 22 bytes per record, depending on the record layout. Enabling encryption requires additional CPU resources, depending on the amount of encrypted items and the frequency records holding encrypted data are accessed. In our testing we encountered about 20% additional CPU resources required in a benchmark when encrypting the entire database. dbutil script syntax -------------------- All commands below are only valid inside a database context: DATABASE "example"; The following command upgrades the database catalog for databases created on older Eloquence versions (see "Compatibility" above): UPGRADE DATABASE; To use encryption a data encryption key must be generated for the database. As data encryption keys are encrypted with a master key a master key must be uploaded to the server before creating a new encryption key. The following command is used to create a data encryption key: CREATE ENCRYPTION KEY [ ("type") ] USING [MASTER KEY] "master key"; Type specifies the data encryption algorithm associated with this key. The default encryption algorithm is AES. Supported encryption types are: - AES - AES 128 bit - AES128 - AES 128 bit - AES256 - AES 256 bit The master key argument specifies the checksum of the master key that is used to encrypt the data encryption key. The master key must have been submitted to the server before. The keywords "MASTER KEY" are optional and may be omitted. For example: CREATE ENCRYPTION KEY("AES256") USING MASTER KEY "330d6de453136a93fd99c1638fd645fd"; This creates a new data encryption key with the encryption algorithm AES256 and assigns it to a master key. The following command may be used to remove data encryption keys if the database does not use encrypted information. DELETE ALL ENCRYPTION KEYS; Please notice that this must be performed in a separate session to removing encrpytion from a database. A data encryption key may be transferred to a new master key. This may be used if the master keys are replaced. To succeed, both the previous and the new master keys need to be present in the server. The following command may be used to assign all data encryption keys of a database to the designated master key: CHANGE ALL ENCRYPTION KEYS USING [MASTER KEY] ""; The master key argument specifies the checksum of the master key that is used to encrypt the data encryption key. The keywords "MASTER KEY" are optional and may be omitted. The following command may be used to assign a single data encryption key to the specified master key: CHANGE ENCRYPTION KEY id USING [MASTER KEY] "master key"; The id argument specifies the data encryption key id that may be obtained with dbdumpcat. The master key argument specifies the checksum of the master key that is used to encrypt the data encryption key. The keywords "MASTER KEY" are optional and may be omitted. For example: CHANGE ENCRYPTION KEY 2 USING MASTER KEY "330d6de453136a93fd99c1638fd645fd"; This updates the data encryption key with the id 2 to be encrypted with the specified master key. The commands below may be used to designate a field as encrypted or unencrypted: CHANGE ITEM [IN ] SET ENCRYPTED; CHANGE ITEM [IN ] UNSET ENCRYPTED; The item-name argument specifies the item. The set-name argument specifies the name of a data set. If no data set is specified, the item is changed in all data sets. If a data set is specified, the field is only changed in this data set. Please note: encryption status is maintained for each field (item in a data set). When adding a field to a data set, it defaults to unencrypted. The following commands may be used to designate all fields in a data set as encrypted or unencrypted: CHANGE SET SET ENCRYPTED; CHANGE SET UNSET ENCRYPTED; The set-name argument specifies a set name. Then all items in this set are changed accordingly. The SET or UNSET ENCRYPTED may also be used in a change set context (enclosed in brackets). For example: CHANGE SET customers { UNSET ENCRYPTED; CHANGE ITEM turnover SET ENCRYPTED; } This would mark all fields in the customers record as unencrypted and then change the turnover field to be maintained in encrypted form. Operator user property ---------------------- Database accounts may be designated to have "operator" capabilities. This may be used to indicate user accounts permitted to perform operational tasks (such as performing backups). This allows a more restrictive policy to use administrative database accounts. The OPERATOR keyword may be used with the CREATE USER or CHANGE USER statements. For example: CHANGE USER "mike" PRIVILEGES CONNECT,OPERATOR; Change set type --------------- The CHANGE SET TYPE clause may be used to change set type between automatic and manual master. It only applies to manual and automatic master sets. For example: CHANGE SET "auto" TYPE AUTOMATIC; Change path definition ---------------------- The CHANGE PATH clause may be used to change an existing path in a detail set. Currently, only the sort item definition may be changed. For example: CHANGE SET "orders" CHANGE PATH (orderid);