× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. RPG400-L
  3. May 2015

Re: SQL Encryption with Instead of Triggers

On 20-May-2015 15:09 -0500, Darlene Wright wrote:
We have been tasked to encrypt several fields in a data file the
AS400. I have been researching on the best approach with the least
impact, which has brought my attention to SQL encryption using
Instead of Triggers. Does anyone have any insight with this method?
It seems somewhat straight forward using insert, delete and update.

First, the topic seems little or nothing to do with programming RPG[LE]. Even if some RPG might be [intended to be] used, the topic still seems non-RPG.

Second, the idea of encrypting fields in the database with the apparent intent to minimize impacts to existing applications [at least without FieldProc support] is quite specific to the data that would be encrypted and how\what the applications access and update the data. While Instead Of Triggers (IOT) on a VIEW can be helpful in that regard, the standard *BEFORE and *AFTER triggers might suffice with even less impact; all depends on the file layouts, keys, and relations, the applications accessing the data and how, the intention for both the encrypted data and the decryption of that data, and surely other things that did not just now pop into my head.

One method of encrypting the data is to create a _sibling_ TABLE into which to store the encrypted data; typically because the impacts to change the columns from plain-text into encrypted binary-data requires expansion and becomes generally problematic for applications. So the original TABLE could remain identical, but get modified to replace the /private/ data with something like '*PRIVATE' or '*NA' or '*ENCRYPTED'.

Necessarily there is value to create a VIEW as a join by the Primary Key (PK) of the original TABLE to the matching PK of the new sibling TABLE to access the since-encrypted data for each of the /private/ columns. With the addition of the IOTs, that VIEW is then update-capable, and each /update/ [insert, update, delete] is replaced by the same I/O to the based-on TABLEs; applications can see effectively what was the old format, but accessing the VIEW. And when the decryption is enabled, a query of the VIEW returns the decrypted data.

However standard insert\delete\update triggers on the original table would necessarily want to ensure that the sibling TABLE receives the same I/O but with encrypted data [for any application not referencing the VIEW], while also ensuring the /private/ data columns are left unmodified or will get the new /default/ value that exposes the true datum is not visible [e.g. '*NA'] via this TABLE. The encryption of the data in the sibling could be deferred to insert\update triggers. That of course effectively renders the IOT redundant, as the triggers on the TABLEs already handle the work... and the IOT doing an INSERT of ENCRYPT(plain_text) would then have the effect of the sibling TABLE's insert trigger doing ENCRYPT(ENCRYPT(plain_text)).


Do I need to use API's in order to read this data?

If using IOT, then already SQL is involved, so perhaps best to just use what the SQL provides to encrypt and decrypt\read the encrypted data.? Also FWiW, an old topic "Subject: _cipher API vs Qc3Encrypt/Qc3DecryptData vs SQL":
<http://archive.midrange.com/rpg400-l/200803/threads.html#00533>


Is there a "Read" trigger?

Yes, but of no help for showing decrypted data; see FieldProc support in later release(s). In that message thread in the prior link, I tried [and seems likely I failed] to explain why a Read Trigger could be of no help, and that a new feature from the database would have to relieve the insistence that a Read Trigger should allow presenting a program with something other than what was in the database.

And that relief eventually came, with a new feature, but only with the *Enhanced* FieldProc /with _conditional_ masking/ support\feature. See my response in "Subject: Having trouble with FIELDPROC on a database (Column Encryption on Iseries)" <http://stackoverflow.com/questions/29438380/having-trouble-with-fieldproc-on-a-database-column-encryption-on-iseries/29712381#29712381>


What type of Master key.

For SQL, a /password/. "The password used for decryption is either the password-string value or the ENCRYPTION PASSWORD value assigned by the SET ENCRYPTION PASSWORD statement."
<http://www.ibm.com/support/knowledgecenter/api/content/nl/en-us/ssw_ibm_i_61/db2/rbafzscadecrypt.htm>


The data file remains static once we have it on our disk, just need
to retrieve it upon request.

Is the effect perhaps implicit decryption, solely to meet a requirement to have at-rest-data encrypted?


Any insight on encrypting data fields in a file on the IBM AS400
would be much appreciated. We are currently at 6.1.


Although I have not used the support, clearly upgrading to a new release and using the FIELDPROC feature is almost surely the /easiest/ way to make the encrypted field-data happen... with the minimal impact to the application(s).

p.s. Notice how there was no mention of RPG in any followup commentary.


As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.