Encryption Control

Database encryption is used to hide private information from people who gain direct access to the database (i.e., developers, Naviga Support analysts, and “hackers”—people other than Circulation users). When encrypted, private data is stored in separate tables and fields. When the database is accessed directly, private information is masked and is not discernible. This includes running Results reports/queries, custom programs and ad hoc queries—in all of these situations, the data will be masked.

Circulation users, on the other hand, will be able to see full private information because the Circulation interfaces decrypt it for display and printing.

Note: If you require access to private data from Results queries or custom programs you have developed, please contact Naviga Support for assistance.

The figure below shows the level of security that database encryption provides. Note that all private data will be visible to all Circulation users, unless you also use data masking.

The table below shows the fields that can be encrypted in the database.

| Field | Who it applies to | What is masked |
| --- | --- | --- |
| Social Security number | carrier/dealer | All but the last 4 digits |
| Tax ID | carrier/dealer | All but the last 4 digits |
| Bank number | carrier/dealer and subscriber | All but the last 2 digits |
| Bank account number | carrier/dealer and subscriber | All but the last 4 digits |
| Credit card number | carrier/dealer and subscriber | All but the first digit and last 4 digits |

Methods of Encryption

Circulation supports two different methods of encryption:

  • FFW uses FreeFrameWork’s “shingle” encryption. It is a symmetric encryption system that was specifically developed for the Progress 4GL environment. FFW uses a pass phrase and a private key that you define in Setup. Because encryption is done entirely within Progress, it is the faster of these two methods.

  • GPG (GNU Privacy Guard) is a freely available encryption tool for secure communication and data storage that supports a number of industry standard encryption algorithms, both symmetric and asymmetric, of various strengths. Circulation uses the default symmetric encryption algorithm for your GPG installation.

Note: GPG is a standard feature of the Red Hat Linux platform. Circulation administrators who use other platforms may need to download and install GPG before setting up encryption. For more information about GPG, see GNUPG.ORG or contact your platform vendor or Naviga Technical Support.
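Because Circulation uses whatever symmetric algorithm your GPG installation defaults to, it is worth confirming which one that is. The following added example (not Naviga or GnuPG code) reads the text that `gpg --list-packets` prints for a passphrase-encrypted test file and reports the cipher and its block size; the two sample listings are constructed and the function names are hypothetical.

```python
import re

# OpenPGP symmetric-cipher IDs (RFC 4880, section 9.2): id -> (name, block bits)
CIPHERS = {
    1: ("IDEA", 64), 2: ("3DES", 64), 3: ("CAST5", 64), 4: ("BLOWFISH", 64),
    7: ("AES", 128), 8: ("AES192", 128), 9: ("AES256", 128), 10: ("TWOFISH", 128),
}

# Matches the header line gpg prints for a passphrase-protected session key.
SYMKEY_RE = re.compile(r"^:symkey enc packet:.*?\bcipher (\d+)", re.MULTILINE)

# Constructed samples in the shape of `gpg --list-packets` output.
SAMPLE_CAST5 = (
    ":symkey enc packet: version 4, cipher 3, s2k 3, hash 2\n"
    "\tsalt 0102030405060708, count 65536 (96)\n"
    ":encrypted data packet:\n"
    "\tlength: unknown\n"
)
SAMPLE_AES256 = (
    ":symkey enc packet: version 4, cipher 9, aead 0,s2k 3, hash 2\n"
    "\tsalt 1112131415161718, count 65011712 (255)\n"
    ":encrypted data packet:\n"
    "\tlength: 74\n"
    "\tmdc_method: 2\n"
)


def ciphers_in_listing(listing):
    """Return (name, block_bits) for each symmetric-key packet in the listing."""
    found = []
    for match in SYMKEY_RE.finditer(listing):
        algo = int(match.group(1))
        found.append(CIPHERS.get(algo, ("unknown(%d)" % algo, None)))
    return found


def audit(listing):
    """Return findings a reviewer should follow up on; empty list means none."""
    ciphers = ciphers_in_listing(listing)
    if not ciphers:
        return ["no symmetric-key packet found: not passphrase-encrypted OpenPGP data"]
    findings = []
    for name, bits in ciphers:
        if bits is None:
            findings.append("%s: cipher ID not in the RFC 4880 table" % name)
        elif bits < 128:
            findings.append("%s: %d-bit block cipher" % (name, bits))
    return findings


if __name__ == "__main__":
    for label, sample in (("cast5", SAMPLE_CAST5), ("aes256", SAMPLE_AES256)):
        print(label, ciphers_in_listing(sample), audit(sample))
```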

Comparing FFW and GPG

The table below compares some key attributes of the FFW and GPG encryption methods.

| The encryption method: | FFW | GPG |
| --- | --- | --- |
| Requires additional software | no | yes, for non-Linux platforms |
| Utilizes external tools | no | yes |
| Encryption algorithm | proprietary | 3DES, CAST5, BLOWFISH*, AES, AES192, AES256, TWOFISH |
| Throughput | 400-500k per hour** | 65-80k per hour** |
| Keys utilized | private key and pass phrase | pass phrase |

* BLOWFISH is the default GPG symmetric encryption algorithm.

** Based on Newscycle’s testing on Linux and Solaris systems. Your results may vary depending on platform, operating system, system configuration and load, and other factors.

Setting up Database Encryption

Follow the procedure below to set up database encryption.

Overall procedure to set up database encryption:

  1. If you are going to use GPG, you must download and install it if it is not already installed on your system.

  2. Set the Business Rule “Should private information such as credit card numbers and bank account info be encrypted when stored in the database?” (General section) to “yes”.

  3. Use the Encryption Control option (Setup | System | Security | Encryption Control) to define your encryption method, pass phrase, and other information. Private information entered through new starts, payments, and other transactions will automatically be encrypted once an encryption control record is set up. See below.

Like security masking, encryption is not enabled by default: you must set it up using this procedure before data will be encrypted.

Other Database Encryption Options

Two other menu options in Circulation are related to encryption:

  • Encrypt Private Info is used to encrypt private information that already exists in the database. After setting up an encryption control record, use this option to encrypt your existing data. See Encrypt Private Info for more information.

  • Decrypt Private Info is used to decrypt information in the database that has been encrypted. For example, you may need to use this feature for testing (to compare pre-encryption and post-encryption data), exporting data (e.g., to move carrier tax information from Circulation to an external AR system), or when changing encryption methods (e.g., going from FFW to GPG). See Decrypt Private Info for more information.

Encryption Control Setup

Encryption Control setup determines the encryption method to be used, as well as the private key and pass phrase to be used in database encryption. If you use GPG, you must also enter the location of the encrypting program executable file. We highly recommend limiting access to this option to a few users via menu security.

To define encryption settings:

  1. Select Encryption Control from the Setup | System | Security menu. The Encryption Control screen displays.

  2. Click the Add icon and enter encryption information in the fields described in the table below.

    | Field | Type | What to enter |
    | --- | --- | --- |
    | CONTROL ID | integer (8) | Specify a numeric ID for this encryption record, or keep the default. |
    | START DATE, END DATE | date | Enter the date range during which this encryption information should be used. Note that you may only have one Encryption Control record with a blank end date (i.e. one active record). Also, if there are previous records, the start date must be one day after the end date of the last record, and two records may not overlap date ranges. |
    | ENCRYPTION METHOD | predefined | Indicate whether the FFW (FreeFrameWork) or GPG (GNU Privacy Guard) encryption method should be used. |
    | PUBLIC KEY | | This field is not currently implemented. |
    | PRIVATE KEY | open (50) | If using the FFW encryption method, enter an alpha-numeric character string that should be used as a private key. The private key has a role in encrypting/decrypting the data, and is also used to verify that the encrypted data has not been corrupted. |
    | PASS PHRASE | open (50) | Enter the pass phrase, similar to a password, that should be used to encrypt/decrypt information. The pass phrase is required for both encryption methods. Note that the private key and the pass phrase will themselves be stored in encrypted form (a separate, hard coded pass phrase will be used by the system to access them). |
    | EXTERNAL EXE, TEMP DIRECTORY | open (50) | If the encryption method is “GPG”, enter the path and name of the executable program that runs the encryption and the temp directory where encryption-related files should be written. Note: These fields do not apply to FFW encryption. |

  3. Click the OK button to add the encryption control, or click Add Another to accept the record and add another encryption control.
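The START DATE / END DATE rules above (one record with a blank end date, each start date one day after the previous end date, no overlapping ranges) can be checked before a new control record is keyed in. The following is an added example, not Naviga code: the record tuples are constructed, the function names are hypothetical, and it assumes the end date is the last day a record applies.

```python
from datetime import date, timedelta

# Constructed records: (control_id, start_date, end_date); None = blank END DATE.
GOOD = [
    (1, date(2023, 1, 1), date(2023, 12, 31)),
    (2, date(2024, 1, 1), None),
]
BAD = [
    (1, date(2023, 1, 1), date(2023, 12, 31)),
    (2, date(2023, 12, 15), date(2024, 6, 30)),   # starts before record 1 ends
    (3, date(2024, 7, 5), None),                  # leaves a gap after record 2
    (4, date(2024, 8, 1), None),                  # second blank end date
]


def validate_controls(records):
    """Check the date rules from the table; return a list of problems."""
    problems = []
    open_ended = [cid for cid, _, end in records if end is None]
    if len(open_ended) > 1:
        problems.append("more than one record with a blank end date: %s" % open_ended)
    ordered = sorted(records, key=lambda rec: rec[1])
    for (pid, _, pend), (cid, cstart, _) in zip(ordered, ordered[1:]):
        if pend is None or cstart <= pend:
            problems.append("record %d overlaps record %d" % (cid, pid))
        elif cstart != pend + timedelta(days=1):
            problems.append("record %d starts %d days after record %d ends, expected 1"
                            % (cid, (cstart - pend).days, pid))
    return problems


def active_control(records, on):
    """Return the control_id whose range covers `on` (end date inclusive, an assumption)."""
    hits = [cid for cid, start, end in records
            if start <= on and (end is None or on <= end)]
    # More than one hit means overlapping ranges: refuse to guess.
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    print(validate_controls(GOOD))
    for problem in validate_controls(BAD):
        print(problem)
    print(active_control(GOOD, date(2024, 3, 1)))
```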

COPYRIGHT © 2024 NAVIGA