SET ENCRYPTION PASSWORD

The SET ENCRYPTION PASSWORD statement sets the default password and hint that will be used by the encryption and decryption functions. The password is not associated with authentication and is only used for data encryption and decryption.

For information about using this statement, see ENCRYPT_AES, ENCRYPT_RC2, ENCRYPT_TDES, DECRYPT_BIT, DECRYPT_BINARY, DECRYPT_CHAR, and DECRYPT_DB.

Invocation

This statement can be embedded in an application program or issued interactively. It is an executable statement that can be dynamically prepared.

Authorization

If a global variable is referenced in the statement, the privileges held by the authorization ID of the statement must include at least one of the following:

  • For each global variable identified in the statement,
    • The READ privilege on the global variable, and
    • The system authority *EXECUTE on the library containing the global variable
  • Administrative authority

Syntax

                             .- = -.   
>>-SET--ENCRYPTION PASSWORD--+-----+---------------------------->

>--+-password-variable--------+--------------------------------->
   '-password-string-constant-'   

>--+--------------------------------------------+--------------><
   |            .-=-.                           |   
   '-WITH HINT--+---+--+-hint-variable--------+-'   
                       '-hint-string-constant-'     

Description

password-variable
Specifies a variable that contains an encryption password.

The variable:

  • Must be a CHAR, VARCHAR, Unicode GRAPHIC, or Unicode VARGRAPHIC variable. The actual length of the contents of the variable must be between 6 and 127 inclusive or must be an empty string. If an empty string is specified, the default encryption password is set to no value.
  • Must not be the null value.
  • All characters are case-sensitive and are not converted to uppercase characters.
password-string-constant
A character constant. The length of the constant must be between 6 and 127 inclusive or must be an empty string. If an empty string is specified, the default encryption password is set to no value. The literal form of the password is not allowed in static SQL or REXX.
WITH HINT
Indicates that a value is specified that will help data owners remember passwords (for example, 'Ocean' as a hint to remember 'Pacific'). If a hint value is specified, the hint is used as the default for encryption functions. The hint can subsequently be retrieved for an encrypted value using the GETHINT function. If this clause is not specified and a hint is not explicitly specified on the encryption function, no hint will be embedded in the encrypted data result.
hint-variable
Specifies a variable that contains an encryption password hint.

The variable:

  • Must be a CHAR, VARCHAR, Unicode GRAPHIC, or Unicode VARGRAPHIC variable. The actual length of the contents of the variable must not be greater than 32. If an empty string is specified, the default encryption password hint is set to no value.
  • Must not be the null value.
  • All characters are case-sensitive and are not converted to uppercase characters.
hint-string-constant
A character constant. The length of the constant must not be greater than 32. If an empty string is specified, the default encryption password hint is set to no value.

Notes

Password protection: To prevent inadvertent access to the encryption password, do not specify password-string-constant in the source for a program, procedure, or function. Instead, use a variable.

When connected to a remote relational database, the specified password itself is sent "in the clear". That is, the password itself is not encrypted. To protect the password in these cases, consider using a communications encryption mechanism such as IPSEC (or SSL if connecting between IBM® i products).

Transaction considerations: The SET ENCRYPTION PASSWORD statement is not a committable operation. ROLLBACK has no effect on the default encryption password or default encryption password hint.

Initial encryption password value: The initial value of both the default encryption password and the default encryption password hint is the empty string ('').

Encryption password scope: The scope of the default encryption password and default encryption password hint is the activation group and connection.

Example

Set the ENCRYPTION PASSWORD to the value in :hv1.

SET ENCRYPTION PASSWORD :hv1
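
The following sequence is an added example, not part of the original reference page. It shows the default password and hint being set from variables, used implicitly by ENCRYPT_AES and DECRYPT_CHAR, and then cleared, since the default persists for the activation group and connection and is unaffected by ROLLBACK. The table EMP1, its columns, and the host variables :pw, :hint, :ssn, :stored_hint, :plain and :no_pw are hypothetical names.

```sql
-- Added example. All object and host-variable names are hypothetical.
-- :pw   holds the password (6 to 127 characters), supplied at run time.
-- :hint holds the hint (at most 32 characters).
-- :no_pw holds the empty string.

CREATE TABLE EMP1 (
  EMPNO INTEGER NOT NULL,
  -- Assumption: 128 bytes is a generous size for a short encrypted
  -- value plus its embedded hint.
  SSN   VARCHAR(128) FOR BIT DATA
);

-- 1. Set the default password and hint from variables, never from a
--    string constant in program source.
SET ENCRYPTION PASSWORD = :pw WITH HINT = :hint;

-- 2. No password or hint argument is given, so the defaults set in
--    step 1 are used and the hint is embedded in the stored value.
INSERT INTO EMP1 (EMPNO, SSN) VALUES (1, ENCRYPT_AES(:ssn));

-- 3. GETHINT takes only the encrypted value. Anyone who can read the
--    column can read the hint, so the hint must not reveal the password.
SELECT GETHINT(SSN) INTO :stored_hint FROM EMP1 WHERE EMPNO = 1;

-- 4. Decrypt with the default password (no password argument).
SELECT DECRYPT_CHAR(SSN) INTO :plain FROM EMP1 WHERE EMPNO = 1;

-- 5. The statement is not committable: neither COMMIT nor ROLLBACK
--    resets the default. Clear it explicitly when the work is done so
--    later statements in the same activation group and connection do
--    not inherit it. A variable is used because the literal form is
--    not allowed in static SQL or REXX.
SET ENCRYPTION PASSWORD = :no_pw WITH HINT = :no_pw;
```

On a connection to a remote relational database, step 1 sends the password unencrypted unless the link itself is protected, as described in the Notes.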