Create and manage keys

Keys and key-related data are associated with a keystore. You can create multiple keystores and keys, which are managed through any SQL interface, such as ODBC. Before you create or import a key, you must first create the keystore to hold the key.

Important: Because a key is stored like an external table, it is not captured by a regular backup/restore function. Be sure to back up the key after you create it. You must save all keys, either in the keystore or by exporting them by using SHOW, to verify the signatures in the audit database.
To create a keystore, use the syntax as in the following example:
CREATE KEYSTORE <name> TYPE <type> PASSWORD <password>;
<name>
The name for the keystore.
<type>
The value is LOCAL, the only type currently supported.
<password>
Password that is used as the key encryption key (KEK) for any crypto keys that you create and associate with that keystore.

To create a key in a keystore, use the following command:

CREATE CRYPTO KEY <keystore name>.<key name> TYPE <type>
<keystore name>
Name of the keystore.
<key name>
Name of the key.
<type>
The encryption type. The supported types are asymmetric keys of type DSA_KEYPAIR or DSA_KEYPAIR_2048, and symmetric keys of type AES_256.

Netezza Performance Server uses an encryption key based on the keystore to encrypt and decrypt all the keys in that keystore.

To import a key into a keystore, you use the CREATE CRYPTO KEY command with two additional fields VALUE and PASSWORD, as in the following command:

CREATE CRYPTO KEY <keystore name>.<key name> TYPE <type> VALUE <value> 
PASSWORD <password>
<keystore name>
Name of the keystore.
<key name>
Name of the key.
<type>
The encryption type. The supported types are asymmetric keys of type DSA_KEYPAIR or DSA_KEYPAIR_2048, and symmetric keys of type AES_256.
<value>
The key pair (encrypted form) that you want to import to the keystore. The imported key has a required format that includes three parts separated by the dollar sign ($) character:
  • The first part of the key is the salt value used to create the key based on the password. It is 16 bytes base64 encoded, resulting in a string of 23 padded bytes. Netezza Performance Server uses PBKDF2-SHA256 to derive the password-key from the password string and the salt.
  • The second and third parts are the encrypted key (32 bytes) and initialization vector (16 bytes), for a total of 48 bytes base64 encoded resulting in a string of 64 bytes. The key is encrypted in CBC mode. Netezza Performance Server uses the Botan library for the base64 encoding and encrypt/decrypt functions.
<password>
Used to decrypt the key <value> when you import a key.

The following is a sample command to import a crypto key:

create crypto key mykeyst.mykey1 type aes_256 value
'c2vaXGjnR4b2Sj8hdRqaMQ==$q6fdHB4wfXNm3ySRpugjhzSUuTloPWa7MwhdBUKWUISK
fPJBcfSul/krWk3hG1+7' password 'mysecureword';
SQL language extensions were added for the key and keystore operations, as shown in the following table. You must have MANAGE SECURITY privileges to use these commands.
Table 1. SQL language extensions
Command Meaning
CREATE keystore Creates a keystore
SHOW keystore Displays the keystore configuration in summary or detail (VERBOSE) format
ALTER keystore Changes the keystore parameters
DROP keystore Deletes a keystore
CREATE CRYPTO KEY Sets a key entry
SHOW CRYPTO KEY Displays key-entry details
DROP CRYPTO KEY Deletes a key entry