Getting Started

This section describes how to quickly configure Powertech Encryption for IBM i’s Symmetric Key Management settings and establish your first Data Encryption Key. These examples use commands; however, the same functions can be accessed using Powertech Encryption for IBM i's menu screens.

By the end of this section, you will know how to:

  1. Configure settings and keys. Use the CHGKEYPCY command to review and/or change the Key Policy settings. See Configuring Settings and Keys.
  2. Add and configure key officers. Use the WRKKEYOFR command to indicate which users can create and manage keys. See Adding and Configuring Key Officers.
  3. Prepare and generate a Master Encryption Key. Use the LODMSTKEY command to prepare a Master Encryption Key (MEK) by loading the passphrase parts, then use the CRYPTO/SETMSTKEY command to generate the MEK using the Loaded Passphrase Parts. See Configuring Master Encryption Keys.
  4. Create a Key Store. Use the CRTKEYSTR command to create a Key Store to contain the Data Encryption Keys (DEKs). See Creating Key Stores.
  5. Create a Data Encryption Key. Use the CRTSYMKEY command to create a Data Encryption Key (DEK) and save it into the Key Store. See Creating a Data Encryption Key (DEK) and Saving it to the Key Store.
NOTE:
  • Commands also have online help text which can be accessed with the F1 key when a command is prompted.
  • Sign in with a user profile that has *ALLOBJ special authority.
  • To protect access to Powertech Encryption for IBM i using authorization lists, see Appendix E: Controlling Access using Authorization Lists.
  • A default key store cannot be added to the Key Policy until it is created, which must happen after setting a master key. When you create the key store, you have the option to make it the ‘default’ key store, which populates this value automatically.

Configuring Settings and Keys

The Key Policy allows an organization to control the environment settings for Powertech Encryption for IBM i’s Key Management System. These settings are encrypted with the Product Encryption Key (PEK) and are stored in the CRYPTO library by default.

Configuring Key Policy Settings

  1. Prompt command CHGKEYPCY with F4. The Change Key Policy (CHGKEYPCY) panel appears.
  2. Specify the policy settings for the Symmetric Key Management System. Consider the following recommendations:
    1. For ease of testing, set MEK Number of Passphrase Parts to 1. When setting up a production environment, set MEK Number of Passphrase Parts to 2 or 3. This protects the MEK (Master Encryption Key) because it can only be regenerated when every passphrase part is entered again, in the original order.
    2. When setting up a production environment, set MEK Each Part by Unique User to *YES. (For testing, if only 1 passphrase is used, there is only one user). To protect the security of a MEK, you should require that each passphrase part is entered by a different user profile. Except in testing or extreme cases, a single user should not know all of the passphrase parts used to generate a MEK.
    3. Set Default Key Store to *NONE for now. You can nominate a Key Store as the default when you create it later in these steps. We suggest using a default Key Store so that the requester (the programmer or application) does not have to specify the Key Store name when requesting a DEK (Data Encryption Key) for encryption or decryption. Besides being convenient for the requester, this avoids spreading the name and location of the Key Store object across application programs.
    4. Set DEK can be Randomly Generated to *YES. Randomly generated DEKs provide the highest level of protection because they cannot be regenerated from a passphrase; the key value exists only inside the Key Store.
    5. Set DEK can be Passphrase Based to *NO. A passphrase-based DEK can be regenerated if the party knows the passphrase and algorithm used to generate the DEK. Therefore a passphrase-based DEK is not as secure as a randomly generated DEK. You should only allow passphrase-based generated DEKs if those DEKs need to be regenerated on other platforms.
    6. Set DEK can be Manually Entered to *NO. A manually-entered DEK value is the least secure since this DEK value could be used to decrypt data without using Powertech Encryption APIs and security mechanisms. You should only allow the manual entry of DEK values when needing to store/use DEKs which were generated on other platforms.
    7. Set DEK Values can be Retrieved to *NO or *KEK. If a DEK value is retrievable, then the DEK actual Key value could be used to decrypt data without using Powertech Encryption APIs and security mechanisms. This should only be allowed if the key values need to be shared with another computer system (which is not an IBM i) that needs to encrypt or decrypt data using the same key.
    8. In a test environment, set DEK Encrypt and Decrypt Usage by Owner to *YES. In a production environment, to provide separation of duties and to help protect the security of encrypted data, set these values to *NO. In production, the creator of a DEK should not be able to use the DEK to encrypt and decrypt data.
    9. Set DEK can be Deleted to *NO. The organization may have existing data which is encrypted with a DEK. The accidental deletion of a DEK may result in unrecoverable data.
    10. Set Limit all-object authority to *NO in your test environment for ease of testing. This allows all user profiles that have *ALLOBJ special authority to access key stores and authorization lists. In a production environment, set Limit all-object authority to *YES to enforce the use of object authority and authorization lists, to limit even *ALLOBJ profile users’ access to sensitive data.

You can also use the command line to quickly apply your settings:

EXAMPLE:
For a test environment (the owner-usage settings and LMTALLOBJ(*NO) are relaxed only for testing, as recommended above):
CRYPTO/CHGKEYPCY MEKPRT(1) MEKUNQUSR(*YES) DEKRNDGEN(*YES) DEKPASBSD(*NO) DEKMANENT(*NO) DEKRTVVAL(*NO) DEKENCOWN(*YES) DEKDECOWN(*YES) DEKDLTALW(*NO) LMTALLOBJ(*NO)
EXAMPLE:
For a production environment:
CRYPTO/CHGKEYPCY MEKPRT(2) MEKUNQUSR(*YES) DEKRNDGEN(*YES) DEKPASBSD(*NO) DEKMANENT(*NO) DEKRTVVAL(*NO) DEKENCOWN(*NO) DEKDECOWN(*NO) DEKDLTALW(*NO) LMTALLOBJ(*YES)

Adding and Configuring Key Officers

Key Officers are those users that are authorized to create and manage Master Encryption Keys (MEKs), Key Stores, Data Encryption Keys (DEKs) and the Field Encryption Registry. 

NOTE: A user does not need to be a Key Officer to encrypt and decrypt data.

Adding Key Officers

  1. Submit the command CRYPTO/ADDKEYOFR. This opens the Add Key Officer (ADDKEYOFR) panel, where you can add a new key officer.
  2. Specify the new key officer's user profile and review/configure the remaining settings. See Work with Key Officers (WRKKEYOFR) panel for details.
  3. Press Enter to add the Key Officer.
NOTE: You can also use the Work with Key Officers (WRKKEYOFR) command, referenced in step 2, to review and manage existing Key Officers.

Configuring Master Encryption Keys

A Master Encryption Key (MEK) is a 256-bit AES symmetric key used to protect (encrypt) the Data Encryption Keys (DEKs) contained in a Key Store. An organization can create up to 8 MEKs per environment on the IBM i (though it is common to create and use just 1 MEK). For instance, one MEK could be created to encrypt the Order Entry DEKs contained in a Key Store, and a second MEK could be created to encrypt the Payroll DEKs contained in another Key Store.

An MEK is generated by Powertech Encryption for IBM i using passphrases entered by designated Key Officers. Depending on the organization’s key policy, up to 8 different passphrases can be required (by different users) in order to generate an MEK.

The Master Encryption Keys (MEK) are stored in a product-supplied validation list (*VLDL) object. The MEKs are encrypted with the Product Encryption Key (PEK).

NOTE: To display existing Master Key Attributes, see Display Master Key Attributes (DSPMSTKEY). You can clear an existing Master Encryption Key using Clear Master Encryption Key (CLRMSTKEY).

Master Encryption Key (MEK) Versions

Each MEK can have up to three versions which are named *NEW, *CURRENT and *OLD:

*NEW Version

The *NEW version of an MEK is the version in which passphrases are being entered (loaded) by users with the LODMSTKEY (Load Master Key) command. The *NEW version cannot be used to encrypt DEKs within Key Stores. In order to convert the *NEW version into the *CURRENT version, an authorized Key Officer must set the Master Key using the CRYPTO/SETMSTKEY command.

*CURRENT Version

The *CURRENT version of an MEK is the current version that can be associated with Key Stores. 

*OLD Version

The *OLD version of an MEK is the prior *CURRENT version of the MEK. The *OLD version cannot be associated with new Key Stores. However, DEKs in current Key Stores may still be encrypted under the *OLD version until they are translated (using the TRNKEYSTR command).

NOTE: Once an *OLD version of an MEK exists, any Key Store whose DEKs are still encrypted under it must be translated (TRNKEYSTR) to the *CURRENT version before you set another *NEW version as *CURRENT with SETMSTKEY. That step discards the *OLD version, and with it the ability to decrypt any DEKs still encrypted under it.

Preparing a Master Encryption Key (MEK) by Loading the Passphrase Parts

  1. Submit the command LODMSTKEY.
  2. Configure the fields as needed. Enter the ID Number, MEK Passphrase Part, and Passphrase, as well as whether the passphrase will replace an existing passphrase for the part specified. See Load Master Encryption Key (LODMSTKEY) panel for the details and rules required for these fields.

    WARNING:
    The passphrase parts used to load a MEK should be recorded in a safe place (not on the IBM i). An MEK will not be usable if it’s copied or restored to another IBM i serial number. If you want to recreate the same MEK on another IBM i serial number (i.e. in a disaster recovery situation), these same passphrase parts will have to be re-entered (loaded) in the same order.

  3. Press Enter to load the Master Encryption Key.
NOTE: Maintenance of Master Encryption Keys is logged into an audit file.

You can also use the command line to quickly apply these settings. In a test environment, consider using a single passphrase to simplify your initial setup and testing:

EXAMPLE:
CRYPTO/LODMSTKEY MEKID(1) MEKPRT(1) PASSPHRASE(Passw0rd)

In a production environment, multiple passphrase parts are recommended for enhanced security. Repeat the LODMSTKEY command for MEKPRT(2), MEKPRT(3) and so on until every part required by your Key Policy has been loaded, with each part entered by a different user profile when MEK Each Part by Unique User is *YES.

Generating the MEK using the Loaded Passphrase Parts

WARNING: The SETMSTKEY command moves the existing *CURRENT version of the MEK to *OLD and discards the version that was *OLD. Before running this command, use the TRNKEYSTR command to translate (re-encrypt) any DEKs in Key Stores that are still encrypted with the *OLD version of the MEK; after SETMSTKEY that version is no longer available and those DEKs could not be recovered.

After all of the required passphrase parts have been entered (loaded) for a MEK, the *CURRENT version of the MEK can be set with the SETMSTKEY command. To do so:

  1. Submit the command CRYPTO/SETMSTKEY.
  2. Indicate the id number of the Master Encryption Key (MEK) to set. See Set Master Encryption Key (SETMSTKEY) panel for details, including an explanation of the specific programmatic actions performed by the command.
  3. Press Enter.
NOTE: After running SETMSTKEY, if existing Key Stores contain DEKs encrypted with the previous *CURRENT version of this MEK (now *OLD), run the TRNKEYSTR command to translate (re-encrypt) those DEKs under the new *CURRENT version.

You can also use the command line to quickly apply these settings:

EXAMPLE:
CRYPTO/SETMSTKEY MEKID(1)
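The following is an added illustration of the MEK version lifecycle described above (*NEW loaded with LODMSTKEY, promoted to *CURRENT with SETMSTKEY, the previous *CURRENT retired to *OLD) and of the ordering rule between TRNKEYSTR and a second SETMSTKEY. It is not Powertech Encryption code and does not call the product; the product derives and stores MEKs internally. The cryptography is a stand-in chosen so the example runs on stock Python: PBKDF2 over the ordered passphrase parts and the system serial number (an assumed construction that mirrors the documented behaviour that an MEK is tied to the IBM i serial and must be rebuilt from the same parts in the same order), and an HMAC keystream in place of AES key wrapping. The class and method names are assumptions; only the lifecycle rules are taken from the text.

```python
# Added illustration, not Powertech Encryption code: models the MEK version
# lifecycle (*NEW -> *CURRENT -> *OLD) and why TRNKEYSTR must precede a second
# SETMSTKEY. PBKDF2 over the ordered parts and an HMAC keystream (in place of
# AES key wrapping) are stand-ins so it runs on stock Python; the rules are the
# ones the text gives.
import hashlib
import hmac
import os

CURRENT, OLD = "*CURRENT", "*OLD"


def derive_mek(parts, serial):
    """256-bit key from the ordered passphrase parts, bound to the system serial
    (assumed construction): a DR system must reload the same parts, same order."""
    return hashlib.pbkdf2_hmac("sha256", "\x1f".join(parts).encode(), serial.encode(), 100_000)


def wrap(key, dek):
    """Toy key wrap: XOR with an HMAC keystream, so wrap() also unwraps."""
    stream = hmac.new(key, b"dek-wrap", "sha256").digest()
    return bytes(a ^ b for a, b in zip(dek, stream))


class MasterKey:
    def __init__(self, parts_required, unique_users, serial):
        self.parts_required, self.unique_users, self.serial = parts_required, unique_users, serial
        self.loaded = {}                              # *NEW: part number -> (user, passphrase)
        self.versions = {CURRENT: None, OLD: None}

    def load_part(self, part, user, passphrase):
        """LODMSTKEY: stage one passphrase part of the *NEW version."""
        if not 1 <= part <= self.parts_required:
            raise ValueError(f"part {part} outside 1..{self.parts_required}")
        if self.unique_users and user in {u for p, (u, _) in self.loaded.items() if p != part}:
            raise PermissionError(f"{user} already loaded another part")   # MEKUNQUSR(*YES)
        self.loaded[part] = (user, passphrase)

    def set_master_key(self, key_stores):
        """SETMSTKEY: *CURRENT -> *OLD, *NEW -> *CURRENT. The previous *OLD is
        discarded, so refuse while a key store still has DEKs wrapped under it."""
        if len(self.loaded) != self.parts_required:
            raise RuntimeError("not all passphrase parts are loaded")
        stuck = [ks.name for ks in key_stores if ks.wrapped_under == self.versions[OLD]]
        if stuck:
            raise RuntimeError(f"run TRNKEYSTR first on: {stuck}")
        parts = [self.loaded[p][1] for p in sorted(self.loaded)]
        self.versions[OLD] = self.versions[CURRENT]
        self.versions[CURRENT] = derive_mek(parts, self.serial)
        self.loaded = {}


class KeyStore:
    def __init__(self, name, mek):
        if mek.versions[CURRENT] is None:
            raise RuntimeError("no *CURRENT MEK: SETMSTKEY must run first")
        self.name, self.mek = name, mek
        self.wrapped_under = mek.versions[CURRENT]    # MEK version protecting the DEKs
        self.deks = {}                                # label -> wrapped DEK

    def create_symmetric_key(self, label):
        """CRTSYMKEY with a randomly generated DEK; returns the clear DEK."""
        dek = os.urandom(32)
        self.deks[label] = wrap(self.wrapped_under, dek)
        return dek

    def get_dek(self, label):
        return wrap(self.wrapped_under, self.deks[label])

    def translate(self):
        """TRNKEYSTR: re-wrap every DEK from *OLD to *CURRENT; returns the count."""
        current = self.mek.versions[CURRENT]
        if self.wrapped_under == current:
            return 0
        if self.wrapped_under != self.mek.versions[OLD]:
            raise RuntimeError("the MEK version protecting this key store is gone")
        for label, blob in self.deks.items():
            self.deks[label] = wrap(current, wrap(self.wrapped_under, blob))
        self.wrapped_under = current
        return len(self.deks)


def rotation_demo():
    """Initial setup, one rotation, a refused second rotation, then the fix."""
    mek = MasterKey(parts_required=2, unique_users=True, serial="SERIAL-TEST")
    mek.load_part(1, "PROFILE1", "part-one-secret")
    mek.load_part(2, "PROFILE2", "part-two-secret")
    mek.set_master_key([])                            # first *CURRENT, no *OLD yet
    ks = KeyStore("KEYSTORELIB/KEYSTORE", mek)
    dek = ks.create_symmetric_key("KEYLABEL")
    mek.load_part(1, "PROFILE1", "rotated-one")       # rotation: *CURRENT becomes *OLD
    mek.load_part(2, "PROFILE2", "rotated-two")
    mek.set_master_key([ks])
    still_readable = ks.get_dek("KEYLABEL") == dek    # DEK still decryptable via *OLD
    mek.load_part(1, "PROFILE1", "third-one")         # second rotation, TRNKEYSTR skipped
    mek.load_part(2, "PROFILE2", "third-two")
    try:
        mek.set_master_key([ks])
        refused = False
    except RuntimeError:
        refused = True
    translated = ks.translate()                       # re-wrap under *CURRENT ...
    mek.set_master_key([ks])                          # ... now the rotation succeeds
    return still_readable, refused, translated, ks.get_dek("KEYLABEL") == dek
```

Running rotation_demo() returns (True, True, 1, True): the DEK stays readable after the first SETMSTKEY because its Key Store is still on the *OLD version, the second SETMSTKEY is refused until the Key Store is translated, and after translation the same DEK is recovered under the new *CURRENT version. The refusal is the point of the warning above: the product itself does not prevent you from discarding an *OLD version that a Key Store still depends on, so the check has to be part of your rotation procedure.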

Creating Key Stores

Data Encryption Keys (DEK) are contained within Key Stores. An organization can create one or more Key Stores on the IBM i. For instance, one Key Store could be used to contain DEKs for protecting Order Entry data, and a second Key Store could be used to contain DEKs for protecting Payroll data.

Each Key Store is created as a Validation List (*VLDL) object on the IBM i. The name of the *VLDL object is specified on the CRTKEYSTR (Create Key Store) command. The DEKs contained in a Key Store are encrypted with a user-specified Master Encryption Key (MEK).

As mentioned above, when you create a key store, you can indicate that it will be set as the Default Key Store in your Key Policy. Use the SETDFT parameter to set your key store to be the default key store.

Creating a Key Store to contain the Data Encryption Keys (DEK)

  1. Submit the command CRTKEYSTR.
  2. Indicate the Key Store Name, Library, MEK ID, and other values. See Create Key Store (CRTKEYSTR) panel for more details.
  3. Press Enter to create the Key Store.

You can also use the command line to quickly apply these settings:

EXAMPLE:
CRYPTO/CRTKEYSTR KEYSTR(KEYSTORELIB/KEYSTORE) CRTLIB(*YES) MEKID(1) SETDFT(*YES)
NOTE: For information on managing Key Stores—for example, to translate, display, or delete a Key Store—see Working with Key Stores.

To control access using Authorization Lists, or by granting authority to a Key Store

The CRTKEYSTR command, by default, grants *PUBLIC access to the Key Store as it is created, so every user profile on the system can use it until you restrict the authority. To control access to encrypting and decrypting data, specify Authorization Lists for Full and Masked access to data when you set up the Field or IFS encryption. Since a Key Store is created as a validation list (*VLDL) object on the IBM i, you can additionally control the authority to a Key Store by using IBM’s EDTOBJAUT (Edit Object Authority) command. See Editing the Authority on a Key Store.

NOTE: Setting the object authority on a Key Store will control which users can manage keys in the Key Store, as well as which users can utilize the keys within the Key Store for encrypting and decrypting data.

For a complete discussion regarding using Key Store Authority and Authorization Lists to control encryption and decryption, see Controlling Access to Decrypted Values.

Creating a Data Encryption Key (DEK) and Saving it into the Key Store

  1. Submit the command CRTSYMKEY.
  2. Indicate the Key Label. The key is created in the default Key Store (*DEFAULT) if one was set in the Key Policy; otherwise also specify the Key Store name and library. Review the other values. See Create Symmetric Key (CRTSYMKEY) panel for more details.
  3. Press Enter to create the Symmetric Key.
EXAMPLE:
CRYPTO/CRTSYMKEY KEYLABEL(KEYLABEL)

Creating a Key Store Using Two Passphrase Parts

While a single passphrase may be appropriate for internal testing, in a production environment multiple passphrase parts are recommended. For example, you can use the following procedure to create a new Key Store under an MEK built from two passphrase parts entered by two different users.

The following requires two users with *ALLOBJ authority, and a Key Policy that requires two passphrase parts entered by unique users (MEKPRT(2) and MEKUNQUSR(*YES), as in the production CHGKEYPCY example above). The passphrases shown are placeholders; use strong, different passphrases in production and record them outside the IBM i.

  1. Sign in with the Profile1 user. Add Profile1 as a Key Officer, load passphrase part 1, and add Profile2 as a Key Officer:

    CRYPTO/ADDKEYOFR USRPRF(<Profile1>) MNTPCYALR(*YES) MNTKEYOFR(*YES)
    CRYPTO/LODMSTKEY MEKID(1) MEKPRT(1) PASSPHRASE(Passw0rd)
    CRYPTO/ADDKEYOFR USRPRF(<Profile2>) MNTPCYALR(*YES) MNTKEYOFR(*YES)
  2. Sign in with the Profile2 user and load passphrase part 2:

    CRYPTO/LODMSTKEY MEKID(1) MEKPRT(2) PASSPHRASE(Passw0rd2)
  3. Sign in with the Profile1 user again. Set the MEK, create the Key Store, and create the DEK:

    CRYPTO/SETMSTKEY MEKID(1)
    CRYPTO/CRTKEYSTR KEYSTR(KEYSTORELIB/KEYSTORE) CRTLIB(*YES) MEKID(1)
    CRYPTO/CRTSYMKEY KEYLABEL(KEYLABEL) KEYSTR(KEYSTORELIB/KEYSTORE)

Find Sensitive Database Fields

A menu is provided that allows you to find some database fields which may contain sensitive data, such as credit card numbers, social security numbers and Canadian social insurance numbers. To access this menu, execute the command:

GO CRYPTO/CRYPTO9
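The following is an added example of the kind of scan that menu performs, written so you can try the heuristics on a sample of your own column names and values. It is not the product's own detection logic and does not query the IBM i; the sample rows are constructed for the example (public test card numbers and commonly published example SSN/SIN values), and the column-name hints, the 60% value threshold and the function names are assumptions. A column is flagged when its name looks like a sensitive field, or when most of its non-blank sample values validate as a card number (Luhn check digit), a US SSN (the IRS structural rules: area not 000, 666 or 900-999, group not 00, serial not 0000) or a Canadian SIN (nine digits with a valid Luhn check digit).

```python
# Added example of the kind of scan the CRYPTO9 menu performs; it is not the
# product's own detection logic. A column is flagged when its name looks like a
# sensitive field or when most of its sample values validate as a card number
# (Luhn), a US SSN (IRS structural rules) or a Canadian SIN (9 digits, Luhn).
import re

# Column-name hints (assumed; extend with your own naming conventions).
NAME_HINTS = {
    "credit_card": re.compile(r"card|ccnum|\bpan\b", re.I),
    "ssn": re.compile(r"ssn|social", re.I),
    "sin": re.compile(r"(^|_)sin($|_)|insurance", re.I),
}


def luhn_ok(digits):
    """Luhn check-digit validation over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_card(value):
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


def looks_like_ssn(value):
    m = re.fullmatch(r"(\d{3})-?(\d{2})-?(\d{4})", value)
    if not m:
        return False
    area, group, serial = m.groups()
    # Never-issued ranges: area 000, 666 and 900-999; group 00; serial 0000.
    return area not in ("000", "666") and area < "900" and group != "00" and serial != "0000"


def looks_like_sin(value):
    digits = re.sub(r"[ -]", "", value)
    return len(digits) == 9 and digits.isdigit() and luhn_ok(digits)


CLASSIFIERS = {"credit_card": looks_like_card, "ssn": looks_like_ssn, "sin": looks_like_sin}


def classify_column(name, values, threshold=0.6):
    """Return the set of sensitive-data kinds suspected for one column."""
    found = {kind for kind, pat in NAME_HINTS.items() if pat.search(name)}
    sample = [v for v in values if v and v.strip()]      # ignore blanks
    for kind, check in CLASSIFIERS.items():
        if sample and sum(check(v) for v in sample) / len(sample) >= threshold:
            found.add(kind)
    return found


def scan_table(columns):
    """columns: {column name: [sample values]} -> {column name: kinds} for hits only."""
    report = {}
    for name, values in columns.items():
        kinds = classify_column(name, values)
        if kinds:
            report[name] = kinds
    return report


# Constructed sample rows (public test card numbers, commonly published example SSN/SIN).
SAMPLE_COLUMNS = {
    "CARDNO": ["4111 1111 1111 1111", "5500 0000 0000 0004", ""],
    "CUST_SSN": ["123-45-6789", "078-05-1120"],
    "SIN_NUM": ["046 454 286", "130 692 544"],
    "ORDER_TOTAL": ["120.50", "99.99", "1.00"],
    "ACCT_NOTES": ["call back Tuesday", "prefers email"],
}
```

scan_table(SAMPLE_COLUMNS) flags CARDNO, CUST_SSN and SIN_NUM and leaves the two other columns alone. Treat a hit as a lead to verify, not a verdict: a nine-digit order number passes the SIN check about one time in ten, and an unformatted SSN column can pass the SIN check as well, so confirm the data's meaning with the application owner before registering the field for encryption.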

Encrypting Database Fields

After setting up a Data Encryption Key, database fields can then be encrypted using one or more of the following approaches:

  • To set up database field encryption quickly (using IBM’s Field Procedure functions) use the automated commands WRKLIBFILS (to select a file from a list in a library) or WRKFILFLDS (to work with all fields in a file).
  • To review existing database field encryption or to set up field encryption manually, use the WRKFLDENC (Work with Field Encryption Registry) command.

If you intend to write your own programs, ILE procedures, or SQL functions:

  • Call native ILE procedures or programs (APIs) to encrypt/decrypt data within applications *
  • Call SQL functions or stored procedures to encrypt/decrypt data using SQL *

* If needed, contact Powertech Support for the Programmers Guide.

Encrypting IFS Files

See the IFS Encryption Guide for information on encrypting IFS objects.

Encrypting Libraries, Objects, and Files

After setting up a Data Encryption Key, you can also use one of the following commands to encrypt IBM i libraries, objects and files to tape or disk:

  • ENCSAVLIB – For encrypting libraries
  • ENCSAVOBJ – For encrypting specific objects within a library
  • ENCSTMF – For encrypting IFS stream files

Create Security Alerts

Using the WRKCCALR command, you can optionally set up Security Alerts, which can send immediate notifications when security-related changes or authority errors occur in Powertech Encryption for IBM i.

Test vs. Production Environment

In setting your Key Policy for a test environment, earlier in these instructions, we suggested using a one-part passphrase, allowing *ALLOBJ users to encrypt/decrypt data with no additional authorization, and allowing the key owner to encrypt and decrypt data. We recommend changing these settings to be more secure if you are moving your installation from a test environment to a production environment. If you load and set a new MEK to add passphrase parts and unique users, be sure to translate the existing Key Stores with TRNKEYSTR so their DEKs are re-encrypted under the new *CURRENT version before the previous version is discarded.