About Managed Key Encryption
InterSystems IRIS® data platform includes support for managed key encryption, a suite of technologies that protects data at rest. These technologies are:
Block-level database encryption, also known simply as database encryption — A set of administrative tools to allow creation and management of databases in which all the data is encrypted. Such databases are managed through the Management Portal.
Data-element encryption for applications, also known simply as data-element encryption — A programmatic interface that allows applications to include code for encrypting and decrypting individual data elements (such as particular class properties) as they are stored to and retrieved from disk.
Encryption key management, also known simply as key management — A set of tools for creating and managing the keys that are used to encrypt either databases or data elements.
Keys for encrypting either databases or data elements are known as data-encryption keys and may also be known simply as keys (when the context is clear). Each instance can simultaneously have up to 256 data-encryption keys activated for database encryption and up to four data-encryption keys activated for data-element encryption; activating a key makes it available for encryption and decryption operations.
Encryption keys can be stored in two ways:
On standard machines in key files
On dedicated hardware on which keys are accessible via the Key Management Interoperability Protocol (KMIP)
You can simultaneously use a key in a key file for database encryption and data-element encryption.
InterSystems IRIS uses AES (the Advanced Encryption Standard) to perform its encryption and decryption when an instance writes to or reads from disk. For databases, InterSystems IRIS writes and reads in fixed-length blocks, and the entire database is encrypted, except for the single label block; this encrypted content includes the data itself, indices, bitmaps, pointers, allocation maps, and incremental backup maps. For data elements, only the specified data is encrypted, and a unique identifier for the encryption key is included with the encrypted data on disk.
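The stored form described above for data elements (the encrypted value together with an identifier of the key that protects it) is the detail that lets an instance keep several data-element keys active and still read every element. The Go program below is an added illustration of that record layout, not InterSystems code and not IRIS's actual on-disk format: it models a ring of activated keys (capped at four, the page's stated limit for data-element keys), writes a key identifier in front of each encrypted element, and uses that identifier to select the key at decryption time. AES-GCM, the 4-byte identifier and the 256-bit key size are choices made for this example; the page specifies only that AES is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Illustrative model only (not InterSystems code). The page states that at
// most four data-element keys may be active at once; the cap follows that.
const maxActiveDataElementKeys = 4

// Size of the key identifier stored with each element (chosen for this example).
const keyIDLen = 4

// KeyRing models the set of data-encryption keys an instance has activated.
type KeyRing struct {
	keys map[uint32][]byte // key identifier -> 32-byte AES key
}

func NewKeyRing() *KeyRing { return &KeyRing{keys: make(map[uint32][]byte)} }

// Activate makes a key usable for encryption and decryption under id.
func (r *KeyRing) Activate(id uint32, key []byte) error {
	if len(key) != 32 {
		return errors.New("key must be 32 bytes (AES-256)")
	}
	if _, present := r.keys[id]; !present && len(r.keys) >= maxActiveDataElementKeys {
		return fmt.Errorf("at most %d data-element keys may be active", maxActiveDataElementKeys)
	}
	r.keys[id] = key
	return nil
}

// Deactivate withdraws a key; elements encrypted under it can no longer be read.
func (r *KeyRing) Deactivate(id uint32) { delete(r.keys, id) }

// Encrypt protects one data element under key id and returns the stored record:
// [key id | nonce | AES-GCM ciphertext and tag]. The key id is in the clear so
// the reader can pick the right key, and is bound as associated data so that
// altering it on disk is detected instead of decrypting under the wrong key.
func (r *KeyRing) Encrypt(id uint32, plaintext []byte) ([]byte, error) {
	key, ok := r.keys[id]
	if !ok {
		return nil, fmt.Errorf("key %d is not activated", id)
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	header := make([]byte, keyIDLen)
	binary.BigEndian.PutUint32(header, id)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	record := make([]byte, 0, keyIDLen+len(nonce)+len(plaintext)+aead.Overhead())
	record = append(record, header...)
	record = append(record, nonce...)
	return aead.Seal(record, nonce, plaintext, header), nil
}

// Decrypt reads the key identifier from the record, looks the key up in the
// ring, then authenticates and decrypts the element.
func (r *KeyRing) Decrypt(record []byte) ([]byte, error) {
	if len(record) < keyIDLen {
		return nil, errors.New("record too short to carry a key identifier")
	}
	header := record[:keyIDLen]
	id := binary.BigEndian.Uint32(header)
	key, ok := r.keys[id]
	if !ok {
		return nil, fmt.Errorf("key %d is not activated; element cannot be read", id)
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	body := record[keyIDLen:]
	if len(body) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("record truncated")
	}
	nonce, sealed := body[:aead.NonceSize()], body[aead.NonceSize():]
	return aead.Open(nil, nonce, sealed, header)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	ring := NewKeyRing()
	k1, k2 := make([]byte, 32), make([]byte, 32)
	rand.Read(k1)
	rand.Read(k2)
	_ = ring.Activate(1, k1)
	_ = ring.Activate(2, k2)

	// Constructed sample: one property value encrypted under key 2.
	rec, _ := ring.Encrypt(2, []byte("constructed property value"))
	fmt.Printf("stored key id: %d, record length: %d bytes\n",
		binary.BigEndian.Uint32(rec[:keyIDLen]), len(rec))
	pt, err := ring.Decrypt(rec)
	fmt.Printf("decrypted: %q, err: %v\n", pt, err)

	ring.Deactivate(2)
	_, err = ring.Decrypt(rec)
	fmt.Println("after deactivating key 2:", err)
}
```

Two behaviours in the model are the ones worth noticing from a defender's view. Deactivating a key leaves its records intact but unreadable, which is why key management (backup and controlled activation of keys) is a component of the suite alongside the encryption itself. Binding the stored key identifier into the authenticated data means a record whose identifier has been changed fails decryption rather than being silently processed under another active key.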
Encryption and decryption are optimized, and their performance overhead is both deterministic and small on every InterSystems IRIS platform. For information about how InterSystems IRIS database encryption affects facilities related to but separate from databases, see Encryption and Database-Related Facilities.