Database encryption overview

When you configure Maximo® Manage, specify encryption keys and encryption algorithms to determine how the fields that require security are encrypted.

Important: Save the encryption secret, which contains the encryption keys, after the Maximo Manage deployment is completed. The same keys are used for configuration when you reinstall Maximo Manage with the same database.
The following table describes the Crypto and CryptoX encryption keys for Maximo Manage:
Table 1. Encryption keys
Key                           Description
MXE_SECURITY_CRYPTO_KEY       Used to encrypt Crypto fields, such as passwords.

                              For Crypto encryption, if you specify a MXE_SECURITY_CRYPTO_KEY value that matches the MXE_SECURITY_OLD_CRYPTO_KEY value that was used in the previous deployment, no reencryption occurs.

                              If you specify a key value during deployment that does not match the MXE_SECURITY_OLD_CRYPTO_KEY value, the database is reencrypted.

MXE_SECURITY_OLD_CRYPTO_KEY   Specifies the value for the previous Crypto encryption key that was used for the database.

MXE_SECURITY_CRYPTOX_KEY      Used to encrypt CryptoX fields, including API keys, such as the electronic signature key.

                              For CryptoX encryption, if you specify a MXE_SECURITY_CRYPTOX_KEY value that matches the MXE_SECURITY_OLD_CRYPTOX_KEY value that was used in the previous deployment, no encryption changes occur.

                              CryptoX values cannot be decrypted, and the original value cannot be determined. If you specify a key value in a deployment that does not match the MXE_SECURITY_OLD_CRYPTOX_KEY value, CryptoX values are set to null when encryption is run.

MXE_SECURITY_OLD_CRYPTOX_KEY  Specifies the value for the previous CryptoX encryption key that was used for the database.

The following encryption properties are also supported:
Table 2. Encryption properties
Encryption property             Description
MXE_SECURITY_CRYPTO_ALGORITHM   The default value is AES.
MXE_SECURITY_CRYPTO_MODE        The default value is CBC.
MXE_SECURITY_CRYPTO_MODULUS
MXE_SECURITY_CRYPTO_PADDING     The default value is PKCS5Padding.
MXE_SECURITY_CRYPTO_SPEC        The length must be a multiple of 8.
MXE_SECURITY_CRYPTOX_ALGORITHM  The default value is AES.
MXE_SECURITY_CRYPTOX_MODE       The default value is CBC.
MXE_SECURITY_CRYPTOX_MODULUS
MXE_SECURITY_CRYPTOX_PADDING    The default value is PKCS5Padding.
MXE_SECURITY_CRYPTOX_SPEC       The length must be a multiple of 8.

Note: After the database is installed, only the Crypto and CryptoX encryption keys can be changed.
When you configure the database settings for deployment before you activate the application, you can add a value for the MXE_SECURITY_CRYPTO_KEY or MXE_SECURITY_CRYPTOX_KEY encryption keys. If you do not specify an encryption key secret in the Maximo Manage configuration when you activate, the system automatically generates keys. The system names the secret that contains the keys by using the following naming convention:
<workspaceId>-<appId>-encryptionsecret

For more information about how to specify the encryption secret in the Maximo Manage configuration, see Adding encryption key secrets.

Because your database functions only with valid encryption keys, implement the following practices:
  • Maintain your encryption keys in a vault or other secure management system for secrets.
  • Specify your own values for encryption keys instead of using system-generated values. If you use system-generated values and do not create a backup, you cannot retrieve the keys. Without the keys, you cannot use your database.
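
As an added example (not IBM's code and not part of the product), the following Python preflight compares the key values planned for a redeployment against a backed-up copy of the encryption secret and reports, for each key, the outcome that Table 1 describes, without printing any key material. The dictionary layout, the finding names, and the sample key values are constructed for illustration.

```python
import hmac

# Effect of supplying a key that differs from the OLD key, per Table 1.
MISMATCH_EFFECT = {"CRYPTO": "REENCRYPT", "CRYPTOX": "VALUES_SET_TO_NULL"}

def _same(a, b):
    # Constant-time comparison of two key strings.
    return hmac.compare_digest(a.encode(), b.encode())

def preflight(planned, backup):
    """Return {family: [findings]}; key values are never included in the output."""
    report = {}
    for family, effect in MISMATCH_EFFECT.items():
        new = planned.get(f"MXE_SECURITY_{family}_KEY", "")
        old = planned.get(f"MXE_SECURITY_OLD_{family}_KEY", "")
        saved = backup.get(f"MXE_SECURITY_{family}_KEY", "")
        findings = []
        if not saved:
            findings.append("NO_BACKUP_OF_CURRENT_KEY")
        if not new:
            findings.append("KEY_NOT_SPECIFIED")
        elif not old:
            findings.append("OLD_KEY_NOT_SPECIFIED")
        else:
            # The OLD value should be the key the database was last encrypted with.
            if saved and not _same(old, saved):
                findings.append("OLD_KEY_DIFFERS_FROM_BACKUP")
            findings.append("NO_CHANGE" if _same(new, old) else effect)
        report[family] = findings
    return report

# Constructed sample values; real keys come from your vault, not from source code.
BACKUP = {  # keys saved from the previous deployment's encryption secret
    "MXE_SECURITY_CRYPTO_KEY": "constructed-crypto-key-0001",
    "MXE_SECURITY_CRYPTOX_KEY": "constructed-cryptox-key-0001",
}
PLANNED = {  # values about to be supplied for the redeployment
    "MXE_SECURITY_CRYPTO_KEY": "constructed-crypto-key-0002",
    "MXE_SECURITY_OLD_CRYPTO_KEY": "constructed-crypto-key-0001",
    "MXE_SECURITY_CRYPTOX_KEY": "constructed-cryptox-key-0001",
    "MXE_SECURITY_OLD_CRYPTOX_KEY": "constructed-cryptox-key-0001",
}

if __name__ == "__main__":
    for family, findings in preflight(PLANNED, BACKUP).items():
        print(family, ", ".join(findings))
```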