Secure confidential information and satisfy compliance regulations easily.
Automatically encrypt database fields and columns using strong AES encryption in Crypto Complete
Database field encryption has traditionally been very difficult and time-consuming to implement on IBM i. In the past, major application changes would have to be made to expand database field sizes and implement complicated API calls to encrypt/decrypt data. In contrast, the design of Crypto Complete allows organizations to encrypt fields quickly and effectively using its intuitive screens and proven technology.
With Crypto Complete's innovative "Field Encryption Registry", you can simply indicate the database fields to encrypt within your database files. When a field is "activated" in the Registry, Crypto Complete will perform a mass encryption of the current values for that field. Crypto Complete can then automatically encrypt the field values on an ongoing basis as new database records are added and when existing field values are changed. The automated encryption function in Crypto Complete's Field Encryption Registry will eliminate the need to make changes to your application programs for data encryption.
If DB2 Field Procedures (available in IBM i V7R1) are utilized in Crypto Complete, the values can also be automatically decrypted without program changes. Otherwise, simple program changes can be made to decrypt values using Crypto Complete's APIs.
You can optionally modify your applications to encrypt data through program (API) calls to Crypto Complete's encryption procedures and programs. Crypto Complete also includes stored procedures and SQL functions, which can be called from within native applications or other external clients (i.e. graphical or web-based front ends) for encryption/decryption.
IBM i database fields can be protected in Crypto Complete using either AES and TDES encryption algorithms. Both of these algorithms follow standard (non-proprietary) specifications as published by the United States National Institute of Standards and Technology (NIST). AES and TDES are widely used for protecting highly sensitive data and complying with PCI DSS, HIPAA and State Privacy laws.
For AES encryption, you can choose between the key lengths of AES128, AES192 and AES256.
You can encrypt almost any IBM i DB2 database field with Crypto Complete. Field encryption examples:
- Credit card numbers (PAN)
- Social security numbers
- Bank account numbers
- Health-related information
- Financial data
Encrypted database fields are secured with Data Encryption Keys (DEK) which are managed through Crypto Complete's integrated Key Management system. Only authorized users will have the ability to decrypt data and gain access to the full or masked values. Decryption of any data can be fully audited in Crypto Complete, which will log the user id, date, time, job information and key utilized.
Encrypt and decrypt files and folders on the Integrated File System
IFS Encryption is provided in Crypto Complete to allow IBM i (iSeries) customers to encrypt and decrypt files and folders on the Integrated File System. All types of IFS stream files can be encrypted including text, PDF, JPG, TIF, CSV and XLS files. The encryption of IFS files can be completely automatic for designated folders or can be user-driven using Crypto Complete commands.
Strong AES encryption is utilized for protecting files on the IFS. AES follows standard (non-proprietary) specifications as published by the United States National Institute of Standards and Technology (NIST). You can choose between key lengths of AES128, AES192 and AES256.
The IBM i IFS encryption provided in Crypto Complete allows organizations to comply with PCI DSS requirements, state privacy laws and federal regulations such as HIPAA and Sarbanes-Oxley. Crypto Complete is a pure software solution requiring no additional hardware.
Automatic IFS Encryption
Crypto Complete can automate the encryption and decryption of files on the IFS. Through its innovative IFS encryption registry, authorized administrators can indicate which folders on the IFS should be encrypted. For each folder, you can indicate a unique encryption key for protecting the contents.
Once a folder is activated in the registry, Crypto Complete will automatically encrypt files as they are written to that IFS folder. For authorized users, files will be automatically decrypted as they are accessed from the folder. You can control user access to each encrypted folder through the use of IBM authorization lists. A folder can be granted access to individual users or groups of users.
Command-Driven IFS Encryption
Native IFS encryption/decryption commands are available in Crypto Complete, which can be easily integrated into existing IBM i applications and processes. Keys or passphrases can be used to protect the encrypted IFS files. Features include:
- Supports single file names and wildcards (e.g. *.pdf) to encrypt one or more IFS files at a time.
- Encrypted IFS files can be targeted to the IFS, a tape device and other physical and virtual backup devices.
- IFS encryption commands can be integrated quickly into existing processes.
- No intermediate save files are generated, saving disk space and time.
- Key labels can be stored in encrypted IFS files, so you don't have to remember which key to use on decryption.
- Only authorized users can be granted permissions to decrypt IFS files.
Crypto Complete's IFS encryption/decryption commands can be entered on the IBM i command line, placed in CL programs, incorporated in BRMS and used in job schedulers on the IBM i.
Example of command to encrypt IFS stream files:
Protect sensitive backup media
Crypto Complete offers native backup (tape) encryption for IBM i (iSeries) customers that wish to protect their sensitive backup media. This encryption is provided by commands in Crypto Complete which can encrypt and save entire libraries or individual objects. Symmetric keys or passphrases can be used to protect the encrypted backups.
AES encryption is implemented to provide strong protection for your backups. AES follows standard (non-proprietary) specifications as published by the United States National Institute of Standards and Technology (NIST). Crypto Complete supports key lengths of AES128, AES192 and AES256.
Additional benefits of Crypto Complete's backup encryption:
- Crypto Complete is a pure software solution requiring no additional hardware.
- Customers can utilize their existing tape devices.
- Encrypted backups can be targeted to a tape device, virtual backup devices and the IFS.
- Backup/restore commands can be integrated quickly into existing backup processes.
- Encrypt entire libraries or selected objects.
- No intermediate save files are generated, saving disk space and time.
- Includes an integrated key management system that resides on the IBM i.
- Key labels can be stored with encrypted backups, so you don't have to remember which key to use to decrypt/restore a backup.
- Disaster recovery is simplified since no special devices are required to restore.
Crypto Complete's backup and restore commands can be entered on the IBM i command line, placed in CL programs, incorporated in BRMS and used in job schedulers on the IBM i.
Backup encryption menu:
Example of command to encrypt and save libraries:
Native commands are also provided to restore/decrypt libraries, objects and IFS files which were saved using Crypto Complete's backup commands.