InterSystems IRIS Data Platform 2019.3 / Application Development / Security Administration Guide / Performing Encryption Management Operations

Performing Encryption Management Operations

This chapter describes how to perform encryption management operations.

About Encryption Management Operations

InterSystems IRIS™ allows you to use encrypted databases, as described in the chapter “Managed Key Encryption.” There are occasions when you may need to perform encryption management operations on a database, such as:
  • Converting an unencrypted database to be encrypted
  • Converting an encrypted database to be unencrypted
  • Converting an encrypted database to use a new key
To perform these operations, InterSystems IRIS provides a set of encryption management tools, which have the following characteristics:
  • When built-in hardware instructions are available for encryption-related activities, these activities are considerably faster than when using software-based encryption. The encryption management tools use hardware instructions when they are available.
  • The encryption management tools can use keys stored on a KMIP server.
  • The encryption management tools can run in FIPS mode.
Note:
The encryption management tools do not operate on journal files.

Converting an Unencrypted Database to be Encrypted

To convert an unencrypted database to an encrypted database:
  1. Back up the data in the database to be encrypted.
    InterSystems IRIS encrypts data in place. This means that it uses on-disk space for its operations, rather than copying the database elsewhere and restoring it to its current disk location after successful completion. If the utility is interrupted before completion, the database will be partly encrypted and partly unencrypted, rendering it unusable.
    Caution:
    It is critical that you back up the database before converting it. Failure to do so can result in data being lost.
  2. Activate the key with which you wish to encrypt the database, either from a key file or a KMIP server.
  3. Start the Terminal.
  4. In the %SYS namespace, run the ^EncryptionKey utility.
  5. In ^EncryptionKey, select option 3, Database encryption.
  6. In the database encryption submenu, select option 7, Modify encrypted status of existing database.
  7. In the Database directories submenu, select the database that you wish to modify; databases are listed by their directories. When you select a database, the routine announces if the database is encrypted or not.
  8. If the database is unencrypted, the routine allows you to encrypt it; at the Encrypt database? prompt, enter yes or y. This is not case sensitive.
  9. At the Select key for encryption prompt, select the key that the routine will use to encrypt the database. If the database is currently mounted, the routine then displays this information.
  10. If the database is currently mounted, the routine states this. At the Dismount database prompt, enter yes or y. This is not case sensitive.
    Important:
    Because dismounting and then remounting a database interrupts its operations, take the appropriate precautions to ensure that this does not cause problems.
The routine then encrypts the database. As part of this process, if the database was mounted, the routine displays messages that it has dismounted and mounted the database. When the database is mounted again, encryption is complete.

Converting an Encrypted Database to be Unencrypted

To convert an encrypted database to an unencrypted database:
  1. Back up the data in the database to be unencrypted.
    InterSystems IRIS decrypts data in place. This means that it uses on-disk space for its operations, rather than copying the database elsewhere and restoring it to its current disk location after successful completion. If the utility is interrupted before completion, the database will be partly encrypted and partly unencrypted, rendering it unusable.
    Caution:
    It is critical that you back up the database before converting it. Failure to do so can result in data being lost.
  2. Activate the key with which the database is encrypted, either from a key file or a KMIP server.
  3. Start the Terminal.
  4. In the %SYS namespace, run the ^EncryptionKey utility.
  5. In ^EncryptionKey, select option 3, Database encryption.
  6. In the database encryption submenu, select option 7, Modify encrypted status of existing database.
  7. In the Database directories submenu, select the database that you wish to modify; databases are listed by their directories. When you select a database, the routine announces if the database is encrypted or not. If the database is encrypted and its encryption key has not been activated, the routine announces this as well.
  8. If the database is encrypted, the routine allows you to decrypt it; at the Decrypt database? prompt, enter yes or y. This is not case sensitive.
  9. After reporting the encryption key for the database, the routine asks whether you wish to encrypt the database with a different key. Press Enter to simply convert it to an unencrypted database rather than re-encrypting it with a new key.
  10. If the database is currently mounted, the routine states this. At the Dismount database prompt, enter yes or y. This is not case sensitive.
    Important:
    Because dismounting and then remounting a database interrupts its operations, take the appropriate precautions to ensure that this does not cause problems.
The routine then decrypts the database. As part of this process, if the database was mounted, the routine displays messages that it has dismounted and mounted the database. When the database is mounted again, decryption is complete.

Converting an Encrypted Database to Use a New Key

To convert an encrypted database to use a new key:
  1. Back up the data in the database to be re-encrypted.
    InterSystems IRIS encrypts data in place. This means that it uses on-disk space for its operations, rather than copying the database elsewhere and restoring it to its current disk location after successful completion. If the utility is interrupted before completion, the database will be partly encrypted and partly unencrypted, rendering it unusable.
    Caution:
    It is critical that you back up the database before converting it. Failure to do so can result in data being lost.
  2. Activate the keys with which the database is encrypted and with which you wish to re-encrypt the database, either from a key file or a KMIP server.
  3. Start the Terminal.
  4. In the %SYS namespace, run the ^EncryptionKey utility.
  5. In ^EncryptionKey, select option 3, Database encryption.
  6. In the database encryption submenu, select option 7, Modify encrypted status of existing database.
  7. In the Database directories submenu, select the database that you wish to modify; databases are listed by their directories. When you select a database, the routine announces if the database is encrypted or not.
  8. If the database is encrypted, the routine allows you to decrypt it; at the Decrypt database? prompt, enter yes or y. This is not case sensitive.
  9. At the next prompt, which is the Re-encrypt database? prompt, enter yes or y. This is not case sensitive.
  10. At the Select key for encryption prompt, select the key that the routine will use to encrypt the database.
  11. If the database is currently mounted, the routine states this. At the Dismount database prompt, enter yes or y. This is not case sensitive.
    Important:
    Because dismounting and then remounting a database interrupts its operations, take the appropriate precautions to ensure that this does not cause problems.
The routine then re-encrypts the database. As part of this process, if the database was mounted, the routine displays messages that it has dismounted and mounted the database. When the database is mounted again, encryption is complete.