using IBMi FIELDPROC encrypt sensitive data
I wrote a data encryption routine a few years ago. In my ongoing mission to refactor my old utilities, I was looking at it this weekend thinking about ways to improve it. The basic premise behind my routine is to read a row of information from a file, perform encryption of said data based on a specific 'key' and then hide the key within the encrypted data - so it can be decrypted correctly at a later date. Keeps data safe from prying eyes even if they manage to get access to the file data itself. This worked very nicely for obfuscating the source code for my Projex4i programs, but has bitten me on a few occasions when somebody has tampered with the data in the file, therefore making my encryption key incorrect. Tampered data means I have effectively lost my ability to decode it.
There must be a better way right?
There is - FIELDPROC in IBM-i v7.1
What is Field Proc?
Fieldproc is a data encryption feature added to the IBMi operating system from version 7.1 onwards. It stands for FIELD PROCEDURES and allows encryption of a files data at field (column) level. It's an exit point routine that allow the operating system to encrypt data as its read and/or updated. So, not only are you relying on the operating systems inherent data authority to decide whether a specific reader can view the data - we now have another level of encryption that can say "you may be allow to view the data but are you allowed to actually see the data behind it?"
Take credit card information for example: Maybe we want to allow some user to see a credit card number in all its glory and some other can only see xxx-xxx-xxx-1234 for example. Think about the same solution for Social Security numbers?
Just another reason to bypass the 6.1 upgrade and jump straight to IBMI 7.1