docs.intersystems.com
InterSystems IRIS Data Platform 2019.2  /  Security Administration Guide

Security Administration Guide
Performing Encryption Management Operations


This chapter describes how to perform encryption management operations. Its topics include:
About Encryption Management Operations
InterSystems IRIS™ allows you to use encrypted databases, as described in the chapter “Managed Key Encryption.” There are occasions when you may need to perform encryption management operations on a database, such as:
To perform these operations, InterSystems IRIS provides a set of encryption management tools:
Note:
The encryption management tools do not operate on journal files.
Converting an Unencrypted Database to be Encrypted
To convert an unencrypted database to an encrypted database:
  1. Back up the data in the database to be encrypted.
    InterSystems IRIS encrypts data in place. This means that it uses on-disk space for its operations (not copying the database elsewhere and restoring it to its current disk location after successful completion). If the utility is interrupted before completion, the database will be partly encrypted and partly unencrypted, rendering it unusable.
    Caution:
    It is critical that you back up the database before converting it. Failure to do so can result in data being lost.
  2. Activate the key with which you wish to encrypt the database, either from a key file or a KMIP server.
  3. Start the Terminal.
  4. In the %SYS namespace, run the ^EncryptionKey utility.
  5. In ^EncryptionKey, select option 3, Database encryption.
  6. In the database encryption submenu, select option 7, Modify encrypted status of existing database.
  7. In the Database directories submenu, select the database that you wish to modify; databases are listed by their directories. When you select a database, the routine announces if the database is encrypted or not.
  8. If the database is unencrypted, the routine allows you to encrypt it; at the Encrypt database? prompt, enter yes or y. This is not case sensitive.
  9. At the Select key for encryption prompt, select the key that the routine will use to encrypt the database. If the database is currently mounted, the routine then displays this information.
  10. If the database is currently mounted, the routine states this. At the Dismount database prompt, enter yes or y. This is not case sensitive.
    Important:
    Because dismounting and then remounting a database interrupts its operations, take the appropriate precautions to ensure that this does not cause problems.
The routine then encrypts the database. As part of this process, if the database was mounted, the routine displays messages that it has dismounted and mounted the database. When the database is mounted again, encryption is complete.
Converting an Encrypted Database to be Unencrypted
To convert an encrypted database to an unencrypted database:
  1. Back up the data in the database to be unencrypted.
    InterSystems IRIS decrypts data in place. This means that it uses on-disk space for its operations (not copying the database elsewhere and restoring it to its current disk location after successful completion). If the utility is interrupted before completion, the database will be partly encrypted and partly unencrypted, rendering it unusable.
    Caution:
    It is critical that you back up the database before converting it. Failure to do so can result in data being lost.
  2. Activate the key with which you wish to encrypt the database, either from a key file or a KMIP server.
  3. Start the Terminal.
  4. In the %SYS namespace, run the ^EncryptionKey utility.
  5. In ^EncryptionKey, select option 3, Database encryption.
  6. In the database encryption submenu, select option 7, Modify encrypted status of existing database.
  7. In the Database directories submenu, select the database that you wish to modify; databases are listed by their directories. When you select a database, the routine announces if the database is encrypted or not. If the database is encrypted and its encryption key has not been activated, the routine announces this as well.
  8. If the database is encrypted, the routine allows you to decrypt it; at the Decrypt database? prompt, enter yes or y. This is not case sensitive.
  9. After reporting the encryption key for the database, the routine prompts if you wish to encrypt the database with a different key. Press Enter to simply convert it to a decrypted database and use a new key to encrypt it.
  10. If the database is currently mounted, the routine states this. At the Dismount database prompt, enter yes or y. This is not case sensitive.
    Important:
    Because dismounting and then remounting a database interrupts its operations, take the appropriate precautions to ensure that this does not cause problems.
The routine then decrypts the database. As part of this process, if the database was mounted, the routine displays messages that it has dismounted and mounted the database. When the database is mounted again, decryption is complete.
Converting an Encrypted Database to Use a New Key
To convert an encrypted database to use a new key:
  1. Back up the data in the database to be re-encrypted.
    InterSystems IRIS encrypts data in place. This means that it uses on-disk space for its operations (not copying the database elsewhere and restoring it to its current disk location after successful completion). If the utility is interrupted before completion, the database will be partly encrypted and partly unencrypted, rendering it unusable.
    Caution:
    It is critical that you back up the database before converting it. Failure to do so can result in data being lost.
  2. Activate the keys with which the database is encrypted and with which you wish to re-encrypt the database, either from a key file or a KMIP server.
  3. Start the Terminal.
  4. In the %SYS namespace, run the ^EncryptionKey utility.
  5. In ^EncryptionKey, select option 3, Database encryption.
  6. In the database encryption submenu, select option 7, Modify encrypted status of existing database.
  7. In the Database directories submenu, select the database that you wish to modify; databases are listed by their directories. When you select a database, the routine announces if the database is encrypted or not.
  8. If the database is encrypted, the routine allows you to decrypt it; at the Decrypt database? prompt, enter yes or y. This is not case sensitive.
  9. At the next prompt, which is the Re-encrypt database? prompt, enter yes or y. This is not case sensitive.
  10. At the Select key for encryption prompt, select the key that the routine will use to encrypt the database.
  11. If the database is currently mounted, the routine states this. At the Dismount database prompt, enter yes or y. This is not case sensitive.
    Important:
    Because dismounting and then remounting a database interrupts its operations, take the appropriate precautions to ensure that this does not cause problems.
The routine then re-encrypts the database. As part of this process, if the database was mounted, the routine displays messages that it has dismounted and mounted the database. When the database is mounted again, encryption is complete.
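Step 1 of all three procedures depends on a usable backup, because an interrupted in-place conversion leaves the database unusable. The following pre-flight check is an added example, not part of the InterSystems documentation or tooling; it can be run from the operating system shell before starting ^EncryptionKey. It assumes the database file is named IRIS.DAT inside its database directory, that the backup is a single file, and that a SHA-256 digest was saved beside it as <backup>.sha256 when the backup was taken; the function name and return codes are illustrative.

```shell
#!/bin/sh
# Added example: refuse to start an in-place encryption change unless a
# recent, intact backup exists. Assumptions (not from the page): the database
# file is IRIS.DAT, the backup is one file, and its SHA-256 digest was stored
# in "<backup>.sha256" at backup time. Requires sha256sum and find -mmin.

# preflight_backup_check DB_DIR BACKUP_FILE MAX_AGE_MINUTES
# Returns 0 when the backup looks usable, otherwise:
#   2 usage error            3 database file not found
#   4 backup missing/empty   5 digest missing or mismatched
#   6 backup older than MAX_AGE_MINUTES
preflight_backup_check() {
    [ "$#" -eq 3 ] || return 2
    db_dir=$1; backup=$2; max_age=$3
    case $max_age in ''|*[!0-9]*) return 2 ;; esac

    # Confirm the directory really holds the database to be converted.
    [ -f "$db_dir/IRIS.DAT" ] || return 3

    # A zero-length file is what a failed or interrupted copy often leaves.
    [ -s "$backup" ] || return 4

    # Compare the digest recorded at backup time with the file as it is now,
    # so silent corruption or truncation is caught before it is needed.
    [ -s "$backup.sha256" ] || return 5
    expected=$(cut -d' ' -f1 < "$backup.sha256")
    actual=$(sha256sum < "$backup" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ] || return 5

    # find prints the path only if it was modified within the last
    # max_age minutes; an older backup would lose recent data on restore.
    [ -n "$(find "$backup" -prune -mmin "-$max_age" -print)" ] || return 6
    return 0
}
```

A non-zero return code identifies which precondition failed, so a wrapper script can stop before the Terminal session is opened.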


Copyright © 1997-2019 InterSystems Corporation, Cambridge, MA
Content Date/Time: 2019-09-18 06:45:48