Encryption and decryption functions
OneDB supports built-in encryption and decryption functions.
Element | Description | Restrictions | Syntax |
---|---|---|---|
data | A plain text character string, variable, or large object of type BLOB or CLOB to be encrypted | Must be a character or BLOB data type | Expression |
encrypted_data | A character string or variable containing output from ENCRYPT_AES or from ENCRYPT_TDES | Decryption requires the encryption password | Expression |
hint | A character string that you define here. Default is the value from the WITH HINT clause of the SET ENCRYPTION statement that defined password. | No more than 32 bytes | Quoted String |
password | A character string that the encryption function defines. Default is the session password value defined by the SET ENCRYPTION statement | At least 6 bytes, but no more than 128 bytes | Quoted String |
You can invoke these encryption and decryption functions from within DML statements or with the EXECUTE FUNCTION statement.
For distributed operations over a network, all participating database servers must support these (or equivalent) functions. If the network is not secure, the DBSA must enable the encryption communication support module (ENCCSM) to provide data encryption between the database server and client systems, in order to avoid transmitting passwords as plain text.
Encryption or decryption calls slow the performance of the SQL statement within which these functions are invoked, but have no effect on other statements. However, if you store encrypted data in a column that is an index key, or in a column on which a constraint is defined, HCL OneDB™ cannot enforce the constraint, and DML statements cannot use the index.
Similarly, do not encrypt a column whose value is referenced in the fragment key expression of a fragmented table.
You cannot encrypt the security label in a column of type IDSSECURITYLABEL.
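The following added example (not part of the original documentation) shows the session password, the hint, and the index restriction described above working together in DML. The table and column names, the sample values, and the column width are assumptions; DECRYPT_CHAR and GETHINT are the companion built-in functions and are not described on this page.

```sql
-- Constructed table: the lookup key stays plain text so that the primary-key
-- index and constraint keep working; only the sensitive column is encrypted.
CREATE TABLE customer_secret (
    cust_id     INTEGER PRIMARY KEY,
    secret_enc  VARCHAR(255)   -- encrypted output is longer than the plain
                               -- text, more so with a hint (width assumed)
);

-- Session default: password is 6 to 128 bytes, hint is at most 32 bytes.
-- The password travels inside the SQL text, which is why ENCCSM is needed
-- on a network that is not secure.
SET ENCRYPTION PASSWORD 'placeholder-passphrase' WITH HINT 'vault entry 12';

-- Uses the session password and hint.
INSERT INTO customer_secret (cust_id, secret_enc)
    VALUES (101, ENCRYPT_AES('constructed-value-0001'));

-- Explicit password and hint override the session defaults for this value.
INSERT INTO customer_secret (cust_id, secret_enc)
    VALUES (102, ENCRYPT_AES('constructed-value-0002',
                             'other-placeholder', 'vault entry 13'));

-- The hint is readable without the password, so it must not reveal it.
SELECT cust_id, GETHINT(secret_enc) AS hint
    FROM customer_secret;

-- Filter on the plain-text key, then decrypt only the rows that matched.
SELECT cust_id, DECRYPT_CHAR(secret_enc) AS secret
    FROM customer_secret
    WHERE cust_id = 101;

-- A row encrypted with a different password needs that password supplied.
SELECT cust_id, DECRYPT_CHAR(secret_enc, 'other-placeholder') AS secret
    FROM customer_secret
    WHERE cust_id = 102;

-- The same functions can be called outside a DML statement.
EXECUTE FUNCTION ENCRYPT_AES('constructed-value-0003');
```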