AES Encryption Quick Start
A quick start guide to adding AES encryption to your FairCom DB data
FairCom DB provides encryption for data at rest and in transit. For data at rest, it can optionally encrypt data, index, and log files. For data in transit, it can optionally encrypt all TCP/IP communications with the database.
Encryption Process
You can encrypt some or all data, index, and log files in a c-tree database. Each file can be encrypted separately using different encryption settings, such as different encryption ciphers and strengths. FairCom DB automatically generates a unique encryption key, called a File Encryption Key, for each file it encrypts and stores that key inside the file it protects.
When you create an encrypted file or use the ctcmpcif utility to rebuild it with encryption enabled, FairCom DB uses a Master Password to encrypt the File Encryption Key, which it then stores inside the file. This increases security because each file is automatically encrypted with a different key. This simplifies key management because you can supply the Master Password once and FairCom DB can decrypt all encrypted files.
Before you enable encryption, you must first choose a Master Password and use the ctcpvf utility to create a Master Password Verification file. This file does not contain the Master Password. It verifies the authenticity of the Master Password before the database attempts to use it to decrypt File Encryption Keys.
When you start the database it prompts you for the Master Password. Without the Master Password, FairCom DB cannot decrypt files that are encrypted.
If you want the database to run automatically without prompting you for the Master Password, you can use the ctcpvf utility to create a Keystore File. This file stores an encrypted version of the Master Password that only FairCom DB can decrypt. You must use OS file privileges to carefully protect the Keystore File.
Supported Encryption Algorithms
FairCom DB supports advanced AES data encryption in multiple bit strengths:
- AES (Rijndael) - 128, 192 and 256 bit -- ctAES16, ctAES24, ctAES32
It’s easiest to set up advanced encryption with a fresh server install. If this is not possible, you need to shut down FairCom DB and delete all .FCS files, including FAIRCOM.FCS.
Note: Deleting FAIRCOM.FCS results in loss of all FairCom DB users/passwords. This also resets the ADMIN account password to admin.
Enabling Advanced Encryption
Shut down the FairCom database, add ADVANCED_ENCRYPTION YES to the ctsrvr.cfg configuration file, and restart the database.
Key Management
Two keys are used in advanced encryption.
File Encryption Keys - The database generates a random encryption key to encrypt each data and index file during initial physical file creation. It is embedded in the file and remains the decryption key for the length of a file’s existence.
Master Password - A single Master Password encrypts all File Encryption Keys. A Master Password is required when using any available encryption algorithm. This key can be rotated as needed by re-encrypting existing data encryption keys. File data is NOT re-encrypted when changing the master key, only File Encryption Keys are re-encrypted. Loss of the Master Password means that File Encryption Keys cannot be obtained and this prevents the database from decrypting data and index files.
Keystore File
Once encrypted, the database requires the master key at server startup. There are two ways to provide the master key: (1) enter it upon database startup or (2) save an encrypted version of it into the Keystore file that only the database can open automatically upon startup.
You use the utility called ctcpvf to create a Keystore file. It prompts a user for a master passphrase (maximum 64 characters), encrypts the master passphrase, and saves and protects the generated password verification file ctsrvr.pvf. Loss of this file will prevent access to encrypted data. It can be regenerated with the identical prior master passphrase.
DO NOT LOSE OR FORGET YOUR MASTER PASSPHRASE. It is the sole key allowing access to any encrypted data.
By default, when advanced encryption is enabled FairCom DB Server prompts for this passphrase on every startup. Consider the Keystore option below to automate a startup sequence.
Keystore - Create a master key file using the ctcpvf -s option. This creates a keystore file that can be used for automating server startup. Add MASTER_KEY_FILE <keystore filename> to ctsrvr.cfg to avoid entering the master password at each server start.
Note: Your keystore file should be protected with the highest operating system permissions allowable with only the FairCom DB Server able to read this file.
The master key can be changed with the ctencrypt or ctadmn utilities. ALLOW_MASTER_KEY_CHANGE must be enabled to allow changing the master key via the Security() API.
Refer to the following pages regarding advanced encryption:
https://docs.faircom.com/doc/ctreeplus/#74296.htm
https://docs.faircom.com/doc/ctreeplus/#30280.htm
Start FairCom DB Server. If you deleted FAIRCOM.FCS remember to reset all users/passwords to prior values. Encryption and reading of encrypted data is transparent at this point.
File Encryption
Encryption is a per-file attribute. You can choose to encrypt or not encrypt files as they are first created. Once created, they maintain their assigned encryption properties. Different encryption options can be assigned to different files. Encryption is assigned to each physical file created under FairCom DB. (Remember, multiple indexes can reside in a single FairCom DB physical index file.)
Here is pseudo-code demonstrating file encryption:
ISAM file creation
SetEncryption(ctAES32, NULL, 1); // Enable encryption: files created from here on use AES-256
CreateIFile(IFIL);               // This file is created encrypted
SetEncryption(ctAES32, NULL, 0); // Disable encryption (keylen 0)
Refer to the SetEncryption() API for available encryption algorithms. Note that once SetEncryption() is called, all files created from that point forward are created encrypted with the designated algorithm. To disable (or change) encrypted file creation, call SetEncryption() as shown below (a keylen of 0 disables encryption):
SetEncryption(NULL, NULL, 0); // keylen 0: subsequent files are created unencrypted
SQL file creation
CREATE TABLE MYENCRDATA (ID INTEGER, NAME VARCHAR(100))
STORAGE_ATTRIBUTES 'ENCR=AES32';
Refer to the SQL reference Storage Attributes page for available encryption methods.
Changing a File’s Encryption
Changing a file’s encryption key or cipher requires decrypting and re-encrypting all data in the file. You can use our compact utility, ctcmpcif, to rebuild a file. The utility has options to compact and re-encrypt a file as well as reassign serial numbers, change sector size, add Hot Alter Table support, repair damaged records, etc. Use the -encrypt=[cipher] option to change the file’s encryption cipher and to automatically generate a new File Encryption Key. The utility creates a copy of a file with the new features and when done, it automatically replaces the old file with the new. Before it starts, it acquires an exclusive lock on the file. This prevents the file from processing any transactions during the rebuild process.
Remember to use the client-server version of ctcmpcif provided in \tools\cmdline\admin\client of your FairCom DB distribution.
Accessing Encrypted Data
Opening and reading of encrypted files is transparent, and no further action is required to access your encrypted data once the correct master password phrase has been used to start the FairCom DB database engine.
Transaction Logs
Database changes are written to transaction logs when transaction processing is enabled for those files. By default transaction logs are not encrypted and can remain temporarily on the filesystem in unencrypted form even when advanced encryption is enabled. Transaction logs are encrypted using AES 256 bit encryption when the LOG_ENCRYPT configuration option is set to YES.
Note: When changing the master key, and transaction log encryption is enabled, you must also update encryption keys for any existing transaction logs with the ctencrypt utility.
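The settings discussed above (ADVANCED_ENCRYPTION and MASTER_KEY_FILE in ctsrvr.cfg, LOG_ENCRYPT for transaction logs, and the requirement that only the server can read the keystore file) are easy to audit before startup. The following is an added example, not FairCom code: it parses a constructed ctsrvr.cfg fragment and reports the weak settings; the keyword/value line layout and ';' comment marker are assumptions, and the keystore it creates is a placeholder file used only to check permissions.

```python
import os, stat, tempfile

# Constructed fragment of a ctsrvr.cfg (not a real FairCom file). The keywords
# are those the quick start names; ';' as a comment marker is an assumption.
SAMPLE_CFG = """
ADVANCED_ENCRYPTION YES
MASTER_KEY_FILE ctsrvr.key
LOG_ENCRYPT NO
"""

def parse_cfg(text):
    """Map 'KEYWORD value' lines to {KEYWORD: value}; blank and comment lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        parts = line.split(None, 1)
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def keystore_is_private(path):
    """True if the keystore exists and carries no group/other permission bits."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return not (mode & (stat.S_IRWXG | stat.S_IRWXO))

def audit_cfg(text, cfg_dir="."):
    """Return findings for the encryption settings the quick start covers."""
    s = parse_cfg(text)
    findings = []
    if s.get("ADVANCED_ENCRYPTION", "NO").upper() != "YES":
        findings.append("ADVANCED_ENCRYPTION is not YES: new files are not created encrypted")
    if s.get("LOG_ENCRYPT", "NO").upper() != "YES":
        findings.append("LOG_ENCRYPT is not YES: transaction logs stay on disk unencrypted")
    keystore = s.get("MASTER_KEY_FILE")
    if keystore and not keystore_is_private(os.path.join(cfg_dir, keystore)):
        findings.append("MASTER_KEY_FILE %s is missing or readable by group/other" % keystore)
    return findings

def demo(mode=0o600):
    """Audit SAMPLE_CFG against a constructed placeholder keystore created with the given mode."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "ctsrvr.key")
    with open(path, "w") as fh:
        fh.write("constructed placeholder, not a real keystore\n")
    os.chmod(path, mode)
    return audit_cfg(SAMPLE_CFG, cfg_dir=d)
```

Run demo() with 0o600 and the only finding is the unencrypted transaction logs; loosen the keystore mode and the permission finding appears as well.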
Encryption in Transit over TCP/IP
FairCom Database Engine can encrypt all communications across TCP/IP. Refer to our documentation on Transport Layer Security for details for your client driver and API.
Core File Dump is Never Encrypted
While not expected, a segmentation fault can cause the operating system to write a core dump of the process's memory. Further, a sysadmin or user with process privileges can force a core dump of the FairCom Database process. This data is outside the control of the database and cannot be encrypted. System administration precautions and standard physical access security procedures apply.