Change Field Encryption Key (CHGFLDKEY)

The CHGFLDKEY command allows authorized users to change (rotate) the keys used to encrypt and decrypt data for a field entry in the Encryption Registry. Up to 99,999 keys can be rotated for a field entry.

This command can be used for *INACTIVE field entries, as well as *ACTIVE field entries that store the encrypted field values in an external file.

The following users can use the CHGFLDKEY command:

QSECOFR user profile (unless excluded in the Key Officer settings)
A user profile with *SECADM authority (unless excluded in the Key Officer settings)
A Key Officer that has a *YES specified for the “Maintain Field Enc. Registry” authority setting

This command requires that you have *CHANGE authority to the CRVL002 Validation List (*VLDL) object, which contains the Field Encryption Registry.

Do the following steps to change the keys for a field entry in the Encryption Registry:

Prompt (F4) the command CRYPTO/CHGFLDKEY.
Press F1 on any parameter for complete online help text.
Press Enter after the parameter values are specified.

How to Get There

From the Field Keys Menu, choose option 2, Change Field Encryption Key. Or, in the Work with Field Encryption Registry (WRKFLDENC) panel, choose option 10 for an item. Or, execute the command CHGFLDKEY.

Options

Field identifier (FLDID)

Indicate the unique name of the field entry to change the keys for.

Encryption key label (ENCKEYLBL)

Indicate the label of the Symmetric Key to use for encrypting the field values.

Encryption key store name (ENCKEYSTR)

Indicate the object name and library of the Key Store which contains the Symmetric Key to use for encryption of the field.

The users (or user groups) which need to encrypt values will need to have at least *USE authority to this Key Store object.

The possible values are:

key-store-name Enter the name of the Key Store.

*DEFAULT Use the default Key Store name specified at the Key Policy level.

The possible library values are:

library-name Enter the name of the library where the Key Store is located.

*LIBL Locate the Key Store within the library list.

Decryption key label (DECKEYLBL)

Indicate the label of the Symmetric Key to use for decrypting the field values.

The possible values are:

decryption-key-label Indicate the label of the key to use for decryption.

WARNING: If specifying a different key label than the label specified for encryption, then that decryption key should contain the same key value as the encryption key.

*ENCKEYLBL Use the same label as specified on the ENCKEYLBL parameter.

Decryption key store name (DECKEYSTR)

Indicate the object name and library of the Key Store which contains the Symmetric Key to use for decryption of the field.

The users (or user groups) that need access to the decrypted values will need to have at least *USE authority to this Key Store object.

The possible values are:

key-store-name Enter the name of the Key Store.

*ENCKEYSTR Use the same Key Store as specified on the ENCKEYSTR parameter.

*DEFAULT Use the default Key Store name specified at the Key Policy level.

The possible library values are:

library-name Enter the name of the library where the Key Store is located.

*LIBL Locate the Key Store within the library list.

Copyright © Fortra, LLC and its group of companies.
All trademarks and registered trademarks are the property of their respective owners.
4.0 | 202307100156 | July 2023