HCL Informix 14.10 - onkstore utility - Remote Key Store
Read my blog on Encryption At Rest (EAR) before this article
HCL Informix 14.10 introduces a new utility, onkstore, to generate the keystore (.p12) and stash file (.sth) for the following types:
- local
- AWS_EAR
- AWS_BAR
Type: local
This type stores the .p12 and .sth files locally, keeping backward compatibility with earlier versions, which stored these files locally. These files are essential for encrypting the data and eventually decrypting it when needed.
No connectivity to the external AWS site is needed for this type. However, since the encryption key files are saved locally on disk, there is a danger of losing them, and with them the encrypted data, which then remains encrypted forever with no way to decrypt it.
Type: AWS_EAR
To avoid losing the encryption key, a new type called AWS_EAR ensures that the encryption key is saved safely and remotely, so that it can be retrieved from Amazon Web Services, while the local files contain only the credentials needed to access AWS and fetch the encryption key.
Even if the locally saved files are lost, they can be regenerated with the credentials. The credentials reveal nothing about the encryption key itself. For this type, the encryption key is retrieved and kept locally when HCL IDS 14.10 boots, and the local copy is used from then on.
Type: AWS_BAR
This type is specifically for backups of the data. Each backup generates a separate encryption key, which is needed to decrypt that backup. HCL Informix accomplishes this with envelope encryption, storing the encrypted encryption key (EEK) within the backup itself. On restore, HCL Informix first decrypts the EEK with the help of data from AWS to obtain the encryption key, and then decrypts the encrypted data. This way, each backup key can be different and is safely preserved alongside its backup without mixing up the encryption keys.
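To make the envelope scheme concrete, here is an added Go example; it is not Informix code and does not use the real backup or keystore format. A fresh data key encrypts each backup, the data key is wrapped under a master key into the EEK stored in front of the backup, and restoring unwraps the EEK first; the AWS-held master key is assumed to be a local 32-byte slice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Constructed backup layout (not the Informix format): [EEK][nonce || AES-GCM ciphertext],
// where EEK = nonce || AES-GCM wrapping of the per-backup data key under the master key.
// In AWS_BAR that master key stays in the remote key store; a local []byte stands in here.
const nonceLen = 12               // standard GCM nonce size
const eekLen = nonceLen + 32 + 16 // nonce + wrapped 256-bit data key + GCM tag
// must panics on the two failures not expected at runtime: wrong key length, failed CSPRNG read.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
// seal returns nonce || AES-GCM(key, nonce, plaintext); open reverses it and fails on the
// wrong key or any change to nonce, ciphertext or tag (callers pass >= nonceLen bytes).
func seal(key, plaintext []byte) []byte {
	nonce := make([]byte, nonceLen)
	must(rand.Read(nonce))
	return append(nonce, gcm(key).Seal(nil, nonce, plaintext, nil)...)
}
func open(key, blob []byte) ([]byte, error) {
	return gcm(key).Open(nil, blob[:nonceLen], blob[nonceLen:], nil)
}
// EncryptBackup draws a fresh 256-bit data key per backup and stores it, wrapped under the
// master key (the EEK), in front of the encrypted data: every backup carries its own key.
func EncryptBackup(masterKey, data []byte) []byte {
	dataKey := make([]byte, 32)
	must(rand.Read(dataKey))
	return append(seal(masterKey, dataKey), seal(dataKey, data)...)
}
// DecryptBackup unwraps the EEK with the master key first, then decrypts the data with it.
func DecryptBackup(masterKey, backup []byte) ([]byte, error) {
	if len(backup) < eekLen+nonceLen {
		return nil, errors.New("truncated backup")
	}
	dataKey, err := open(masterKey, backup[:eekLen]) // a wrong or lost master key fails here
	if err != nil {
		return nil, err
	}
	return open(dataKey, backup[eekLen:])
}
```

Losing the master key leaves every EEK unreadable, which is why the page stresses keeping it remote; losing a single backup never exposes the keys of the others.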
The introduction of the onkstore utility paves the way for any number of remote key storage types in the future.