Column Level and Cell Level Encryption

The encryption and decryption functions support two ways of applying data encryption to a table: column level and cell level encryption.
  • Column level encryption means that all values in a given column are encrypted with the same password (which can be a word or phrase), the same cipher, and the same cipher mode.

    Users of this form of encryption should consider not using the hint feature of these functions, but instead store a mnemonic hint for remembering the password in some other location. Otherwise, the same hint is stored alongside the ciphertext and occupies disk space in every row that contains an encrypted value. Because the hint is stored in cleartext and is retrievable without the password, it must never reveal the password itself.

  • Cell level encryption means that within a column of encrypted data many different passwords (or different ciphers or cipher modes) are used.

    This use of encryption is also called row-column level or set-column level encryption. Compared to column-level encryption, it makes data management more complex: if different rows of the same table require different passwords for decryption, no single SELECT statement can fetch all the decrypted data, because each DECRYPT_CHAR or DECRYPT_BINARY call can supply only one password. In some situations, however, individual users need this technique to protect their own personal data, so that no single password exposes every row.
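The two approaches side by side, as an added example that is not taken from the HCL OneDB documentation itself. The table name, column names, column sizes, passwords and hints are all assumed for illustration; the statements use the SET ENCRYPTION PASSWORD statement, the ENCRYPT_AES, DECRYPT_CHAR and GETHINT functions, and an LVARCHAR column sized to hold the ciphertext, which is larger than the plaintext.

```sql
-- Assumed table: ciphertext is stored in a character column that is
-- deliberately larger than the plaintext it protects.
CREATE TABLE employee (
    emp_id   INTEGER PRIMARY KEY,
    name     VARCHAR(60),
    ssn      LVARCHAR(256)   -- holds ENCRYPT_AES output, not plaintext
);

-- Column level encryption: one session password for the whole column.
-- No WITH HINT clause, so no hint is stored in any row (the mnemonic for
-- 'payroll-key-2024' is kept outside the database instead).
SET ENCRYPTION PASSWORD 'payroll-key-2024';

INSERT INTO employee VALUES (1, 'Ann',  ENCRYPT_AES('123-45-6789'));
INSERT INTO employee VALUES (2, 'Bob',  ENCRYPT_AES('987-65-4321'));

-- Because every row shares the session password, a single SELECT
-- decrypts the entire column.
SELECT emp_id, name, DECRYPT_CHAR(ssn) AS ssn_plain
    FROM employee;

-- Cell level encryption: each row carries its own password (and here
-- its own hint, which is stored in cleartext next to the ciphertext).
-- The explicit password argument overrides the session password.
INSERT INTO employee VALUES
    (3, 'Cara', ENCRYPT_AES('111-22-3333', 'cara-secret', 'first pet'));
INSERT INTO employee VALUES
    (4, 'Dev',  ENCRYPT_AES('444-55-6666', 'dev-secret',  'street name'));

-- The hint is readable without any password, so it must not leak it.
SELECT emp_id, GETHINT(ssn) AS hint FROM employee WHERE emp_id IN (3, 4);

-- No single statement can decrypt rows 3 and 4 together: each call to
-- DECRYPT_CHAR takes exactly one password, so the application must issue
-- one query per password (or per user) to read its own data.
SELECT emp_id, DECRYPT_CHAR(ssn, 'cara-secret') AS ssn_plain
    FROM employee WHERE emp_id = 3;
SELECT emp_id, DECRYPT_CHAR(ssn, 'dev-secret')  AS ssn_plain
    FROM employee WHERE emp_id = 4;

-- Decrypting row 3 with the session password would fail: the server
-- raises an error rather than returning garbage, which is the check an
-- application should expect to handle for cell level data.
```

The column size is an assumption; the AES ciphertext, its header and any stored hint all add to the stored length, so size the target column for the longest plaintext plus that overhead rather than for the plaintext alone.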

To protect data security and confidentiality, the database server does not store information in the system catalog to indicate whether any table (or any column or row) includes encrypted data. Similarly, the logical logs of HCL OneDB™ do not record SET ENCRYPTION statements, nor calls to encryption or decryption functions. A practical consequence is that the application, not the server, must keep track of which columns hold ciphertext and which password each row or column was encrypted with; the server retains nothing that would recover a lost password. (The Trusted Facility feature for secure auditing, however, can use the 'STEP' audit-event mnemonic to record execution of the SET ENCRYPTION statement, and can use the 'CRPT' audit-event mnemonic to record successful or unsuccessful calls to DECRYPT_CHAR or DECRYPT_BINARY.)