To use table column encryption, use the CREATE TABLE statement to encrypt column values and define the encryption passphrase. To enable access to the table, use the MODIFY statement.

When you create a table with encryption, it automatically unlocks the table as if you had issued the MODIFY...ENCRYPT WITH PASSPHRASE= statement, so you can insert data into the new table without having to issue the MODIFY to access it.

If you don’t want to allow access to the new table immediately, you must issue the MODIFY tablename ENCRYPT WITH PASSPHRASE = ' ' to disable access to the table.

The following example creates an encrypted table, enables access to it (although access is already enabled), inserts rows, and then selects them:

SELECT * FROM socsec1;

The following results are returned:

The encryption is transparent to the application (in this case, the SQL terminal monitor), as shown by the plain text values in the socsec column.

The SET TRACE POINT DM805 statement sends a dump of encrypted buffers immediately after the encryption processing to II_DBMS_LOG. Trace point DM806 sends a dump of encrypted buffers immediately before decryption processing. The log shows the values that are stored for the social security numbers:

Table column encryption by default includes in the stored value a salt (see “Understanding Salt”) and a verifying hash, in addition to the user data itself. In the above example, there is no salt as the option NOSALT is specified in the CREATE TABLE statement.