Field Encryption Support via Key Ring

In this release the system supports defining key rings for symmetric encryption keys and hash keys for application field encryption. Previously the system only supported application field encryption using keys defined in the keystore.

The following points highlight functionality provided by this feature.

  • A key ring business object is provided for defining AES symmetric keys to use for field encryption.
  • A key ring business object is provided for defining HMAC hash keys to use for hashing values for search purposes.
  • The Field Encryption feature configuration option now supports mnemonics for referencing a key ring and a hash key ring instead of an alias key and a hash alias key.
  • A new batch control is provided to encrypt all the data configured to be encrypted for a given maintenance object. This batch control is used for initially encrypting data as well as for managing key rotation.

Using key rings to define encryption and hash keys allows for more streamlined cryptography key definition for application encryption. In addition, the system supports key rotation.
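The key ring model described above, as an added Go example rather than the framework's own code: a ring holds several key versions and names the active one, values are encrypted under the active AES key with the key id recorded alongside the ciphertext, a separate HMAC key ring produces deterministic hashes for equality search, and a batch pass rewrites every stored value under the current key, which is the role the new batch control plays during key rotation. The `Ring` type, the `keyid:` prefix, the key ids and the sample values are all assumptions made for this illustration; how the framework actually stores encrypted fields is not described on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"strings"
)

// Ring is a hypothetical stand-in for a key ring business object: versioned
// keys plus the id of the version that new writes use. Older versions stay
// readable so rows written before a rotation can still be decrypted.
type Ring struct {
	Keys   map[string][]byte
	Active string
}

// Rotate adds a key version and makes it the active one.
func (r *Ring) Rotate(id string, key []byte) {
	if r.Keys == nil { r.Keys = map[string][]byte{} }
	r.Keys[id] = key
	r.Active = id
}

// NewKey returns a fresh random 32-byte key (constructed for this example).
func NewKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil { panic(err) }
	return k
}

// gcmFor fails for a missing key (nil) or a key of the wrong size.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Encrypt stores a field as "keyid:base64(nonce||ciphertext)" with AES-256-GCM
// under the active key. The key id is bound as additional authenticated data,
// so a stored value cannot be re-labelled with another key id and still verify.
func (r *Ring) Encrypt(plaintext string) (string, error) {
	gcm, err := gcmFor(r.Keys[r.Active])
	if err != nil { return "", err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return "", err }
	ct := gcm.Seal(nil, nonce, []byte(plaintext), []byte(r.Active))
	return r.Active + ":" + base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// Decrypt uses whichever key version the stored value names, so data written
// before a rotation stays readable until the batch pass has rewritten it.
func (r *Ring) Decrypt(field string) (string, error) {
	id, enc, _ := strings.Cut(field, ":")
	raw, err := base64.StdEncoding.DecodeString(enc)
	if err != nil { return "", err }
	gcm, err := gcmFor(r.Keys[id])
	if err != nil { return "", err }
	ns := gcm.NonceSize()
	if len(raw) < ns { return "", errors.New("ciphertext too short") }
	pt, err := gcm.Open(nil, raw[:ns], raw[ns:], []byte(id))
	if err != nil { return "", err }
	return string(pt), nil
}

// KeyID reports which key version a stored field was written with.
func KeyID(field string) string {
	id, _, _ := strings.Cut(field, ":")
	return id
}

// ReEncryptAll plays the role of the batch control: each field is decrypted
// with the key it names and rewritten under the currently active key.
func ReEncryptAll(r *Ring, fields []string) ([]string, error) {
	out := make([]string, 0, len(fields))
	for _, f := range fields {
		pt, err := r.Decrypt(f)
		if err != nil { return nil, err }
		ct, err := r.Encrypt(pt)
		if err != nil { return nil, err }
		out = append(out, ct)
	}
	return out, nil
}

// Hash is the hash key ring side: "hashkeyid:hex(HMAC-SHA256)". The output is
// deterministic, so an equality search can match the stored hash without
// decrypting; rotating the hash key therefore means re-hashing the column.
func (r *Ring) Hash(value string) string {
	mac := hmac.New(sha256.New, r.Keys[r.Active])
	mac.Write([]byte(value))
	return r.Active + ":" + hex.EncodeToString(mac.Sum(nil))
}
```

Recording the key version with each value is what makes rotation a two-step process: `Rotate` makes the new key active for writes while old rows remain decryptable, and `ReEncryptAll` (the batch step) moves the old rows to the new key so the previous version can eventually be retired. Binding the key id into the GCM authenticated data means a stored value cannot be pointed at a different key entry without failing authentication.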

Steps to Enable

Provide the required access before using the feature. Details are in the Access Requirements section.

Tips And Considerations

Implementations that currently use encryption keys defined in a keystore can move to using key rings for defining the encryption keys.

Key Resources

Access Requirements

System administrators should grant users access to the application service F1-FIELDENCRYPTBOAS, with the appropriate access modes, so that they can maintain key rings for the new key ring use cases. Administrators should grant users access to the application service F1-FLENC, with the Execute access mode, for users who need to submit the batch job that mass encrypts or re-encrypts data.