Set encryption key information

Encryption keys (passwords required for encryption and decryption) should be created and managed by users themselves using the management functions described below.

Important

The 'Encryption key file' created here is literally the 'Key' to the encryption function and is sensitive and confidential information. Please read the following carefully before use.

  • Administrator privileges are required to set the encryption key.
  • The encryption key setting is necessary for the proper operation of an application that uses encryption functions and decryption functions. It must be set so that it can be referenced by the app developer as well as by the user.
  • The encryption algorithm applied in the encryption and decryption functions is 'AES-256'.
  • Encrypted data cannot be decrypted without the encryption key.
  • The 'Encryption key file' must be managed strictly with access control, etc.

Attention

When creating an encryption key, the error message "CryptAcquireContext (Encryption) Failed: Access Denied. (5)" may appear.
In this case, you need to grant "special permissions" to the Everyone group on the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder.
To grant "special permissions", execute the following command (run it with administrative privileges if necessary):
icacls "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys" /inheritance:e /grant Everyone:(RD,RA,REA,WD,AD,WA,WEA,RC)

Create encryption key

Create an encryption key file, which is the key needed to encrypt or decrypt the encrypted data.
  1. Open the 'System' tab on the Manage page.
  2. Click the 'Create' button under 'Encryption Key.'
  3. In the 'Creating encryption key' dialog, click the 'Create' button to create the encryption key file. Save the file in an arbitrary location when the "Save as" dialog is displayed.

There are two ways to create an encryption key file.

  1. Create an encryption key file with a random password (default)
  2. Create an encryption key file with any password (optional)
Default creation creates an encryption key file with a random password.
You can also check the 'Create encryption key with any password' check button and enter any password to create an encryption key file. Passwords are case sensitive.

Attention

  • By default, an encryption key file is created with a random password. Since it is not possible to create an encryption key file with the same password again, please be careful not to lose it.
  • In contrast, if an encryption key file is created with any password you specify, the same encryption key file can be created again with the same password. Therefore, the password you enter must be strictly controlled.
  • If the encryption key is leaked, a third party may be able to decrypt the data. Please keep the encryption key file you have created under strict control. If a leak is suspected, the data can be re-encrypted with a new encryption key. See Replace encrypted table data.

Register encryption key information

Set up the created encryption key file for use in the encryption or decryption function.
Click the 'Set' button under 'Encryption key' to set and register the 'Encryption key name' and 'Key location'.
The encryption key file can be used by placing the encryption key file at the registered 'Key location' and specifying the 'Encryption key name' as an argument in the encryption or decryption function.
  1. Open the 'System' tab on the Manage page.
  2. Click the 'Set' button under 'Encryption key.'
  3. In the "Setting encryption key" dialog, click the "Add encryption key" button to open the "Add encryption key" dialog.
  4. In the "Add encryption key" dialog, set the "Encryption key name" and "Key location" and click the "Add" button.

[1] Encryption key name (required)

Specify a unique name that identifies the encryption key (case-insensitive).
The encryption key name set here is used as the argument for the encryption or decryption function.

[2] Key location (required)

Specify the location where you want to place the encryption key file you have created, either by specifying a web server URL or by specifying a local file path.
The encryption key file at the key location set here is read when the encryption or decryption function is executed.
You can also set the local file path by selecting the encryption key file with the '…' button.

[3] Description (optional)

Set the encryption key description.

[4] 'Register this encryption key as the default key' check button

If this check button is enabled, it will be registered as the encryption key name 'default' and will be treated as the default key.
When using the default key, the encryption key name specified in the encryption or decryption function can be omitted.
  5. Confirm that the target information has been added to the "Setting encryption key" dialog, and click the 'Register' button.

Hint

The registered encryption key information is immediately reflected for the user who set it, but for other users who are currently logged in, the information is reflected when they log in again.

Attention

  • The information in the encryption key file is not maintained in the CELF database and cannot be decrypted, even by the CELF service provider.
  • The registered encryption key name must be notified to the app developer.
  • If you have set the URL of your web server as the location of the encryption key file, we recommend that you apply appropriate access controls.
  • If you set a local file path as the deployment location for the encryption key file, distribute the encryption key file to developers and users and notify them of the deployment location. The distributed encryption key file must be placed in the same path as the deployment location.
  • The encryption key file should be distributed only to the PC of the user who is authorized to decrypt it, or placed in a path accessible only to authorized users.
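
The check below is an added example, not part of CELF or its documentation: a PowerShell function that lists broad groups (Everyone, Authenticated Users, BUILTIN\Users) that are allowed to read a locally deployed encryption key file. The function name and the sample file path are assumptions made for illustration.

```powershell
# Added example: audit who can read a locally deployed encryption key file.
# The sample path at the bottom is constructed, not a CELF default.

# Well-known SIDs of groups that cover most or all accounts on a PC.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-BroadKeyFileAccess {
    param([Parameter(Mandatory)][string]$Path)

    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    $sidType  = [System.Security.Principal.SecurityIdentifier]

    # Request SIDs instead of names so the check does not depend on the OS language.
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)

    foreach ($rule in $rules) {
        $sid     = $rule.IdentityReference.Value
        # Only specific rights are tested; ACEs stored as generic rights are not decoded.
        $canRead = ($rule.FileSystemRights -band $readData) -eq $readData
        if ($rule.AccessControlType -eq 'Allow' -and $canRead -and $BroadSids.ContainsKey($sid)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $BroadSids[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Constructed sample: a stand-in key file in the temp folder (not a real key).
$sample = Join-Path $env:TEMP 'sample-encryption-key.bin'
Set-Content -LiteralPath $sample -Value 'constructed placeholder, not a real key'

$findings = @(Get-BroadKeyFileAccess -Path $sample)
if ($findings.Count -eq 0) {
    "No broad read access on $sample"
} else {
    $findings | Format-Table -AutoSize
}
Remove-Item -LiteralPath $sample
```

An entry with Inherited set to True comes from the parent folder, so the folder's permissions need correcting rather than the file's.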

Edit encryption key information

Edit the registered encryption key information.
  1. In the 'Setting encryption key' dialog, click the 'Edit' button of the record of the registered encryption key information to open the 'Editing encryption key' dialog.
  2. In the 'Editing encryption key' dialog, you can edit the 'Key location' and 'Description'. When edited, click the 'Update' button.
  3. Confirm that the 'Setting encryption key' dialog reflects the edited information and click the 'Register' button.

Hint

The edited encryption key information is reflected immediately for the user who set it, but for other logged-in users, it is reflected when they log in again.

Attention

If the deployment location is set to a local file path, either of the following changes causes the encryption or decryption function to fail, because the encryption key file can no longer be read.
Please notify developers and users of the new location or redistribute the encryption key file as necessary.
  • The location of an encryption key file with the same contents as the previously used encryption key file was changed.
  • The file name of an encryption key file with the same contents as the previously used encryption key file was changed.

Attention

A change in key location that matches the following makes it impossible to decrypt existing encrypted data:
  • An encryption key file whose contents differ from the previously used encryption key file is placed at the deployment location.
If you renew the encryption key file, you will not be able to decrypt the existing encrypted data. If you have stored the encrypted data in database tables, you will need to replace the data as necessary.
Therefore, please plan ahead and be careful when editing encryption keys.
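
As an added example (not CELF's own tooling), the PowerShell function below compares the key file currently in use with the file at a proposed new key location and reports which of the cases above applies. The function name, the result labels and the sample files are constructed for illustration.

```powershell
# Added example: classify a planned Key location change before registering it.
function Compare-KeyFileChange {
    param(
        [Parameter(Mandatory)][string]$CurrentPath,   # key file in use today
        [Parameter(Mandatory)][string]$NewPath        # file at the proposed Key location
    )

    foreach ($p in $CurrentPath, $NewPath) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            return [pscustomobject]@{
                Result = 'Missing'
                Action = "No file at $p; functions that read this key will fail."
            }
        }
    }

    # Hashes are compared in memory only; nothing derived from the key is stored.
    $old = (Get-FileHash -LiteralPath $CurrentPath -Algorithm SHA256).Hash
    $new = (Get-FileHash -LiteralPath $NewPath -Algorithm SHA256).Hash

    if ($old -eq $new) {
        [pscustomobject]@{
            Result = 'SameContents'
            Action = 'Same key; notify users of the new location or redistribute the file.'
        }
    } else {
        [pscustomobject]@{
            Result = 'DifferentContents'
            Action = 'Existing encrypted data will not decrypt with this file; plan replacement of stored data.'
        }
    }
}

# Constructed sample files standing in for key files (not real keys).
$dir = Join-Path $env:TEMP ('keycheck-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
Set-Content -LiteralPath "$dir\in-use.key"  -Value 'constructed sample A'
Copy-Item   -LiteralPath "$dir\in-use.key"  -Destination "$dir\moved.key"
Set-Content -LiteralPath "$dir\renewed.key" -Value 'constructed sample B'

Compare-KeyFileChange -CurrentPath "$dir\in-use.key" -NewPath "$dir\moved.key"
Compare-KeyFileChange -CurrentPath "$dir\in-use.key" -NewPath "$dir\renewed.key"
Compare-KeyFileChange -CurrentPath "$dir\in-use.key" -NewPath "$dir\absent.key"

Remove-Item -LiteralPath $dir -Recurse
```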

Delete encryption key information

Delete registered encryption key information.
  1. In the 'Setting encryption key' dialog, click the 'Delete' button for the record of the registered encryption key information.
  2. A confirmation dialog will be displayed. Check the message and click the "OK" button.
  3. Confirm that the target information has been deleted from the 'Setting encryption key' dialog, and click the 'Register' button.

Hint

Deleted encryption key information is immediately reflected for the user who set it, but for other logged-in users, it is reflected when they log in again.

Attention

  • Once encryption key information is deleted, any encryption or decryption function that refers to it can no longer read the encryption key file and will fail.
  • We recommend that you do not delete any encryption key information that is in use.
  • Please plan ahead when deleting encryption key information. If you have stored encrypted data in database tables, delete the key information carefully, only after replacing the existing data.
