SET ENCRYPTION PASSWORD statement

Use the SET ENCRYPTION PASSWORD statement to define or reset a session password for the encryption and decryption of character, BLOB, or CLOB values.

Only OneDB supports this statement, which is an extension to the ANSI/ISO standard for SQL. You can use this statement with ESQL/C.

Syntax


1  SET ENCRYPTION PASSWORD 'password'
1  WITH HINT 'hint'
Element Description Restrictions Syntax
hint String that GETHINT returns from an encrypted argument (0 byte) < hint < (32 bytes). Do not include the password in the hint. Expression
password Password (or a multi-word phrase) for data encryption (6 bytes) < password < (120 bytes). Do not specify your login password. Expression

Usage

The SET ENCRYPTION PASSWORD statement declares a password to support data confidentiality through built-in functions that use the Triple-DES or AES algorithms for encryption and decryption. These functions enable the database to store sensitive data in an encrypted format that prevents anyone who cannot provide the secret password from viewing, copying, or modifying encrypted data.

The password is not stored as plain text in the database and is not accessible to the DBA. This security feature is independent of the Trusted Facility feature.

Important: By default, communication between client systems and HCL OneDB™ is in plain text. Unless the database is accessible only by a secure network, the DBA must enable the encryption communication support module (ENCCSM) to provide data encryption between the database server and any client system. Otherwise, an attacker might read the password and use it to access encrypted data.

If the network is not secure, all of the database servers in a distributed query need ENCCSM enabled, so that the password is not transmitted as plain text. For information about how to enable a communication support module (CSM), see your HCL OneDB Administrator's Guide.

Operations on encrypted data tend to be slower than corresponding operations on plain text data, but use of this feature has no effect on unencrypted data.

The SET ENCRYPTION PASSWORD statements can be prepared, and EXECUTE IMMEDIATE can process a prepared SET ENCRYPTION PASSWORD statement.