Database encryption overview

When you configure Maximo® Manage, specify encryption keys and encryption algorithms to determine how the fields that require security are encrypted.

Important: You must save the encryption secret, which contains the encryption keys after Maximo Manage deployment is completed. The same keys are used for configuration when you reinstall Maximo Manage with the same database.

The following table describes the Crypto and CryptoX encryption keys for Maximo Manage:

Table 1. Encryption keys
Key	Description
MXE_SECURITY_CRYPTO_KEY	Used to encrypt Crypto fields, such as passwords. For Crypto encryption, if you specify a MXE_SECURITY_CRYPTO_KEY value that matches the MXE_SECURITY_OLD_CRYPTO_KEY value that was used in the previous deployment, no reencryption occurs. If you specify a key value during deployment that does not match the MXE_SECURITY_OLD_CRYPTO_KEY value, the database is reencrypted. The length of the key must be a multiple of 24.
MXE_SECURITY_OLD_CRYPTO_KEY	Specifies the value for the previous Crypto encryption key that was used for the database.
MXE_SECURITY_CRYPTOX_KEY	Used to encrypt CryptoX fields, including API keys, such as the electronic signature key. For CryptoX encryption, if you specify a MXE_SECURITY_CRYPTOX_KEY value that matches the MXE_SECURITY_OLD_CRYPTOX_KEY value that was used in the previous deployment, no encryption changes occur. Because CryptoX values cannot be decrypted and the original value cannot be determined, if you specify a key value in a deployment that does not match the MXE_SECURITY_OLD_CRYPTOX_KEY value, CryptoX values are set to null when encryption is run. The length of the key must be a multiple of 24.
MXE_SECURITY_OLD_CRYPTOX_KEY	Specifies the value for the previous CryptoX encryption key that was used for the database.

The following encryption properties are also supported:

Table 2. Encryption properties
Encryption property	Description
MXE_SECURITY_CRYPTO_ALGORITHM	Default value is `AES`.
MXE_SECURITY_CRYPTO_MODE	Default value is `CBC`.
MXE_SECURITY_CRYPTO_MODULUS
MXE_SECURITY_CRYPTO_PADDING	Default value is `PKCS5Padding`.
MXE_SECURITY_CRYPTO_SPEC	Length must be a multiple of 8.
MXE_SECURITY_CRYPTOX_ALGORITHM	Default value is `AES`.
MXE_SECURITY_CRYPTOX_MODE	Default value is `CBC`.
MXE_SECURITY_CRYPTOX_MODULUS
MXE_SECURITY_CRYPTOX_PADDING	Default value is `PKCS5Padding`.
MXE_SECURITY_CRYPTOX_SPEC	Length must be a multiple of 8.

Note: After the database is installed, only the Crypto and CryptoX encryption keys can be changed.

You can add a value for the MXE_SECURITY_CRYPTO_KEY or MXE_SECURITY_CRYPTOX_KEY encryption keys when you configure the database settings for deployment before you activate the application. If you do not specify an encryption key secret in the Maximo Manage configuration when you activate, the system automatically generates keys and names the secret in the keys by using the following naming convention:

<workspaceId>-<appId>-encryptionsecret

To learn how to specify the encryption secret in the Maximo Manage configuration, see Adding encryption key secret .

Because your database does not function without valid encryption keys, consider implementing the following best practices:

Maintain your encryption keys in a vault or other secure management system for secrets.
Specify your own values for encryption keys instead of using system-generated values. If you use system-generated values and do not create a backup, you cannot retrieve the keys. Without the keys, you cannot use your database.