Configuration of Encrypted Fields
To define a field to encrypt, add an option with the following attributes:
• Option Type should be set to Field Encryption.
• Sequence should be an appropriate sequence number. Typically, this is a number that is not already in use. Higher sequence numbers override lower ones.
• Value must contain the encryption specification as a command string made up of the attributes below.
Attribute | Description | Example
table | Table name. The table must exist in metadata. | table="SC_USER" |
field | Field to encrypt. The field must exist in metadata. | field="FIRST_NAME" |
alias | Keystore alias used to encrypt the data. | alias="ouaf.system" |
where | Filter for the data. Useful on child tables to select the specific rows to encrypt. | where="ID_TYPE_CD='SSN'" |
wrap | Whether the value should be wrapped with the ENC() marker. [true|false] | wrap=false |
maskAlg | If the field is also to be masked, the algorithm used to mask the data. | maskAlg="CMCCR" |
maskField | If the field is also to be masked, the field that holds the masked value. | maskField="CNBR_MASK" |
hashAlias | If the field is to be hashed, the keystore alias to use for the hash. | hashAlias="ouaf.hmac.system" |
hashField | If the field is to be hashed, the field that holds the hash value. | hashField="CNBR_HASH" |
encryptedField | If the output of the encryption is to be stored in another field of the table, the name of that field. | encryptedField="PK_VAL2" |
For example:
table="F1_ATTACHMENT",field="PK_VAL5",alias="ouaf.system",encryptedField="PK_VAL2",hashAlias='HmacSHA256-1024',hashField="PK_VAL3", where="PK_VAL1='Encrypted'"
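The specification string is easy to get subtly wrong (a missing quote, a hashAlias without a hashField, two outputs pointed at the same column), and a mistake is only discovered when the encryption job runs. The following parser and checker is an added example written for this page, not code from Oracle Utilities Application Framework: the attribute names and the example string come from the table above, but the validation rules (which attributes are required, that mask and hash attributes come in pairs, that output fields must be distinct) are assumptions made here for illustration. It handles the quoting the example relies on, a single-quoted SQL literal inside a double-quoted where value.

```python
"""Parse and validate a field-encryption specification string (added example)."""
import re

# Attribute names from the specification table; anything else is rejected.
KNOWN_ATTRIBUTES = {
    "table", "field", "alias", "where", "wrap", "maskAlg", "maskField",
    "hashAlias", "hashField", "encryptedField",
}
# Assumption for this example: the minimum needed to encrypt anything at all.
REQUIRED_ATTRIBUTES = {"table", "field", "alias"}

# The example string from the page, used as sample input.
EXAMPLE_SPEC = (
    'table="F1_ATTACHMENT",field="PK_VAL5",alias="ouaf.system",'
    'encryptedField="PK_VAL2",hashAlias=\'HmacSHA256-1024\','
    'hashField="PK_VAL3", where="PK_VAL1=\'Encrypted\'"'
)

# One attribute: key="value", key='value' or bare key=value, followed by a comma
# or the end of the string. A quoted value may contain the *other* quote
# character, which is how where="PK_VAL1='Encrypted'" survives intact.
_ATTR_RE = re.compile(
    r"""\s*(?P<key>[A-Za-z]+)\s*=\s*"""
    r"""(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<bare>[^,\s]+))\s*(?:,|$)"""
)


def parse_spec(spec: str) -> dict:
    """Return the attributes of a spec string as a dict; wrap becomes a bool."""
    attrs = {}
    pos = 0
    while pos < len(spec):
        m = _ATTR_RE.match(spec, pos)
        if not m:
            raise ValueError(f"cannot parse at offset {pos}: {spec[pos:pos + 20]!r}")
        key = m.group("key")
        value = next(v for v in (m.group("dq"), m.group("sq"), m.group("bare"))
                     if v is not None)
        if key in attrs:
            raise ValueError(f"attribute {key!r} given twice")
        attrs[key] = value
        pos = m.end()
    if "wrap" in attrs:
        low = attrs["wrap"].lower()
        if low not in ("true", "false"):
            raise ValueError("wrap must be true or false")
        attrs["wrap"] = low == "true"
    return attrs


def validate_spec(attrs: dict) -> list:
    """Return a list of problems; an empty list means the spec passed every check."""
    problems = []
    unknown = sorted(set(attrs) - KNOWN_ATTRIBUTES)
    if unknown:
        problems.append(f"unknown attribute(s): {', '.join(unknown)}")
    missing = sorted(REQUIRED_ATTRIBUTES - set(attrs))
    if missing:
        problems.append(f"missing required attribute(s): {', '.join(missing)}")
    # Mask and hash settings come in pairs: an algorithm or alias with no
    # target field has nowhere to write its result.
    for a, b in (("maskAlg", "maskField"), ("hashAlias", "hashField")):
        if (a in attrs) != (b in attrs):
            problems.append(f"{a} and {b} must be specified together")
    # Encrypted, hashed and masked output must each land in its own column.
    targets = [attrs[k] for k in ("encryptedField", "hashField", "maskField")
               if k in attrs]
    if len(targets) != len(set(targets)):
        problems.append("encryptedField, hashField and maskField must be distinct")
    return problems


def check_spec(spec: str) -> list:
    """Parse then validate; parse errors are reported as a single problem."""
    try:
        attrs = parse_spec(spec)
    except ValueError as exc:
        return [str(exc)]
    return validate_spec(attrs)


if __name__ == "__main__":
    print(parse_spec(EXAMPLE_SPEC))
    print("problems:", check_spec(EXAMPLE_SPEC))
    print("problems:", check_spec('table="SC_USER",field="FIRST_NAME",'
                                  'alias="ouaf.system",wrap=false,'
                                  'hashAlias="ouaf.hmac.system"'))
```

Run the checker over every Field Encryption option before executing the encryption job; the second call above reports that hashAlias was given without a hashField, which is the kind of mistake that otherwise shows up only at run time.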
There are a few guidelines when using this facility:
• The aliases specified in alias and/or hashAlias must exist in the keystore used for the product.
• Fields to be encrypted must be in string format only. Other field formats are not supported.
• Using a higher level of encryption may increase the storage required for a field. If this is the case, add an encryptedField to hold the larger encrypted value.
• The wrap attribute should be set to false unless your code includes additional processing to handle the special marker. Product fields should use wrap=false. Wrapping an encrypted value is useful for telling whether a given value is encrypted in cases where only some of the data on the table is encrypted.
• Ad-hoc characteristics cannot be specified in the where attribute.
• Hashing the value is handy for additional verification and indexing values.
Note: If encryption is added or changed, the F1-ENCRS and/or F1-ENCRT must be executed to reflect the changes.
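The last two guidelines are easier to appreciate with the data in front of you. The following is an added example, not code from the product: it shows what the ENC() marker buys you on a child table where only the rows matching where="ID_TYPE_CD='SSN'" are encrypted, and why a keyed hash column (hashField, keyed by hashAlias) lets you look up and verify an encrypted value without decrypting it. The HMAC key bytes, the rows, the ID and ID_NBR column names and the ciphertext strings are all constructed placeholders; CNBR_HASH and ID_TYPE_CD are the names used on this page, and HMAC-SHA256 mirrors the HmacSHA256 alias in the page's example. Only the Python standard library is used.

```python
"""ENC() wrapping and keyed hash-field lookup for an encrypted column (added example)."""
import hashlib
import hmac

# Constructed stand-in for the key the keystore would return for a hash alias
# such as "ouaf.hmac.system"; in the product the key never appears in code.
HMAC_KEY = bytes.fromhex(
    "2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c"
)
WRAP_PREFIX, WRAP_SUFFIX = "ENC(", ")"


def hash_field_value(plaintext: str, key: bytes = HMAC_KEY) -> str:
    """The value written to the hash column (hashField): HMAC-SHA256 of the plaintext.

    A keyed HMAC rather than a bare SHA-256 matters here: anyone who can read the
    column cannot precompute hashes of likely values (an SSN has only 10^9 candidates)
    without also holding the key behind the hashAlias.
    """
    return hmac.new(key, plaintext.encode("utf-8"), hashlib.sha256).hexdigest()


def wrap_value(ciphertext: str) -> str:
    """Store the ciphertext with the ENC() marker (wrap=true)."""
    return f"{WRAP_PREFIX}{ciphertext}{WRAP_SUFFIX}"


def is_wrapped(stored: str) -> bool:
    """True when a stored value carries the ENC() marker, i.e. is known to be encrypted."""
    return stored.startswith(WRAP_PREFIX) and stored.endswith(WRAP_SUFFIX)


def unwrap_value(stored: str) -> str:
    """Strip the marker before handing the ciphertext to the decryption routine."""
    if not is_wrapped(stored):
        raise ValueError("value is not wrapped with ENC()")
    return stored[len(WRAP_PREFIX):-len(WRAP_SUFFIX)]


# Constructed rows for a child table encrypted with where="ID_TYPE_CD='SSN'":
# only the SSN rows are encrypted (wrap=true) and hashed; the passport row stays
# plain and has no hash. The ciphertext strings are opaque placeholders that
# stand in for the real encrypted output.
ROWS = [
    {"ID": "1001", "ID_TYPE_CD": "SSN", "ID_NBR": wrap_value("c3RhbmQtaW4tMQ=="),
     "CNBR_HASH": hash_field_value("123-45-6789")},
    {"ID": "1002", "ID_TYPE_CD": "SSN", "ID_NBR": wrap_value("c3RhbmQtaW4tMg=="),
     "CNBR_HASH": hash_field_value("987-65-4321")},
    {"ID": "1003", "ID_TYPE_CD": "PASS", "ID_NBR": "X1234567", "CNBR_HASH": None},
]


def encrypted_row_ids(rows) -> list:
    """With wrap=true the marker says which rows are encrypted, without re-evaluating the where filter."""
    return [r["ID"] for r in rows if is_wrapped(r["ID_NBR"])]


def find_by_plaintext(rows, plaintext: str) -> list:
    """Exact-match lookup on the encrypted column without decrypting anything:
    recompute the keyed hash of the search value and compare it to the hash column.
    This is the 'indexing' use of hashField; an index on CNBR_HASH makes it a seek."""
    target = hash_field_value(plaintext)
    return [r["ID"] for r in rows
            if r["CNBR_HASH"] is not None and hmac.compare_digest(r["CNBR_HASH"], target)]


def verify_decrypted(row, plaintext: str) -> bool:
    """The 'verification' use of hashField: after decryption, confirm the plaintext
    still matches the stored hash, which catches a ciphertext swapped between rows."""
    if row["CNBR_HASH"] is None:
        return False
    return hmac.compare_digest(row["CNBR_HASH"], hash_field_value(plaintext))


if __name__ == "__main__":
    print("encrypted rows:", encrypted_row_ids(ROWS))
    print("rows holding 987-65-4321:", find_by_plaintext(ROWS, "987-65-4321"))
    print("row 1001 verifies:", verify_decrypted(ROWS[0], "123-45-6789"))
```

Note that the hash column only supports exact-match lookups and only while the same hashAlias key is in use; rotating the key behind the alias means recomputing every hash, which is one reason the page tells you to re-run F1-ENCRS/F1-ENCRT after changing an encryption definition.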