FAQs on Encryption at Rest

What are symmetric keys?

A symmetric key, or secret key, is an input to the encryption algorithm that determines its output: the same data encrypted with different keys produces different results. The same key is used for both encryption and decryption of data.

What is a database master key?
It is a symmetric key that protects the private keys of certificates and asymmetric keys in the database. The key is encrypted with either the Triple-DES or AES_256 algorithm and a user-provided password. You can create additional symmetric keys and certificates for data encryption only after the database master key has been created.

What is the default algorithm used to encrypt the values in Postgres?

AES_256

What is the datatype of the encrypted columns in various databases?

Postgres: bytea

MSSQL: varbinary


What is ECTag? Can I change it?
It is the symmetric PGP (Pretty Good Privacy) key used in Postgres to encrypt the data in password columns. The value of the ECTag is encrypted and stored in the product-config.xml file. Follow these steps to change it:
  1. Take a backup before invoking changeKey.bat.
  2. Go to <SupportCenter_Plus_Home>\bin and invoke changeKey.bat followed by the new ECTag value:
    changeKey.bat <ECTag value>
    The entire database will be decrypted using the old key and encrypted again with the given ECTag value.

Upgrade halted with the message "Master Key Not Created. The Key is not encrypted using the specified decryptor". How to proceed?

You cannot upgrade by using the existing database; please go through the following steps to upgrade: 

1. Back up your application.

2. Create a new database using /changeDBServer.bat or /changeDBServer.sh.

3. Start and stop the application once.

4. Restore your application into the new database.

How to troubleshoot encryption-related error codes?

How to open the database master key?

Open MSSQL Server Management Studio, right-click the database, and choose New Query.
In the workspace, run the following query:
      OPEN MASTER KEY DECRYPTION BY PASSWORD='<MasterKey_password>';

How to check whether symmetric keys are present for a particular database?

Open MSSQL Server Management Studio, right-click the database, and choose New Query. 
In the workspace, run the following query:
        select * from sys.symmetric_keys;
The symmetric keys, if present, will be tabulated in the results.

How to check whether certificates are present for a particular database?

Open MSSQL Server Management Studio, right-click the database, and choose New Query.
In the workspace, run the following query:
      select * from sys.certificates 
The result will tabulate the certificates if there are any.
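
The three checks above (opening the master key, listing symmetric keys, listing certificates) can be combined into one inventory of the database's encryption hierarchy. The script below is an added example, not part of the product or its documentation; it uses only standard SQL Server catalog views, and <MasterKey_password> is the same placeholder used above.

```sql
-- Added example: inventory of the encryption hierarchy in the current database.
-- Run it in a New Query window opened on the application database.

-- 1. Does a database master key exist, and is it also protected by the
--    service master key (so the server can open it without a password)?
SELECT d.name                              AS database_name,
       d.is_master_key_encrypted_by_server AS protected_by_service_master_key,
       k.algorithm_desc,
       k.key_length,
       k.create_date,
       k.modify_date
FROM   sys.databases AS d
LEFT JOIN sys.symmetric_keys AS k
       ON k.name = '##MS_DatabaseMasterKey##'   -- NULL columns mean no master key
WHERE  d.database_id = DB_ID();

-- 2. Every other symmetric key, with what protects it (certificate, password, ...).
SELECT k.name            AS symmetric_key,
       k.algorithm_desc,
       k.key_length,
       ke.crypt_type_desc AS protected_by,
       c.name            AS protecting_certificate
FROM   sys.symmetric_keys AS k
LEFT JOIN sys.key_encryptions AS ke ON ke.key_id = k.symmetric_key_id
LEFT JOIN sys.certificates    AS c  ON c.thumbprint = ke.thumbprint
WHERE  k.name <> '##MS_DatabaseMasterKey##';

-- 3. Certificates: how each private key is protected, and whether it has expired.
SELECT name,
       pvt_key_encryption_type_desc,
       start_date,
       expiry_date,
       CASE WHEN expiry_date < GETDATE() THEN 'EXPIRED' ELSE 'ok' END AS status
FROM   sys.certificates;

-- 4. Confirm the recorded master key password really opens the key.
BEGIN TRY
    OPEN MASTER KEY DECRYPTION BY PASSWORD = '<MasterKey_password>';
    PRINT 'Master key opened with the supplied password.';
    CLOSE MASTER KEY;
END TRY
BEGIN CATCH
    PRINT CONCAT('Could not open master key: ', ERROR_NUMBER(), ' - ', ERROR_MESSAGE());
END CATCH;
```

Run step 4 before an upgrade or a restore, while the old database is still available, so a wrong or lost master key password is found early.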

How to create the master key password?

A user with dbcreator permissions can follow these steps to create the master key password:
Open MSSQL Server Management Studio, right-click the database, and choose New Query.
In the workspace, run the following query:
      CREATE MASTER KEY ENCRYPTION BY PASSWORD='<new_Masterkey_password>';
The master key password must comply with the password policy of the MSSQL-installed machine. 

How to create an additional master key password?

A user with dbcreator permissions can follow these steps to add an additional master key password:
  1. Open MSSQL Server Management Studio.
  2. Right-click the database and choose New Query.
  3. Run the following query: 
         ALTER MASTER KEY ADD ENCRYPTION BY PASSWORD='<new-master_key>';
The old master key password will still be functional. 

How to take a backup of the master key password?

Open MSSQL Server Management Studio, right-click the database, and choose New Query.
In the workspace, run the following query:
      BACKUP MASTER KEY TO FILE = 'path_to_file' ENCRYPTION BY PASSWORD = '<Masterkey_password>';

How to restore the master key password?

Open MSSQL Server Management Studio, right-click the database, and choose New Query.
In the workspace, run the following query:
      RESTORE MASTER KEY FROM FILE = 'path_to_file' DECRYPTION BY PASSWORD = '<masterkey_password_of_backup_database>' ENCRYPTION BY PASSWORD = '<masterkey_password_of_restoring_database>';
The master key password will be restored to the database.

Why does the master key password fail during an upgrade? 

This can happen if the password doesn't comply with the password policy of the MSSQL-installed machine.

How to back up and restore the MSSQL database?

  1. In MSSQL Server Management Studio, right-click the database to be backed up and go to Tasks>>Backup.
  2. To restore the database, right-click it, and choose Restore Database.
  3. In the Restore Database dialog box, choose the device option and the backup file path, and click OK.
If the error "System.Data.SqlClient.SqlError: The file 'filepath\*.mdf' cannot be overwritten. It is being used by database 'database_name'. (Microsoft.SqlServer.SmoExtended)" is displayed, choose Files in the Restore Database dialog box. Go to the Restore As column, rename the *.mdf and *_log.ldf files, and click OK to restore the database.
