Defining the ENCRYPT_TDES function for value-level encryption
When you use the ENCRYPT_TDES built-in function for value-level encryption, each value in a given column can be encrypted with a different password. You set the password for each value by using the ENCRYPT keyword with the password.
About this task
The following keywords are used with value-level encryption:
- ENCRYPT_TDES: Indicates which data requires encryption. For value-level encryption, the encryption password, and optionally a password hint, are also supplied as arguments of ENCRYPT_TDES.
Recommendation: Use host variables instead of literal values for all passwords and password hints. If statements contain literal values for passwords and password hints, the security of the encrypted data can be compromised in the Db2 catalog and in a trace report.
- DECRYPT_BIT, DECRYPT_CHAR, DECRYPT_DB: Check for the correct password and decrypt the data when it is selected.
Example
INSERT INTO CUSTOMER (CCN, NAME)
VALUES(ENCRYPT(:cardnum, :userpswd), :custname);
Before the application displays the credit card number for a customer, the customer must enter the password. The application retrieves the credit card number by using the following statement:
SELECT DECRYPT_CHAR(CCN, :userpswd) FROM CUSTOMER WHERE NAME = :custname;
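The following is an added example that is not part of the Db2 documentation page; it puts the ENCRYPT_TDES, DECRYPT_CHAR and password-hint keywords together for two customer rows that are encrypted with different passwords. The CUSTOMER table definition, the host variable names (:custname, :cardnum, :userpswd, :hint) and all sample values are assumptions constructed for illustration.

```sql
-- Added example, not from the Db2 documentation page. Assumes embedded-SQL
-- host variables :custname, :cardnum, :userpswd and :hint; the table layout
-- and every sample value below are constructed for illustration.

-- The ciphertext is longer than the plaintext, so CCN is a FOR BIT DATA
-- column sized for the encrypted value plus the optional hint.
CREATE TABLE CUSTOMER (
  NAME VARCHAR(40) NOT NULL,
  CCN  VARCHAR(64) FOR BIT DATA
);

-- Value-level encryption: each row gets its own password. Password and hint
-- travel in host variables, so no literal password reaches the Db2 catalog
-- or a trace report.
-- Assumed host variable values for this statement:
--   :custname = 'ALICE', :cardnum = '4111111111111111' (constructed test number)
--   :userpswd = 'alicepw01' (6 to 127 bytes), :hint = 'pet name' (up to 32 bytes)
INSERT INTO CUSTOMER (NAME, CCN)
  VALUES (:custname, ENCRYPT_TDES(:cardnum, :userpswd, :hint));

-- Second customer, encrypted with a different password.
-- Assumed host variable values: :custname = 'BOB', :cardnum = '5500000000000004',
--   :userpswd = 'bobpw2024', :hint = 'first car'
INSERT INTO CUSTOMER (NAME, CCN)
  VALUES (:custname, ENCRYPT_TDES(:cardnum, :userpswd, :hint));

-- Show the password hint to a customer who has forgotten the password.
-- The hint is stored with the ciphertext; it never exposes the password.
SELECT GETHINT(CCN) AS PASSWORD_HINT
  FROM CUSTOMER
  WHERE NAME = :custname;

-- Decrypt only after the customer supplies the password. :userpswd must match
-- the password used in this row's ENCRYPT_TDES call; otherwise the statement
-- fails with an SQL error instead of returning plaintext.
SELECT NAME, DECRYPT_CHAR(CCN, :userpswd) AS CCN_CLEAR
  FROM CUSTOMER
  WHERE NAME = :custname;

-- Reading the column without DECRYPT_CHAR returns only ciphertext bytes,
-- which is what any query that does not hold the password should see.
SELECT NAME, CCN FROM CUSTOMER;
```

Because each row carries its own password, a password that decrypts ALICE's row does not decrypt BOB's row; the application must obtain the password from the customer for every value it displays.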