SET ENCRYPTION PASSWORD
The SET ENCRYPTION PASSWORD statement sets the default password and hint that will be used by the encryption and decryption functions. The password is not associated with authentication and is only used for data encryption and decryption.
For information about using this statement, see ENCRYPT_AES, ENCRYPT_RC2, ENCRYPT_TDES, and DECRYPT_BIT, DECRYPT_BINARY, DECRYPT_CHAR and DECRYPT_DB.
Invocation
This statement can be embedded in an application program or issued interactively. It is an executable statement that can be dynamically prepared.
Authorization
If a global variable is referenced in the statement, the privileges held by the authorization ID of the statement must include at least one of the following:
- For each global variable identified in the statement,
- The READ privilege on the global variable, and
- The system authority *EXECUTE on the library containing the global variable
- Administrative authority
Syntax
.- = -. >>-SET--ENCRYPTION PASSWORD--+-----+----------------------------> >--+-password-variable--------+---------------------------------> '-password-string-constant-' >--+--------------------------------------------+-------------->< | .-=-. | '-WITH HINT--+---+--+-hint-variable--------+-' '-hint-string-constant-'
Description
- password-variable
- Specifies a variable that contains an encryption password.
The variable:
- Must be a CHAR, VARCHAR, Unicode GRAPHIC, or Unicode VARGRAPHIC variable. The actual length of the contents of the variable must be between 6 and 127 inclusive or must be an empty string. If an empty string is specified, the default encryption password is set to no value.
- Must not be the null value.
- All characters are case-sensitive and are not converted to uppercase characters.
- password-string-constant
- A character constant. The length of the constant must be between 6 and 127 inclusive or must be an empty string. If an empty string is specified, the default encryption password is set to no value. The literal form of the password is not allowed in static SQL or REXX.
- WITH HINT
- Indicates that a value is specified that will help data owners
remember passwords (for example, 'Ocean' as a hint to remember 'Pacific').
If a hint value is specified, the hint is used as the default for
encryption functions. The hint can subsequently be retrieved for an
encrypted value using the GETHINT function. If this clause is not
specified and a hint is not explicitly specified on the encryption
function, no hint will be embedded in encrypted data result.
- hint-variable
- Specifies a variable that contains an encryption password hint.
The variable:
- Must be a CHAR, VARCHAR, Unicode GRAPHIC, or Unicode VARGRAPHIC variable. The actual length of the contents of the variable must not be greater than 32. If an empty string is specified, the default encryption password hint is set to no value.
- Must not be the null value.
- All characters are case-sensitive and are not converted to uppercase characters.
- hint-string-constant
- A character constant. The length of the constant must not be greater than 32. If an empty string is specified, the default encryption password hint is set to no value.
Notes
Password protection: To prevent inadvertent access to the encryption password, do not specify password-string-constant in the source for a program, procedure, or function. Instead, use a variable.
When connected to a remote relational database, the specified password itself is sent "in the clear". That is, the password itself is not encrypted. To protect the password in these cases, consider using a communications encryption mechanism such as IPSEC (or SSL if connecting between IBM® i products).
Transaction considerations: The SET ENCRYPTION PASSWORD statement is not a committable operation. ROLLBACK has no effect on the default encryption password or default encryption password hint.
Initial encryption password value: The initial value of both the default encryption password and the default encryption password hint is the empty string ('').
Encryption password scope: The scope of the default encryption password and default encryption password hint is the activation group and connection.
Example
Set the ENCRYPTION PASSWORD to the value in :hv1.
SET ENCRYPTION PASSWORD :hv1