Encryption and decryption overview

InfoSphere® Guardium Data Encryption performs two main operations: encryption and decryption.

As shown in the following figure, during encryption DB2® or IMS™ application data ("PAUL") is converted to database data that is unintelligible ("x@vg"). Only the person with the cryptographic key label can decrypt the data. The cryptographic key label is assigned by your security administrator.

Decryption is the opposite process. Data is taken from the database ("x@vg") and converted back to its original form ("PAUL").

You can implement data encryption by using an encryption method, which can be a DB2 edit procedure, field procedure, or User Defined Function, or an IMS Segment Edit/Compression exit routine. This encryption method can be called by a DB2 table or an IMS segment. The data is encrypted or decrypted each time an application processes the table or segment. This provides a higher level of data protection than performing encryption at the database level because the data remains encrypted even when it is in the buffer pool not actively being accessed.

You can use different encryption methods for different tables or segments. For example, in IMS, a financial application segment can use one encryption method and a personnel segment can use a different encryption method.

Data remains encrypted during channel I/O. However, when the DBMS gains control, it starts the encryption method to decrypt the data (read processing) and encrypt the data (write processing).

For DB2, log records, image copies, and data buffers are encrypted. For IMS, image copies, data buffers, and log records that log changes to database records are encrypted. IMS data that is decrypted is also logged.

To implement InfoSphere Guardium Data Encryption, the following tasks must be done. Steps 3 and 6 are documented in this information. The remaining steps use other IBM® products and processes and are outside the scope of this information.

1. Set up and validate Integrated Cryptographic Service Facility (ICSF). The setup process consists of installing the hardware configuration data and setting the system master key.
2. Generate a cryptographic key label for use with the table or segment. Store the cryptographic key label in the cryptographic key data set (CKDS).
3. Build the encryption method by using InfoSphere Guardium Data Encryption. This method must specify the generated encryption key label.
4. Back up your data.
5. Unload your data.
6. Create and install the encryption method.
7. Reload the data, during which process the data is encrypted.
8. Validate your output.