The MCAPISUPPORT library is used by DMSII for database encryption. There are two types of database encryption: Field Level Encryption (FLE) and Structure Level Encryption (SLE).
Compiling a DASDL that specifies that a field, structure, or whole database be encrypted causes DMSII to call the MCAPISUPPORT library to create a database encryption key set. There is one key set per database that uses encryption.
Existing databases can be transitioned to use database encryption by performing a reorganization.
The following two algorithms are provided for database encryption:
- AES-GCM is the recommended algorithm.
- AES-HMAC-SHA256 is an alternative algorithm, provided as a fallback in case AES-GCM should become insecure. This algorithm is slower than AES-GCM.
A key set consists of a master RSA key and sixteen AES-256 keys. The sixteen AES-256 keys are used to encrypt fields in the database. The master RSA key is used to encrypt the stored AES-256 keys.
Refer to the Enterprise Database Server Utilities Operations Guide for more details.

