Database encryption scenarios

Your deployment scenario determines your encryption and reencryption options. Scenarios include deploying a new database, deploying a previously encrypted database, or changing the encryption keys for deployment.

Deploying a new database

If you deploy a new database, you have two options for database encryption:
Table 1. Encryption for deploying a new database

Option: Provide your own values for the encryption keys.
Action: Specify the values that you want to use for the Crypto and CryptoX encryption keys when you configure your database during deployment.
Result: The database is then encrypted by using the key values that you provide.

Option: Use system-generated keys.
Action: Do not specify key values when you configure your database.
Result: If you do not specify the keys, a secret is automatically generated that contains the new MXE_SECURITY_CRYPTO_KEY and MXE_SECURITY_CRYPTOX_KEY encryption keys. Later, if you need the keys, you can view the keys in the secret.

Deploying a previously encrypted database

The following scenarios can occur if your deployment includes a database that was previously encrypted. For example, you might be upgrading from IBM® Maximo® Asset Management 7.6.0.10 or 7.6.1.2, which are not installed on Red Hat® OpenShift® but can be upgraded to Maximo Manage. You might also be upgrading from a previous Maximo Manage version. The scenarios apply both to a database that previously implemented the default encryption for Maximo Manage and to a database that was encrypted by using a different algorithm or keys.

An existing database that used the default encryption for Maximo Manage and no values were provided for the Crypto or CryptoX key
The database for Maximo Manage no longer uses a default set of keys for encryption. If you have an existing database that used the default encryption, provide the MXE_SECURITY_CRYPTO_KEY and MXE_SECURITY_CRYPTOX_KEY values so that the database can be reencrypted. If your database was previously encrypted by using keys other than the default encryption for Maximo Manage, provide the old MXE_SECURITY_OLD_CRYPTO_KEY and MXE_SECURITY_OLD_CRYPTOX_KEY encryption keys. As a result, the database can be decrypted and then reencrypted.

When you configure the database, select one of the following options for reencryption:

Note: Reencryption always occurs in this scenario.
Table 2. Encryption for existing databases where no values were provided for the encryption keys

Option: Provide your own values for the encryption keys.
Action:
  1. Enter the MXE_SECURITY_CRYPTO_KEY and MXE_SECURITY_CRYPTOX_KEY values.
  2. Do not specify any key values when you configure your database.
Result: The database is reencrypted by using the values that you specified.

Option: Use system-generated keys.
Action:
  1. Do not specify any key values when you configure your database.
Result: The system generates new keys, and the database is reencrypted with the system-generated keys.

An existing database that used values from your own Crypto or CryptoX keys
When you configure the database, select one of the following options for encryption:
Note: The first option is less likely to result in errors. You can change the keys later.
Table 3. Encryption for existing databases where you provided your own values for the encryption keys

Option: Do not reencrypt the database.
Action:
  1. Specify the Maximo Manage security properties, including the MXE_SECURITY_OLD_CRYPTO_KEY and MXE_SECURITY_OLD_CRYPTOX_KEY encryption keys.
  2. Specify the same values for the MXE_SECURITY_CRYPTO_KEY and MXE_SECURITY_CRYPTOX_KEY encryption keys.
Result: Because you specified the same values for the old and new keys, the database is not reencrypted.

Option: Reencrypt the database.
Action:
  1. Specify the Maximo Manage security properties, including the MXE_SECURITY_OLD_CRYPTO_KEY and MXE_SECURITY_OLD_CRYPTOX_KEY encryption keys.
  2. Select one of the following options:
    • Specify values for the new MXE_SECURITY_CRYPTO_KEY and MXE_SECURITY_CRYPTOX_KEY encryption keys.
    • To use system-generated keys, do not specify encryption key values.
Result: The database is reencrypted.

Changing the encryption keys for deployment

The following table describes the tasks for reencrypting the database when you want to change the MXE_SECURITY_CRYPTO_KEY and MXE_SECURITY_CRYPTOX_KEY encryption keys.
Table 4. Encryption by using new encryption keys

Option: Reencrypt the database by using new encryption keys.
Action:
  1. Set the MXE_SECURITY_OLD_CRYPTO_KEY and MXE_SECURITY_OLD_CRYPTOX_KEY encryption keys to the values that the database currently uses for the MXE_SECURITY_CRYPTO_KEY and MXE_SECURITY_CRYPTOX_KEY encryption keys.
  2. Select one of the following options:
    • Specify values for the new MXE_SECURITY_CRYPTO_KEY and MXE_SECURITY_CRYPTOX_KEY encryption keys.
    • To use system-generated keys, do not specify values for the MXE_SECURITY_CRYPTO_KEY and MXE_SECURITY_CRYPTOX_KEY encryption keys.
Result: The database is reencrypted by using the new encryption keys.
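
The following pre-deployment check is an added example, not IBM code: it models Tables 1 to 4 as one function so that a planned set of key properties can be checked for its outcome (encrypt, reencrypt, or no reencryption) before the database is configured. The database-state labels, function names, and sample key values are assumptions made for illustration; only the four property names come from this page.

```python
# Added example: models the decision tables on this page; not IBM code.
CRYPTO, CRYPTOX = "MXE_SECURITY_CRYPTO_KEY", "MXE_SECURITY_CRYPTOX_KEY"
OLD_CRYPTO, OLD_CRYPTOX = "MXE_SECURITY_OLD_CRYPTO_KEY", "MXE_SECURITY_OLD_CRYPTOX_KEY"
# Hypothetical labels for the three database states that the page distinguishes.
NEW, EXISTING_DEFAULT, EXISTING_OWN = "new", "existing-default", "existing-own-keys"


def _pair(props, first, second):
    """Return (a, b) if both properties are set, None if neither is set."""
    a, b = props.get(first), props.get(second)
    if bool(a) != bool(b):
        # Assumption: the page always names the two keys together, so a
        # half-specified pair is treated as a configuration mistake.
        raise ValueError(f"set both {first} and {second}, or neither")
    return (a, b) if a else None


def plan(db_state, props):
    """Return (action, key_source) for a planned deployment."""
    new = _pair(props, CRYPTO, CRYPTOX)
    old = _pair(props, OLD_CRYPTO, OLD_CRYPTOX)
    source = "provided" if new else "system-generated"
    if db_state == NEW:                  # Table 1
        return ("encrypt", source)
    if db_state == EXISTING_DEFAULT:     # Table 2: reencryption always occurs
        return ("reencrypt", source)
    if db_state == EXISTING_OWN:         # Tables 3 and 4
        if old is None:
            raise ValueError(f"{OLD_CRYPTO} and {OLD_CRYPTOX} are required")
        # Assumption: only a match on both keys counts as "the same values".
        if new == old:
            return ("no-reencrypt", "unchanged")
        return ("reencrypt", source)
    raise ValueError(f"unknown database state: {db_state!r}")


# Constructed sample values, not real keys.
current = {OLD_CRYPTO: "old-crypto-example", OLD_CRYPTOX: "old-cryptox-example"}
keep = {**current, CRYPTO: "old-crypto-example", CRYPTOX: "old-cryptox-example"}
rotate = {**current, CRYPTO: "new-crypto-example", CRYPTOX: "new-cryptox-example"}

if __name__ == "__main__":
    for state, props in [(NEW, {}), (EXISTING_DEFAULT, {}), (EXISTING_OWN, keep),
                         (EXISTING_OWN, rotate), (EXISTING_OWN, current)]:
        print(state, plan(state, props))
```

Running the check against the planned properties before deployment shows, for example, that omitting the new keys while supplying the old ones results in reencryption with system-generated keys rather than leaving the database unchanged.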