DB2 ENCRYPT scalar function - Deprecated - encryption

I am planning to encrypt my table column data with DB2 provided encryption functions. In this case the suggested option was to use the DB2 ENCRYPT scalar function. However, IBM documentation suggests this function is deprecated. Also, it uses the RC2 block cipher algorithm, which is considered weak.
Kindly suggest any alternate function for the same, which can be used to encrypt the data.
I tried to search the alternative for the same but couldn't find much help.

You seem to be referring to Db2 11.5 and its ENCRYPT function. Db2 offers built-in native encryption. It encrypts data at rest and the scope is the database. It is the recommended way if you want to use an encryption offered by the product itself. The documentation has an overview for data encryption, discussing all available options for data at rest and data in transit.
If you only want to encrypt single values, you could also implement your own scalar function (as UDF).

Related

How to encrypt and decrypt data using Ring and a PSK or Certificate in Rust?

I like to implement a secure signed token with some data for usage across multiple backend services.
Evaluating the possibilities it looks like the Ring-Library is already one of my project dependencies due to a higher level dependency (warp).
So I thought I could use ring for my purpose too, can I?
Unfortunately I was unable to find any up-to-date example of how to use ring to encrypt and decrypt data with a pre shared key (or SSL-Certificate). All examples I found were outdated. And I was unable to use the documentation of ring to figure out the correct approach by myself.
Can anyone provide a very simple example how to use ring in ^0.16 to encrypt and decrypt data with a pre shared key and/or SSL-Certificate (generated by open-ssl for example)?
Or do you rather think I should not use ring, but another library for my purpose?

Encrypt DB2 table data while at rest. Compatible with z/linux and Z/os

I have been tasked with finding a solution to encrypting DB2 table data while at rest (DAR)
My environments:
Note: all environments using SSL to encrypt DB2 data while in transit
1) I have two z/os environments with two tables in scope. My client requests that a specific column have its data encrypted while at rest.
-- One of the tables utilizes SQL replication and is not only dependent on two z/os environments but two DB2 z/linux based db2 instances and tables
2) DB2 LUW is deprecating DB2 table column encryption and advocating the use of Native database encryption.
Does anyone have any suggestions on how to encrypt DB2 data while at rest that is compatible between z/os and luw (In my case I am using z/linux). Ideally any solution would be transparent to applications.
As mentioned in comments, Db2 encryption is transparent to applications, including yours. Once data leaves "rest" (storage) it is decrypted, then re-encrypted when it comes to "rest" again.
Encryption implementation details are platform-specific. In your case the entire databases on z/Linux must be encrypted to protect your single column. Given that you are using SQL replication, no other changes are necessary.
You may look at the Row and column access control (RCAC) feature.
You may encrypt the column values for users which don't have an appropriate authorization, but allow to see actual values for others (including the replication user).
But column data on disk and in a backup are not encrypted with RCAC.
Use native encryption to encrypt the entire database on disk. You don't have the ability to use native encryption just for particular columns and tables.
I agree with Mustaccio and Mark. Yet another possible choice is federation, i.e. you don't use replication at all but rather leave the data in their respective places and let the databases sort out data access for consumers, e.g. via DRDA or Data Virtualization Manager for z/OS.

Encryption/Decryption For solr

I have a Solr Cloud cluster running on different machines. The data which is indexed needs to be encrypted in such a way that it is stored in encrypted format on the hard disk, and when Solr requires it for some queries or for indexing, it should be able to decrypt it, do the operation, and store the data in encrypted form again after the operation is done. I am ok with using Amazon S3 if it solves the problem. I have searched and researched a lot but there are no relevant articles. If someone can give me a nudge in some direction or tell me how I can accomplish this, it will be a really great help.
There is no built-in support for encrypting indexes, but there are a few open issues with possible patches.
The most promising one is probably LUCENE-6966. If you want to implement it yourself, looking at writing a custom codec is probably the way to go.
If you don't want to deal with manual patching or writing code yourself, Hitachi has a ready-to-deploy solution for Solr and Lucene named Credeon.
To prevent the risk of a data breach from the search indices, Credeon SFS delivers searchable encryption technology which allows the search process to be carried out directly on encrypted data. Specifically, Credeon:
Encrypts the search indices
Uses a unique randomization process for encrypting each plaintext index
Searches through encrypted indices in real time
Returns search results without decrypting the indices

Encryption at rest for RocksDB

I am exploring options to implement encryption at rest for RocksDB data which I am using in one application (that is, I don't have to store the key in the data, I can calculate it in runtime). Ideally, it should be DES.
Are there easy plugins or libraries specifically for RocksDB, or I will have to improvise?
There is nothing that I know of. In terms of implementation you have a few options:
Handle the encryption in your app. Rocks doesn't care what you store in it, just that keys are comparable. So you just need to design a sensible key encoding.
You could use the StackableDB feature of Rocks to implement something between your app and Rocks to handle the encryption. You would still have to design a key encoding for your data.
Look at how compression is implemented in Rocks and try to implement something at that level if appropriate.
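The first option above, as an added Go example that is not part of the original answer or of RocksDB: values are encrypted in the application, and DB keys stay in plaintext so they remain comparable. It assumes an in-memory `Store` map in place of RocksDB, uses AES-GCM from Go's standard library rather than the DES the question mentions, and passes the DB key as associated data; all names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Store stands in for RocksDB: an opaque byte-keyed map, not the RocksDB API.
type Store map[string][]byte

// NewAEAD builds AES-GCM from a 16, 24 or 32 byte key computed at runtime.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put stores nonce||ciphertext||tag under the plaintext (still comparable) DB key.
// The DB key is the associated data, so a record copied under another key fails in Get.
func Put(db Store, a cipher.AEAD, k, v []byte) error {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	db[string(k)] = a.Seal(nonce, nonce, v, k)
	return nil
}

// Get authenticates and decrypts; tampered or relocated records return an error.
func Get(db Store, a cipher.AEAD, k []byte) ([]byte, error) {
	rec, ok := db[string(k)]
	if n := a.NonceSize(); ok && len(rec) >= n {
		return a.Open(nil, rec[:n], rec[n:], k)
	}
	return nil, fmt.Errorf("no usable record for key %q", k)
}

func main() {
	a, _ := NewAEAD([]byte("constructed-demo-enc-key-32bytes")) // constructed key
	db := Store{}
	_ = Put(db, a, []byte("user:1"), []byte("alice"))
	db["user:2"] = db["user:1"] // simulate a record moved on disk
	v1, _ := Get(db, a, []byte("user:1"))
	_, err := Get(db, a, []byte("user:2"))
	fmt.Printf("%s / %v\n", v1, err)
}
```

DB keys are not confidential in this layout; only the values are.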

How to obfuscate key for encryption function?

If an encryption function requires a key, how do you obfuscate the key in your source so that decompilation will not reveal the key and thereby enable decryption?
The answer to a large extent depends on the platform and development tool, but in general there's no reliable solution. The encryption function is the point at which the key must be present in its "natural" form. So all the hacker needs to do is to put the breakpoint there and dump the key. There's no need to even decompile anything. Consequently any obfuscation is only good for newbies or when debugging is not possible for whatever reason. Using the text string that exists in the application as the key is one of the variants.
But the best approach is not to have the key inside, of course. Depending on your usage scenario you sometimes can use some system information (eg. smartphone's IMEI) as the key. In other cases you can generate the key when the application is installed and store that key as an integral part of your application data (eg. use column names of your DB as the key, or something similar).
Still, as said, all of this is tracked relatively easily when one can run the debugger.
There's one thing to counteract debugging -- offload decryption to a third party. This can be done by employing an external cryptodevice (USB cryptotoken or smartcard) or by calling a web service to decrypt certain parts of information. Of course, these methods are also suitable only for a limited set of scenarios.
Encryption is built into the .NET configuration system. You can encrypt chunks of your app/web.config file, including where you store your private key.
http://www.dotnetprofessional.com/blog/post/2008/03/03/Encrypt-sections-of-WebConfig-or-AppConfig.aspx