Translate Field Encryption Key – Internal Storage (TRNFLDKEYI)

The Translate Field Encryption Key Internal (TRNFLDKEYI) command allows authorized users to translate (re-encrypt) field values to a new key.

NOTE:
  • TRNFLDKEYI can be used for *ACTIVE field entries which store the encrypted values in the existing database field (without using a DB2 Field Procedure).
  • It is recommended to submit this command to batch using the SBMJOB command.
  • TRNFLDKEYI will attempt to get an exclusive lock on the file, so no users or applications should be using the file at the time.
  • The execution time for TRNFLDKEYI depends on the number of records which it must translate (re-encrypt) to the new Key.

For each record found, TRNFLDKEYI will decrypt the value with the old key and re-encrypt the value using the new key specified.

The following users can use this command:

  • QSECOFR user profile (unless excluded in the Key Officer settings)
  • A user profile with *SECADM authority (unless excluded in the Key Officer settings)
  • A Key Officer who has *YES specified for the "Maintain Field Enc. Registry" authority setting

This command requires that you have *CHANGE authority to the CRVL002 Validation List (*VLDL) object which contains the Field Encryption Registry.

IMPORTANT: Before using the TRNFLDKEYI command to translate production data, do the following steps:
  1. Make sure you have *ALL authority to the database file containing the field to translate.
  2. Within a test environment, you should have tested TRNFLDKEYI.
  3. No applications or users should be currently using the database file containing the field to translate.
  4. The TRNFLDKEYI command will perform a mass re-encryption of the current field values. You should allocate enough downtime for the TRNFLDKEYI to execute. Execution times will vary depending on the processor speed of your system, the number of records in your database file, and other activity running on the system at the time. In order to estimate the execution time for TRNFLDKEYI, you should run the TRNFLDKEYI command over some test data first.

The TRNFLDKEYI command performs the following primary steps:

  1. Obtains an exclusive (*EXCL) lock on the database file containing the field to translate.
  2. Optional: Creates a backup of the database file (containing the field to translate) into a Save File named BACKUPxxxxx, where xxxxx is a sequential number from 1 to 99999.
  3. If triggers are used on the field, they are removed.
  4. Changes the status of the field to *PROCESS.
  5. Reads all records in the file and re-encrypts the field values to the new key entered.
  6. Changes the *CURRENT keys in the field registry to the new keys entered on the command.
  7. If triggers are used on the field, they are re-added.
  8. Releases the exclusive lock on the database file containing the encrypted field.
  9. Changes the status of the field entry to *ACTIVE.
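The pre-flight checks listed above and the batch submission, as an added CL example (not Crypto Complete's own code): it verifies *ALL authority on the file, *CHANGE authority on the CRVL002 validation list, and that an exclusive lock can be taken, before submitting TRNFLDKEYI with the parameters described under Options. The file, library, field id, key label, variable lengths and the library holding CRVL002 (&CRYLIB) are assumed placeholders.

```cl
/* Added example, not product code. All object names are assumed.      */
/* Runs the IMPORTANT checklist, then submits TRNFLDKEYI to batch.    */
             PGM        PARM(&FILE &LIB &FLDID &NEWKEY)
             DCL        VAR(&FILE)   TYPE(*CHAR) LEN(10)
             DCL        VAR(&LIB)    TYPE(*CHAR) LEN(10)
             DCL        VAR(&FLDID)  TYPE(*CHAR) LEN(30)   /* assumed length */
             DCL        VAR(&NEWKEY) TYPE(*CHAR) LEN(30)   /* assumed length */
             DCL        VAR(&CRYLIB) TYPE(*CHAR) LEN(10) VALUE('CRYPTOLIB') /* assumed */

/* Check 1: *ALL authority to the database file holding the field.     */
             CHKOBJ     OBJ(&LIB/&FILE) OBJTYPE(*FILE) AUT(*ALL)
             MONMSG     MSGID(CPF9801 CPF9802 CPF9810 CPF9820) EXEC(DO)
             SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
                          MSGDTA('Need *ALL authority to the database file')
             ENDDO

/* Check 2: *CHANGE authority to the Field Encryption Registry (*VLDL).*/
             CHKOBJ     OBJ(&CRYLIB/CRVL002) OBJTYPE(*VLDL) AUT(*CHANGE)
             MONMSG     MSGID(CPF9801 CPF9802 CPF9810 CPF9820) EXEC(DO)
             SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
                          MSGDTA('Need *CHANGE authority to CRVL002')
             ENDDO

/* Check 3: nobody is using the file right now. WAIT(0) fails at once  */
/* if another job holds the file. The lock is released again because   */
/* the submitted job takes its own *EXCL lock (step 1 above); this     */
/* only confirms the file is idle at submission time.                  */
             ALCOBJ     OBJ((&LIB/&FILE *FILE *EXCL)) WAIT(0)
             MONMSG     MSGID(CPF1002) EXEC(DO)
             SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
                          MSGDTA('File is in use; schedule downtime first')
             ENDDO
             DLCOBJ     OBJ((&LIB/&FILE *FILE *EXCL))

/* Submit the translation with a backup Save File (SAVDTA(*YES)).      */
/* DECKEYLBL(*ENCKEYLBL)/DECKEYSTR(*ENCKEYSTR) reuse the new key and   */
/* key store for decryption; ENCKEYSTR(*DEFAULT) takes the Key Policy  */
/* default key store.                                                  */
             SBMJOB     CMD(TRNFLDKEYI FLDID(&FLDID) +
                          ENCKEYLBL(&NEWKEY) ENCKEYSTR(*DEFAULT) +
                          DECKEYLBL(*ENCKEYLBL) DECKEYSTR(*ENCKEYSTR) +
                          SAVDTA(*YES)) +
                        JOB(TRNFLDKEY) JOBQ(QBATCH)
             ENDPGM
```

Confirm the job completed and the field status returned to *ACTIVE before letting applications back onto the file; a failed run leaves the entry at *PROCESS and the BACKUPxxxxx Save File is the recovery point.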

How to Get There

In the Field Keys Menu, choose option 4.

Options

Field identifier (FLDID)

Indicate the unique name of the field entry whose field key is to be translated.

Encryption key label (ENCKEYLBL)

Indicate the label of the Symmetric Key to use for encrypting the field values.

Encryption key store name (ENCKEYSTR)

Indicate the object name and library of the Key Store which contains the Symmetric Key to use for encryption of the field. The users (or user groups) which need to encrypt values will need to have at least *USE authority to this Key Store object.

The possible values are:

  key-store-name   Enter the name of the Key Store.
  *DEFAULT         Use the default Key Store name specified at the Key Policy level.

The possible library values are:

  library-name     Enter the name of the library where the Key Store is located.
  *LIBL            Locate the Key Store within the library list.

Decryption key label (DECKEYLBL)

Indicate the label of the Symmetric Key to use for decrypting the field values.

The possible values are:

  decryption-key-label   Indicate the label of the key to use for decryption.
                         WARNING: If specifying a different key label than the label specified for encryption, then that decryption key should contain the same key value as the encryption key.
  *ENCKEYLBL             Use the same label as specified on the ENCKEYLBL parameter.

Decryption key store name (DECKEYSTR)

Indicate the object name and library of the Key Store which contains the Symmetric Key to use for decryption of the field. The users (or user groups) that need access to the decrypted values will need to have at least *USE authority to this Key Store object.

The possible values are:

  key-store-name   Enter the name of the Key Store.
  *ENCKEYSTR       Use the same Key Store as specified on the ENCKEYSTR parameter.
  *DEFAULT         Use the default Key Store name specified at the Key Policy level.

The possible library values are:

  library-name     Enter the name of the library where the Key Store is located.
  *LIBL            Locate the Key Store within the library list.

Save database file (SAVDTA)

Indicate if the database file (containing the field to translate) should be saved (backed up) into a Save File before the translation process begins. It is highly recommended to save the database file for error recovery purposes.

The possible values are:

  *YES   Save the database file into a Save File before translation begins.
         NOTE:
           • The created Save File will be named BACKUPxxxxx, where xxxxx is a sequential number from 1 to 99999.
           • Before using this option, ensure that enough disk space is available for a saved copy of the database file.
  *NO    Do not save the database file before the translation process begins.