Thanks for your feedback!
Need to tell us more? Click here or use the Feedback button.

Is this page helpful?

Contents

Additional Encryption Information
Key File Encryption Information
Encryption and Database-Related Facilities
About Calls to Perform Encryption, Hashing, and Other Key-Related Operations

Additional Encryption Information

This topic addresses additional information about InterSystems IRIS® data platform encryption.

Key File Encryption Information

Database encryption administrator names are stored in the clear in the key file. Database encryption administrator passwords are not stored; when entered, they are used, along with other data, to derive key-encryption keys. If someone can successfully guess a valid password, the password policy is too weak. Key-encryption keys are derived using the PBKDF2 algorithm with 512 bits of salt and 65,536 iterations, making dictionary and brute force attacks impractical.

Encryption and Database-Related Facilities

InterSystems IRIS database encryption protects database files themselves. Regarding related facilities in InterSystems IRIS:

InterSystems IRIS online backups are not encrypted. To ensure that the InterSystems IRIS database is encrypted in a backup, it is recommended that you quiesce InterSystems IRIS and then perform a file system backup (as described in External Backup).
In the write image journal (WIJ) file, the blocks for encrypted databases are encrypted.
The IRISTEMP and IRISLOCALDATA databases can optionally be encrypted. To provide encryption for IRISTEMP and IRISLOCALDATA, see Configure Encryption Startup Settings.
You can optionally encrypt journal files; see Configuring Database Encryption Settings.

About Calls to Perform Encryption, Hashing, and Other Key-Related Operations

InterSystems IRIS allows you to perform actions related to data encryption, Base64 encoding, hashing, and generating message authentication codes using various methods of the %SYSTEM.EncryptionOpens in a new tab class. It includes methods that invoke AES encryption, various RSA algorithms, SHA-256 hash functions, and more. Some of the calls include:

An Example of Using RSAEncrypt and RSADecrypt

Below is an example of using the RSAEncrypt and RSADecrypt calls. It assumes that:

The code is running on Windows.
There is an available certificate, private key, and certificate authority (CA) certificate. (To try this example, you will need to obtain these.)
All three of these items are in the C:\Keys\ directory.

See the comments within the example for more details of its operations.

 set dir = "C:\Keys\" 

 // certificate for the instance performing encryption and decryption
 // and private key associated with that above certificate 
 set cert = dir_"test.crt" 
 set key = dir_"test.key" 

 // certificate for the CA of the instance
 set cacert=dir_"ca.crt" 

 set data = "data to be encrypted" 

 // create a local set of X.509 credentials with the 
 // certificate and private key
 set credentials = ##class(%SYS.X509Credentials).%New() 
 set credentials.Alias="TestCreds" 
 write credentials.LoadCertificate(cert) 
 write credentials.LoadPrivateKey(key) 
 write credentials.Save(),! 

 // encrypt the data using the public key in the certificate, write it 
 // to the display, and display error information, if there is any
 set ciphertext=$System.Encryption.RSAEncrypt(data,credentials.Certificate,cacert) 
 write ciphertext,! 
 write $System.Encryption.RSASHA1GetLastError() 
  
 // decrypt the data using the private key, write it to the display,
 // and display error information, if there is any
 write "now decrypting -=-=-=-=-=-=-=-=-=-=-",! 
 set cleartext=$System.Encryption.RSADecrypt(ciphertext,credentials.PrivateKey) 
 write cleartext,! 
 write $System.Encryption.RSASHA1GetLastError()

FIPS-2 Compliance

Handling Emergency Situations