Understanding Encryption Policies
To use MyDiamo, it is necessary to understand the concept of encryption policies. Before a column can be encrypted, a policy must be created; that policy then supplies the settings applied when the column is encrypted.
Listed below are the basic components of an encryption policy. Partial encryption can be configured through additional options.
- Policy ID
- Encryption Algorithm
- Initial Vector Mode
- Column Key (Block Mode)
When encrypting a column, the Policy ID of the policy that will be used to carry out the encryption must first be entered. A single policy can be used for encryption of multiple columns, but one column can be encrypted by only one policy. Columns encrypted by the same policy have the same Column Keys.
However, because Column Keys are randomly generated, deleting a policy and creating a new one even with the exact same settings would generate a different Column Key from that of the old policy.
For this reason, if at least one encrypted column is still associated with a policy you wish to delete, the CLI rejects the deletion and reports an error. Column Keys also cannot be recreated identically, so take care not to delete the secure files.
Policy information is saved in policy.damo among the secure files. If this file is mistakenly deleted, encrypted data cannot be decrypted. We recommend that DB administrators treat this file with extreme caution and back it up on a regular basis.
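The policy lifecycle described above (one policy for many columns, one policy per column, deletion refused while a column still uses it, and a recreated policy never recovering the old Column Key), as an added model that is not MyDiamo's own code. The class and method names are hypothetical, and a SHA-256 counter keystream with an HMAC tag stands in for the real cipher so the example runs on the standard library alone.

```python
import hashlib, hmac, os

class Policy:
    """The page's policy components; the Column Key is random at creation."""
    def __init__(self, policy_id, algorithm, iv_mode):
        self.id, self.algorithm, self.iv_mode = policy_id, algorithm, iv_mode
        self.column_key = os.urandom(32)  # never derived from the settings

class PolicyStore:
    """Hypothetical stand-in for policy.damo: policies plus column -> policy bindings."""
    def __init__(self):
        self.policies, self.columns = {}, {}

    def create_policy(self, policy_id, algorithm="AES-256", iv_mode="random"):
        if policy_id in self.policies:
            raise ValueError(f"policy {policy_id} already exists")
        self.policies[policy_id] = Policy(policy_id, algorithm, iv_mode)
        return self.policies[policy_id]

    def assign_column(self, column, policy_id):
        # One policy may serve many columns, but a column has exactly one policy.
        if column in self.columns:
            raise ValueError(f"{column} is already encrypted by {self.columns[column]}")
        self.columns[column] = self.policies[policy_id].id

    def delete_policy(self, policy_id):
        # Mirror the CLI rule: refuse while any encrypted column still uses it.
        users = [c for c, p in self.columns.items() if p == policy_id]
        if users:
            raise RuntimeError(f"policy {policy_id} still encrypts {users}")
        del self.policies[policy_id]

    def _keystream(self, key, iv, n):
        # Stand-in cipher (SHA-256 in counter mode), NOT the product's algorithm.
        blocks = (hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest()
                  for i in range((n + 31) // 32))
        return b"".join(blocks)[:n]

    def encrypt(self, column, plaintext):
        key = self.policies[self.columns[column]].column_key
        iv = os.urandom(16)  # a fresh IV per value, as in a random IV mode
        body = bytes(a ^ b for a, b in zip(plaintext, self._keystream(key, iv, len(plaintext))))
        tag = hmac.new(key, iv + body, hashlib.sha256).digest()
        return iv + body + tag

    def decrypt(self, column, blob):
        key = self.policies[self.columns[column]].column_key
        iv, body, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(key, iv + body, hashlib.sha256).digest()):
            raise ValueError(f"{column}: wrong Column Key, data cannot be decrypted")
        return bytes(a ^ b for a, b in zip(body, self._keystream(key, iv, len(body))))
```

Rebuilding the store from identical settings after a simulated loss of policy.damo yields a different Column Key, and decrypt() then rejects every value sealed under the old one.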