docs.intersystems.com
Home  /  First Look: Database Encryption


Articles
First Look: Database Encryption
InterSystems: The power behind what matters   
Search:  


This First Look guide introduces you to how InterSystems IRIS™ handles database encryption, which is an important part of any organization’s security strategy.
This First Look guide presents an introduction to database encryption and walks you through some initial tasks associated with creating an encrypted database. Once you’ve completed this guide, you will have created a key file, activated the key file, and then used it to encrypt a database. These activities are designed to use only the default settings and features, so that you can acquaint yourself with the fundamentals of the feature without having to deal with details that are off the topic (though these may be important when performing an implementation). For the full documentation on database encryption, see “Managed Key Encryption” in the InterSystems IRIS Security Administration Guide.
Why Database Encryption Is Important
While encryption does not prevent all improper or unauthorized use or disclosure of confidential or personal information, ensuring encryption of data at rest provides an important layer in the defense of the security of information. Putting encryption in place at the database level provides an added dimension to your information protection controls.
Additionally, many laws and regulations regarding sensitive or personal information recommend or require that the organization processing the data employ encryption as a first line of defense. These include laws and regulations such as:
Note that many of these legal requirements focus on data breaches, as they are an increasingly common phenomenon, but the current framework obligates organizations to address risk through proper security controls, such as role-based access, password protections, intrusion detection, data loss prevention, and logging/auditing — as well as encryption. Encryption alone will not address all mandatory requirements, but provides a secure foundation. Encryption at the database level enhances protections by requiring an attacker to not only gain access to the system or file space, but to also have access to the database. This additional layer provides assurances to the organization, its customers, and any stakeholders.
How InterSystems IRIS Uses Database Encryption
For activities associated with database operations, the InterSystems IRIS encryption and decryption processes are transparent to users. From the perspective of the end user or the application developer, the application simply performs its usual activities and the data is automatically encrypted on disk. From the perspective of the system administrator, there are a few simple tasks to ensure that data encryption occurs; after performing these tasks, again, activities occur invisibly.
What’s more, these activities use a minimum of processor time, so they are likely to have no visible impact on your applications. Further, because of how our databases are constructed, these activities are highly optimized.
Encryption and decryption use the United States Government Advanced Encryption Standard (AES) in Cipher Block Chaining (CBC) mode, often simply known as AES CBC. InterSystems IRIS supports all legal key sizes for AES CBC: 128–, 192–, and 256–bit keys.
InterSystems IRIS performs encryption and decryption using the fastest available implementation. Whenever available, encryption and decryption take advantage of the processor-based instruction sets and their inherent efficiencies. Modern Intel and IBM POWER8 processors have such instructions. InterSystems IRIS automatically detects and uses these instructions, so you don’t have take any actions to make it happen. On Intel processors, these are the Advanced Encryption Standard New Instructions (AES-NI); on IBM, they are the AES VMX instruction set.
You can store database encryption keys either on key management servers that support the key management interoperability protocol (KMIP) or in files that contain encrypted copies of the database keys. Each has its own advantages:
It is important to keep in mind that, while database encryption is an integral part of a security strategy, it cannot address security vulnerabilities alone. Other tools, such as protection for data in motion, are also crucial. This is why database encryption is part of the suite of tools that InterSystems IRIS provides for protecting data. These include:
Trying Database Encryption for Yourself
It’s easy to use InterSystems IRIS database encryption. This simple procedure walks you through the basic steps of setting up an encrypted database.
Before You Begin
To try using database encryption, you’ll need access to a running, licensed instance of InterSystems IRIS.
Creating an Encryption Key
First, create a key file, which automatically has a database encryption key in it:
  1. Log into the Management Portal and go to the Create Encryption Key File page (System Administration > Encryption > Create New Encryption Key File):
    1. In the Key File field, enter a name and path for the key file, such as C:\InterSystems\testkeys.key
    2. In the Administrator Name, Password, and Confirm Password fields, enter values such as testadmin and password. This is just an example case, so don’t reuse a password that you would use in a development environment.
    3. Select the Save button near the top of the page.
You just created the testkeys.key key file in the C:\InterSystems\directory with a key in it that you can use for database encryption. InterSystems IRIS displays a message with the key in it, such as
For more details about creating a key file and its initial key, see Creating a Key File in the “Managed Key Encryption” chapter of the InterSystems IRIS Security Administration Guide.
Activating an Encryption Key
Next, activate the key that you just created:
  1. In the Management Portal, go to the Database Encryption page (System Administration > Encryption > Database Encryption).
  2. On the Database Encryption page, select the Activate Key button:
  3. In the Key File field, enter the location where you stored the key file, such as C:\InterSystems\testkeys.key.
  4. In the Administration Name and Password fields, enter the values you specified (testadmin and password).
  5. Select the Activate button.
You can see the key ID on this page:
For more details about activating a key, see Activating a Database Encryption Key from a Key File in the “Managed Key Encryption” chapter of the InterSystems IRIS Security Administration Guide.
Creating an Encrypted Database
Now, you can create an encrypted database:
  1. Again in the Management Portal, go to the Namespaces page (System Administration > Configuration > System Configuration > Namespaces).
  2. On the Namespaces page, select Create New Namespace. This displays the New Namespace page:
  3. On the New Namespace page, enter the name of the encrypted database that you are going to create, such as encdb.
  4. Next to the Select an existing database for Globals drop-down menu, select the Create New Database button. This displays the Database Wizard:
  5. On the first page of the Database Wizard, in the Enter the name of your database field, enter the name of the database you are creating, such as encdb. Enter a directory for the database, such as C:\InterSystems\IRIS\mgr\encdb. On that page, select Next.
  6. On the next page, change the value of Encrypt database from No to Yes. On that page, select Finish.
  7. Back on the New Namespace page, in the Select an existing database for Routines drop-down menu, select the database you just created, such as encdb.
  8. Select the Save button near the top of the page and then select Close at the end of the resulting log.
You have now created an encrypted database called encdb that uses the key that InterSystems IRIS created when you created the key file. You can use this database just as you would use an unencrypted database. Because InterSystems IRIS hides all the machinery for encryption and decryption, you can perform all operations in the usual way and all your data will be encrypted.
For more details about creating a namespace and its associated database, see Create/Modify a Namespace in the “Configuring InterSystems IRIS” chapter of the InterSystems IRIS System Administration Guide. For background information, see Namespaces and Databases in the Orientation Guide for Server-Side Programming.
Looking at Encrypted Data
Once you have created the encrypted database, you can use it just as you would use any other, unencrypted database. The only difference is how the data is stored. To see the difference between data stored in encrypted and unencrypted databases, you can perform the following, simple test:
  1. In the Terminal for your InterSystems IRIS instance, go to the namespace for the encrypted database. To do this, use the zn command, which in our case would be:
    %SYS>zn "ENCDB"
    ENCDB> 
  2. In the ENCDB namespace, run the following command:
    ENCDB>for i=1:1:1000 set ^x(i)="This is test number "_i
    This creates a thousand persistent variables with content such as This is test number 22.
  3. To confirm that you have succeeded, look at the value of one variable:
    ENCDB>w ^x(22)
    This is test number 22
    ENCDB>
  4. To open the database file, go to its directory. On Windows, for an InterSystems IRIS instance called MyInstance and a database called encdb, the directory is:
    C:\InterSystems\MyInstance\mgr\encdb\
  5. In that directory, open the database file (iris.dat) in an editor. You will see content such as:
  6. Try searching for the string “This is test number” in the file. You won’t find it — because the database is encrypted. In fact, the only unencrypted strings you’ll find are the name of the database or the identifier of its encryption key.
  7. If you perform the same test on an unencrypted database, the resulting file will include content such as:
    Note that the last line of the screen shot contains the values of the variables set in the Terminal.
Other Features Related to Database Encryption
InterSystems IRIS also has other notable database encryption features that may be important for your implementation:
Learn More About Database Encryption
InterSystems has lots of resources to help you learn more about database encryption: