JADE Database Encryption Overview

Database encryption provides improved security of information held in the database. It makes it difficult to access the stored data except by means of approved access through the database engine.

An unauthorized user can examine the objects stored in an unencrypted database and obtain meaningful information using various file-editing tools, from as simple as Notepad through to a hex editor such as WinHex.

Backups of encrypted databases contain the encrypted data, so you do not require additional encryption to be reasonably confident that a misappropriated backup cannot be harvested for sensitive information without considerable effort and processing power.

The database has a mixture of encrypted and unencrypted files. The database administrator can choose which database map files to encrypt.

The default encryption algorithm used (that is, Advanced Encryption Standard (AES) with a 256-bit key) is provided by the Microsoft software stack (module CNG) and meets the requirements of United States Federal Information Processing Standards (FIPS) 140-2 level 2 certification.

Individual objects are decrypted when they arrive in the JADE Object Manager (JOM) from the database and are encrypted as they leave the JADE Object Manager for the database. The CPU time required for encryption and decryption is provided by the client node where the object is being used.

The database works solely with the encrypted copies of the objects. This saves database CPU time and also means that object images written to the journal and passed to and from client nodes do not require additional encryption.

Only the user-defined portion of each object is encrypted. The object record header, which contains fields such as the OID, is stored as plain text for use by the database engine. The encrypted database files also contain some plain-text records such as object index and freespace index blocks. These blocks have no user data.

Encryption is a two-step process.

An object-specific obfuscator is applied to the plain text, to break up repeated occurrences of the same character.
The encryption algorithm is applied, giving the cipher text to be stored.

Decryption reverses these two steps.

Each database map file has its own AES symmetric key, which is stored in the map file encrypted with the database master key. The master key:

Is a 4096-bit RSA public/private key pair.
Stored in the Microsoft persistent keystore independently from the database.
Has a unique name generated from information stored in the database control file.

The database cannot be started if the correct master key cannot be read from the keystore.

You can determine whether the database encryption master key is present and correct, by calling the System class verifyDbEncryptionMasterKey method.

The master key is exported as readable encrypted text to disk file. It is encrypted using a separately entered passphrase. The file is designed to be printed so that if the electronic version is lost, the text can be typed into a text editor and saved to disk. The exported master key is required if the database is run on another machine (for example, a Synchronized Database Service (SDS)) or when the persistent keystore of the database machine is lost and must be reconstructed.

If the database master key and all exported copies are lost, there is no way to recreate the key or to decrypt any encrypted database files.

Run the batch mode JADE Database Encryption utility jdbcrypt, to perform all database encryption-related functions. Most functions cannot be fully scripted, as they require entry of the master key passphrase using the keyboard.

You must run jdbcrypt from the same account as the database server so that the master key is stored in the correct account keystore.

We recommend that you run the database server under a non-system account.

When you enable database encryption, client-node authentication and authorization is also enabled. This requires a value to be specified in the SspiAuthServicePrincipalName parameter in the [JadeClient] section of the JADE initialization file on the client node. The simple form value for this entry is the account name used to run the database server.

The client node terminates with error 3574 if this parameter is not present. For more details, see "Service Principal Names", later in this chapter.

New files added to databases using the jadload or jadloadb Schema Load utility are unencrypted, by default. You can use the optional MandatoryFullEncryption argument in the EnableDatabaseEncryption action to prevent objects from being added to new files before they are encrypted.

Mandatory full encryption does not cause files to be automatically encrypted. No files are automatically encrypted.

New map files added to a database are always added as unencrypted, regardless of the setting of the optional MandatoryFullEncryption argument. Should these files require encryption or the MandatoryFullEncryption argument is set to true, the files must be manually encrypted using the JADE Database Encryption utility (jdbcrypt.exe).

When MandatoryFullEncryption is set to true, it requires that all map files are encrypted before any attempt is made to create new objects in any map file, or exception 3345 (DbCrypt Cannot create user objects in unencrypted files) is raised.

Situations in which a database may be partially encrypted and where MandatoryFullEncryption should be set to false are as follows.

Only certain map files contain data sensitive enough to require encryption
Map files that can be created by the user logic are unencrypted and as such, would be unable to create objects

For more details about database encryption, see the following subsections.