EaR will encypt the data on Informix dbspaces. If you try a "strings" command on a non-encrypted chunk you'll get the text it can find in there (names, addresses etc.). Not in a friendly format, but it means that anyone with some understanding of the Informix page format could extract the information.
But the database server will transparently unencrypt it when a client request is done (SELECT) and will encrypt it again on writing (each time a page is written (INSERTs,UPDATEs,DELETEs etc.).
That's why it's called "transparent" data encryption, because it can be put in place without any change in the way we interact with the database... result sets, backup images, any administrative interaction with the server etc. will not notice the data is encrypted.
Additionally, another feature allows us to encrypt the backup images. Nothing similar exists for dbexport.
All this is included... no extra cost. But if the requirement is to encrypt the data so that no one can see it without the key, then EaR is not the answer for that (assuming there is an answer that can be implemented.... but that's another story....)
------------------------------
FERNANDO NUNES
------------------------------
Original Message:
Sent: Fri October 25, 2019 09:23 AM
From: Sergio Peres
Subject: dbexport encrypted, how to?
Thanks for your reply Fernando,
I was wrong about funcionality, considering the data encryption I thought that as stated in the roadshow the data would be encrypted.
Your explanation help me to understand about the features.
Best regards,
SP
------------------------------
Sergio Peres
AIRC
Coimbra
Original Message:
Sent: Fri October 25, 2019 09:02 AM
From: FERNANDO NUNES
Subject: dbexport encrypted, how to?
Sounds like there is too much confusion about this topic.
Currently we can encrypt dbspaces and that's called Encryption ar Rest (EaR). Any tool that accesses the data will see the data as non-encrypted. The encryption is transparent to all applications. The purpose of this type of encryption it to help in compliance regulations (like GDPR) and to avoid data access outside the database interfaces (if someone tries to access the data using OS tools, or if a customer needs to dispose a system and is concerned with data protection etc.). Note that even the communication between the database server and the client is not encrypted by EaR (we can use SSL for that).
dbexport is just a database "client", so it will get the unencrypted data and will write it to disk. If there is a need to encrypt the data written by dbexport, then it can be done in several ways:
1- Native OS filesystem encryption
2- External file/filesystem encryption (using a tool like InfoSphere Guardium Data Encryption)
3- Manually using openssl tools, after the data is written
Someone suggested a pipe, but dbexport creates and writes to several files, so I don't know how a pipe could help.
Apart from this we can also encrypt the backup images made with the backup utilities (dbexport is not intended for backups)
Specifically for Sérgio, if you decide to use encryption at rest, that doesn't change anything for dbexport (data written by dbexport will be unencrypted)
If you need to encrypt the data written by dbexport, then consider one of the three methods above.
Regards.
------------------------------
FERNANDO NUNES
Original Message:
Sent: Fri October 25, 2019 07:19 AM
From: Eric Vercelletto
Subject: dbexport encrypted, how to?
HI Sergio,
the question would be why do you use dbexport for backup ? The theory says that dbexport is not considered as a backup tool for a number of reasons, including that it cannot be done as a hot backup.
Nowadays onbar with PSM is very easy to configure and use, it has a lot of advantages including backup encryption, point in time recovery and management of your backup media.
If you need to recover partial data ( i.e databases or tables) from onbar, this is where the archecker can help you: yes you will need to do a bit of scripting to do so, but far from difficult.
Maybe an interesting feature request to implement in HQ, i.e recover a table or a database from HQ ? ( @Gustavo C alias Mr Onbar)
Or do you have solid reasons not to use onbar ?
Cumprimentos
Eric
------------------------------
[eric] [Verceletto] []
[Founder]
[kandooerp.org]
[Pont l'Abbé] [France]
[+33 626 52 50 68]
Original Message:
Sent: Thu October 24, 2019 05:16 PM
From: Art Kagel
Subject: dbexport encrypted, how to?
Sergio:
The database exports created by dbexport are NOT encrypted, regardless of whether there is Encryption At Rest (EAR) enabled on the server or not! So, no "decryption" is needed.
Note that EAR encrypts the storage at the storage level and in flight between the server and storage. Once the data is in memory it is no longer encrypted so the data that dbexport, like all of the clients, sees is plain text.
Art
Art S. Kagel, President and Principal Consultant
ASK Database Management
Disclaimer: Please keep in mind that my own opinions are my own opinions and do not reflect on the IIUG, nor any other organization with which I am associated either explicitly, implicitly, or by inference. Neither do those opinions reflect those of other individuals affiliated with any entity with which I am affiliated nor those of the entities themselves.
Original Message------
Hi,
As I have seen over version 14.10 we can have encrypted databases, as on my backup scripts I use dbexport is it possible to decrypt on command? There are any option for that?
SP
------------------------------
Sergio Peres
AIRC
Coimbra
------------------------------
#Informix