
Encryption and key management best practices


I am using column-level encryption (ENCRYPT_CHAR, DECRYPT_CHAR) to
protect selected columns in DB2 LUW v.9.1 and v.9.5 on Linux. The
ultimate goal is to support the requirements put forward in Payment
Card Industry Data Security Standard (PCI DSS) which states: "Protect
stored cardholder data anywhere it is stored".

The encryption functions above require a password to be set for each
db2 session (SET ENCRYPTION PASSWORD = '836b56319d9'). This implies
that the password must be provided by the client program accessing
db2.

I seek advice as to how to store, use and manage such passwords ("keys")
securely and according to best practices.

https://www.pcisecuritystandards.org/
http://en.wikipedia.org/wiki/PCI_DSS

--

Nov 13 '07 #1
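One way a client program can handle the session password asked about above (an added example, not code from the thread or from IBM): the password lives in a file that only the service account can read, the loader refuses anything group/world-readable or not owned by the caller, and the password reaches DB2 only as a bound parameter marker so it never appears in statement text. The table and column names, the password file path and the sample password are constructed for the example; DB2's 6..127 byte password limit is from the ENCRYPT_CHAR documentation.

```python
import os
import stat
import tempfile
from pathlib import Path

# DB2 limits for ENCRYPT_CHAR / SET ENCRYPTION PASSWORD: 6 to 127 bytes.
MIN_PW_BYTES, MAX_PW_BYTES = 6, 127


def load_encryption_password(path: str) -> str:
    """Read the DB2 encryption password from a file owned by the running
    service account with no group/world permissions; refuse anything else."""
    p = Path(path)
    st = p.lstat()                      # lstat: a swapped-in symlink must not pass
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path}: not owned by the running user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: group/world accessible, expected mode 0600")
    pw = p.read_text(encoding="utf-8").strip()
    if not MIN_PW_BYTES <= len(pw.encode("utf-8")) <= MAX_PW_BYTES:
        raise ValueError("password length outside DB2's 6..127 byte range")
    return pw


def insert_card_stmt() -> str:
    """Constructed statement: the password is bound as the last '?', so the SQL
    text seen by statement monitors or application logs never contains it."""
    return "INSERT INTO card (card_id, pan_enc) VALUES (?, ENCRYPT_CHAR(?, ?))"


def rotate_stmt() -> str:
    """Constructed rotation statement: re-encrypt under a new password
    (old and new password bound as the two '?' markers)."""
    return "UPDATE card SET pan_enc = ENCRYPT_CHAR(DECRYPT_CHAR(pan_enc, ?), ?)"


def demo() -> dict:
    """Constructed self-check: a 0600 file loads, a 0644 file is refused."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        key_file = os.path.join(d, "db2_enc.key")
        with open(key_file, "w", encoding="utf-8") as f:
            f.write("s3cretPassw0rd\n")           # constructed sample password
        os.chmod(key_file, 0o600)
        out["loaded"] = load_encryption_password(key_file)
        os.chmod(key_file, 0o644)                 # now world-readable
        try:
            load_encryption_password(key_file)
            out["rejected_world_readable"] = False
        except PermissionError:
            out["rejected_world_readable"] = True
    out["password_in_sql"] = out["loaded"] in insert_card_stmt()
    return out
```

With ibm_db the two statements would be run through `ibm_db.prepare` and `ibm_db.execute` with the password in the parameter tuple; that call is assumed and not shown, so the block runs without a database.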
On Nov 13, 2:37 pm, olafinsbraa...@hotmail.com wrote:
> I am using column-level encryption (ENCRYPT_CHAR, DECRYPT_CHAR) to
> protect selected columns in DB2 LUW v.9.1 and v.9.5 on Linux. The
> ultimate goal is to support the requirements put forward in Payment
> Card Industry Data Security Standard (PCI DSS) which states: "Protect
> stored cardholder data anywhere it is stored".
>
> The encryption functions above require a password to be set for each
> db2 session (SET ENCRYPTION PASSWORD = '836b56319d9'). This implies
> that the password must be provided by the client program accessing
> db2.
>
> I seek advice as to how to store, use and manage such passwords ("keys")
> securely and according to best practices.
>
> https://www.pcisecuritystandards.org...g/wiki/PCI_DSS
>
> --

Is it a good idea to push operational constraints in a database
engine?

I understand that all clients can encrypt/decrypt without an additional
tool; obfuscating is the challenge then (the question posted here).
So additional programming is needed (again, as with a home-made
encrypt/decrypt capability).

Another drawback of using the available encrypt/decrypt routine is
that the encrypted info is in the DB2 log and the encrypt/decrypt
algorithm is, as far as I know, not given by IBM. How will tools that
process logs be able to tackle this?

In conclusion, maybe some design "team" must decide where to go with
first.

Bernard Dhooghe

Nov 14 '07 #2
On Nov 14, 11:30 am, Bernard Dhooghe <dhoog...@yahoo.com> wrote:
> Is it a good idea to push operational constraints in a database
> engine?

Why should it not be? To me the database is just another tool, and if
it can serve a particular purpose, there's little to be gained in
reinventing the wheel by rolling your own.

> I understand that all clients can encrypt/decrypt without an additional
> tool; obfuscating is the challenge then (the question posted here).
> So additional programming is needed (again, as with a home-made
> encrypt/decrypt capability).

The original question was about key management, and I believe that
challenge essentially remains the same whether one chooses to use
database encryption (DB2 encrypt/decrypt) or client encryption (C,
Perl, Python, etc.).

> Another drawback of using the available encrypt/decrypt routine is
> that the encrypted info is in the DB2 log and the encrypt/decrypt
> algorithm is, as far as I know, not given by IBM. How will tools that
> process logs be able to tackle this?

How would log processing of encrypted data differ from processing any
other kind of binary data?

http://tinyurl.com/2k2hvh

"Creating indexes on encrypted data is a good idea in some cases.
Exact matches and joins of encrypted data will use the indexes you
create. Since encrypted data is essentially binary data, range
checking of encrypted data would require table scans."

> In conclusion, maybe some design "team" must decide where to go with
> first.

Hey, that's me :)

--

Nov 15 '07 #3
