Additional Encryption Information
This topic addresses additional information about InterSystems IRIS® data platform encryption.
Key File Encryption Information
Database encryption administrator names are stored in the clear in the key file. Database encryption administrator passwords are not stored; when entered, they are used, along with other data, to derive key-encryption keys. If someone can successfully guess a valid password, the password policy is too weak. Key-encryption keys are derived using the PBKDF2 algorithm with 512 bits of salt and 65,536 iterations, making dictionary and brute force attacks impractical.
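The following Python script is an added illustration of the key-file design just described; it is not InterSystems code and does not reproduce the actual IRIS key-file format. It keeps the two figures the page gives (a 512-bit salt and 65,536 PBKDF2 iterations) and shows why they matter: the administrator name and salt are the only things persisted, the key-encryption key (KEK) exists only in memory and is re-derived from the entered password, the per-record salt defeats precomputed dictionaries, and the iteration count sets the cost of every single guess. The PRF (HMAC-SHA-256), the 256-bit KEK length and the record layout are assumptions made for this example.

```python
# Added example (not InterSystems code): password-derived key-encryption
# keys with the parameters the page states for the IRIS key file.
import hashlib
import os
import time

SALT_BITS = 512       # from the page: 512 bits of salt
ITERATIONS = 65_536   # from the page: 65,536 PBKDF2 iterations
KEK_LEN = 32          # assumption: 256-bit key-encryption key
PRF = "sha256"        # assumption: the page does not name the PRF


def derive_kek(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive a key-encryption key from a password and a per-record salt.

    Nothing about the password is stored; the KEK only exists while this
    function's result is held in memory.
    """
    if len(salt) * 8 < SALT_BITS:
        raise ValueError("salt must be at least %d bits" % SALT_BITS)
    return hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt,
                               iterations, dklen=KEK_LEN)


def new_admin_record(name: str, password: str):
    """Create an administrator entry.

    Returns (record, kek). The record is what a key file would persist:
    the administrator name in the clear plus a fresh random salt, and no
    password. The KEK is returned separately and is never written out.
    """
    salt = os.urandom(SALT_BITS // 8)
    record = {"name": name, "salt": salt}   # no password, no KEK
    return record, derive_kek(password, salt)


def reopen(record: dict, password: str) -> bytes:
    """Re-derive the KEK from the stored salt and an entered password.

    A wrong password simply yields a different (useless) KEK; there is no
    stored secret to compare against.
    """
    return derive_kek(password, record["salt"])


def guesses_per_second(salt: bytes, iterations: int = ITERATIONS,
                       samples: int = 3) -> float:
    """Measure how many password guesses one core can try per second.

    The iteration count is what makes each guess cost a full PBKDF2 run,
    and the salt means the work cannot be shared across key files.
    """
    start = time.perf_counter()
    for i in range(samples):
        derive_kek("guess-%d" % i, salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    rec, kek = new_admin_record("dbadmin", "correct horse battery staple")
    print("persisted:", rec["name"], rec["salt"].hex()[:16] + "...")
    print("same password reopens:", reopen(rec, "correct horse battery staple") == kek)
    print("wrong password reopens:", reopen(rec, "Correct horse battery staple") == kek)
    rate = guesses_per_second(rec["salt"])
    print("guesses/second on this machine: %.1f" % rate)
    print("seconds for 10^8 guesses: %.0f" % (1e8 / rate))
```

Run it once to see the guess rate on the host; dividing the size of a realistic password search space by that rate makes the page's point about dictionary and brute-force attacks concrete, and the two records created for the same password will always hold different salts and therefore different KEKs.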
About Calls to Perform Encryption, Hashing, and Other Key-Related Operations
InterSystems IRIS allows you to perform actions related to data encryption, Base64 encoding, hashing, and generating message authentication codes using various methods of the %SYSTEM.Encryption class. It includes methods that invoke AES encryption, various RSA algorithms, SHA-256 hash functions, and more. Some of the calls include:
$System.Encryption.AESCBCManagedKeyEncrypt and $System.Encryption.AESCBCManagedKeyDecrypt
$System.Encryption.AESKeyWrap and $System.Encryption.AESKeyUnwrap
$System.Encryption.Base64Encode and $System.Encryption.Base64Decode
$System.Encryption.RSASHASign and $System.Encryption.RSASHAVerify
$System.Encryption.RSAEncrypt and $System.Encryption.RSADecrypt
An Example of Using RSAEncrypt and RSADecrypt
Below is an example of using the RSAEncrypt and RSADecrypt calls. It assumes that:
The code is running on Windows.
There is an available certificate, private key, and certificate authority (CA) certificate. (To try this example, you will need to obtain these.)
All three of these items are in the C:\Keys\ directory.
See the comments within the example for more details of its operations.
 set dir = "C:\Keys\"
 // certificate for the instance performing encryption and decryption,
 // and the private key associated with that certificate
 set cert = dir_"test.crt"
 set key = dir_"test.key"
 // certificate for the CA of the instance
 set cacert = dir_"ca.crt"
 set data = "data to be encrypted"
 // create a local set of X.509 credentials with the
 // certificate and private key
 set credentials = ##class(%SYS.X509Credentials).%New()
 set credentials.Alias = "TestCreds"
 write credentials.LoadCertificate(cert)
 write credentials.LoadPrivateKey(key)
 write credentials.Save(),!
 // encrypt the data using the public key in the certificate, write it
 // to the display, and display error information, if there is any
 set ciphertext = $System.Encryption.RSAEncrypt(data,credentials.Certificate,cacert)
 write ciphertext,!
 write $System.Encryption.RSASHA1GetLastError()
 // decrypt the data using the private key, write it to the display,
 // and display error information, if there is any
 write "now decrypting -=-=-=-=-=-=-=-=-=-=-",!
 set cleartext = $System.Encryption.RSADecrypt(ciphertext,credentials.PrivateKey)
 write cleartext,!
 write $System.Encryption.RSASHA1GetLastError()