Question & Answer
Question
What is the ENCRYPT_DATA_AT_REST feature and how do I enable it ?
Cause
New function provided in fixpack but with limited explanation of what it is.
Answer
This feature is introduced with Content Manager (CM) V85 fixpack 3 and enables the CM resource manager to encrypt the newly imported binary data that represents the document that is stored. With prior CM fixpacks and releases, administrators could utilize appropriate external viewers to display the binary objects stored in the underlying filesystem's lbosdata. They will no longer be able to do this with objects encrypted by this function. Previously archived objects will remain unencrypted, and therefore can still be viewed with an external viewer.
After CM v85 fp3 is installed and configured, the initialization of the icmrm application server will validate if the following records exist in the RMCONFIGURATION database table. If they do not, it will insert the records in the following order. Each will have a property value of "DO NOT REMOVE OR MODIFY, DATA LOSS MY RESULT".
USE_KEY_SIZE_BITS 313238 <<<< hex value for the default
128 representing the size in bits for the key to encrypt data a rest.
KEY_MATERIAL <<<< key for encrypting data at rest
ENCRYPTIONKEY_DATA_AT_REST <<<< key to generate the password
It will then update the existing ENCRYPTIONKEY_STR with the "DO NOT
REMOVE" and will encrypt the existing key.
The following record is not immediately inserted, but the parameter has
a default value of "FALSE" indicating that the resource manager does not
encrypt incoming data.
ENCRYPT_DATA_AT_REST
Using the CM system administrative client, the administrator can enable encryption by selecting the "Encrypt data at rest" checkbox on the Privacy page in the resource manager configuration. A record will then be inserted or the existing record will be updated in RMCONFIGURATION to reflect a value of "TRUE". Subsequent newly imported objects will then be encrypted.
Objects encrypted will have a value in the OBJ_SIGNATURE column of the RMOBJECTS database table. Null or empty string values (per apar IO23990) are assigned to objects that are not encrypted.
If this option is selected or enabled, but subsequently disabled, documents stored after that point will be unencrypted. Documents stored during the period in which the encryption was enabled can continue to be accessed and viewed when accessed through the CM resource manager, and as long as the RMCONFIGURATION records and values that were created in association with this feature still remain. These documents will remain encrypted and cannot be viewed with an external viewer.
Related Information
Was this topic helpful?
Document Information
Modified date:
17 June 2018
UID
swg21971288