9. Using Data at Rest Encryption : How to Compute the Width of Encrypted Data
 
Encrypted data takes up more room than unencrypted data for the following reasons:
1. AES is a block cipher that operates only on 16-byte blocks, so the data is padded out to a block boundary whenever its length is not already a multiple of 16.
2. At-rest encrypted data includes a 4-byte verification hash that is used to confirm that decryption produced the original data.
3. Adding SALT, which guarantees that each row of an encrypted column encrypts to a different value even when the plaintext is the same, adds 16 bytes of overhead per row.
The HELP TABLE command displays the physical width of encrypted columns in an encryption section (see Encryption Information Displayed with HELP TABLE) of the report.
Use the following algorithm to calculate the physical width of an encrypted column:
1. Start with the natural width of the column.
2. Add 1 for nullable columns.
3. Add 4 for the verification hash.
4. Round up to the nearest multiple of 16.
5. Add 16 if the column is declared with SALT (the per-row overhead described above).
Because of step 4, a single extra byte of natural width can add a full 16-byte block to the physical width, so it is worth checking where a proposed column width falls relative to the block boundary.
The goal of encryption is to make meaningful data appear to be a random series of bits until the encryption algorithm in combination with the encryption key is used to restore the data to its original state. One result is that encrypted data does not compress well, so Ingres does not compress encrypted columns.
Thus, the net effect on disk storage needs of encryption is a combination of the expansion of the encrypted rows for necessary overhead, and the loss of compressibility of the encrypted columns.
The AES_ENCRYPT function accepts as input a string of type VARBYTE and encrypts the entire string, including the 2-byte prefix that holds the VARBYTE length.
To compute the length of the encrypted output of the AES_ENCRYPT function, use the following algorithm:
1. Start with the length of the input as VARBYTE (that is, after casting to that data type if the original input is of another type).
2. Add 2 for the length prefix.
3. Round up to the nearest multiple of 16.
If you store AES_ENCRYPT output in a database table, make sure the target column is wide enough for the full encrypted length computed above for the longest possible input. A value that has been truncated on the way into the column cannot be decrypted successfully, and the loss is not detectable until you try to decrypt it.
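The following Python calculator is an added example, not Ingres code or documentation. It implements both algorithms on this page: the physical width of an encrypted column (the five steps above, where the SALT step is an assumption taken from the overhead bullet, applied as a whole block after rounding) and the output length of AES_ENCRYPT for VARBYTE input. The helpers headroom and storage_check are additions of mine, not Ingres features; the sample widths in the main block are constructed values chosen to sit on either side of a 16-byte boundary.

```python
"""Width calculator for Ingres at-rest encrypted columns and AES_ENCRYPT output.

Added example (not Ingres code). Constants come from the page text; the SALT
overhead is assumed to be counted as a whole 16-byte block, which makes its
position relative to the rounding step irrelevant.
"""
from typing import Tuple, Union

AES_BLOCK = 16        # AES operates on 16-byte blocks
VERIFY_HASH = 4       # 4-byte hash stored with at-rest encrypted data
NULL_INDICATOR = 1    # one extra byte for a nullable column
SALT_OVERHEAD = 16    # per-row SALT overhead (assumed to be block-sized, per the page)
VARBYTE_PREFIX = 2    # 2-byte length prefix that AES_ENCRYPT encrypts along with the data


def round_up_to_block(n: int) -> int:
    """Smallest multiple of AES_BLOCK that is >= n (n itself if already aligned)."""
    if n < 0:
        raise ValueError("length must be non-negative")
    return -(-n // AES_BLOCK) * AES_BLOCK


def encrypted_column_width(natural_width: int, nullable: bool = False,
                           salt: bool = False) -> int:
    """Physical width of an encrypted column, following the page's steps 1-5."""
    width = natural_width                      # step 1: natural width
    if nullable:
        width += NULL_INDICATOR                # step 2: null indicator byte
    width += VERIFY_HASH                       # step 3: verification hash
    width = round_up_to_block(width)           # step 4: pad to the block boundary
    if salt:
        width += SALT_OVERHEAD                 # step 5: SALT (assumption, see lead-in)
    return width


def headroom(natural_width: int, nullable: bool = False) -> int:
    """Bytes the natural width may still grow before another 16-byte block is needed.

    Helper added here (not an Ingres feature): 0 means the column already sits
    exactly on a block boundary and one more byte costs a whole extra block.
    """
    used = natural_width + (NULL_INDICATOR if nullable else 0) + VERIFY_HASH
    return round_up_to_block(used) - used


def aes_encrypt_output_length(varbyte_length: int) -> int:
    """Length of AES_ENCRYPT output for a VARBYTE value of the given length."""
    return round_up_to_block(varbyte_length + VARBYTE_PREFIX)   # steps 1-3


def aes_encrypt_output_length_for(value: Union[bytes, str]) -> int:
    """Same calculation starting from a concrete value (str is treated as UTF-8 bytes)."""
    data = value.encode("utf-8") if isinstance(value, str) else value
    return aes_encrypt_output_length(len(data))


def storage_check(declared_width: int, max_input_length: int) -> Tuple[bool, int]:
    """Helper added here: is a column of declared_width bytes wide enough to hold
    AES_ENCRYPT output for inputs up to max_input_length bytes (as VARBYTE)?
    Returns (ok, required_width); a False result means values would be truncated
    and therefore undecryptable.
    """
    required = aes_encrypt_output_length(max_input_length)
    return declared_width >= required, required


if __name__ == "__main__":
    # Constructed sample widths straddling a block boundary.
    print("natural nullable salt -> physical (headroom)")
    for natural, nullable, salt in [(10, False, False), (12, False, False),
                                    (11, True, False), (12, True, False),
                                    (12, True, True)]:
        print(f"{natural:7d} {str(nullable):8s} {str(salt):4s} -> "
              f"{encrypted_column_width(natural, nullable, salt):3d} "
              f"({headroom(natural, nullable)})")
    for n in (0, 14, 15, 30):
        print(f"AES_ENCRYPT of {n:2d}-byte VARBYTE -> {aes_encrypt_output_length(n)} bytes")
    print("VARBYTE(16) holds 15-byte inputs?", storage_check(16, 15))
```

Reading the output: a 12-byte natural width with no null indicator needs 16 bytes, but making that same column nullable pushes it to 32, because 12 + 1 + 4 = 17 crosses the boundary; likewise AES_ENCRYPT of a 14-byte value fits in 16 bytes while a 15-byte value needs 32, since the 2-byte prefix is encrypted too. Use storage_check with the longest input you will ever bind before sizing the column that receives AES_ENCRYPT output.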