ENCRYPT_CIPHERS configuration parameter

Use the ENCRYPT_CIPHERS configuration parameter to define all ciphers and modes that can be used by the current database session. ENCRYPT_CIPHERS is used for Enterprise Replication and High-Availability Data Replication only.

onconfig.std value
Not set. Encryption ciphers are not used.
values
See the Usage section.
takes effect
After you edit your onconfig file and restart the database server.

Usage

The encryption cipher and mode used is randomly chosen among the ciphers common between the two servers. If a specific cipher is discovered to have a weakness, you should reset the ENCRYPT_CIPHERS configuration parameter value to eliminate that cipher by using the allbut option.

Important: Including all ciphers is more secure than including specific ciphers.
Read syntax diagramSkip visual syntax diagram
Syntax for the ENCRYPT_CIPHERS configuration parameter

>>-ENCRYPT_CIPHERS--+-all-----------------------------+--------><
                    |               .-,----------.    |   
                    |               V            |    |   
                    +-allbut--:--<----+-cipher-+-+-->-+   
                    |                 '-mode---'      |   
                    | .-,---------------.             |   
                    | V                 |             |   
                    '---cipher--:--mode-+-------------'   

Table 1. Options for the ENCRYPT_CIPHERS configuration parameter value
Field Description
all Include all available ciphers and modes, except ECB mode, which is considered weak.

For example: ENCRYPT_CIPHERS all

allbut Include all ciphers and modes, except ECB and the ciphers and modes listed.

For example: ENCRYPT_CIPHERS allbut:<cbc,bf>

The cipher list can include unique, abbreviated entries. For example, bf can represent bf-1, bf-2, and bf-3; however, if the abbreviation is the name of an actual cipher, then only that cipher is eliminated. Therefore, des eliminates only the des cipher, but de eliminates the des, des3, and desx ciphers.

cipher The following ciphers are supported:
  • des = DES (64-bit key)
  • des3 = Triple DES
  • desx = Extended DES (128-bit key). Only supports cbc mode.
  • aes = AES 128bit key
  • aes192 = AES 192bit key
  • bf-1 = Blow Fish (64-bit key)
  • bf-2 = Blow Fish (128-bit key)
  • bf-3 = Blow Fish (192-bit key)
  • aes128 = AES 128bit key
  • aes256 = AES 256bit key

All modes are supported for all ciphers, except the desx cipher.

For an updated list of supported ciphers, see the Release Notes.

mode The following modes are supported:
  • ecb = Electronic Code Book (ECB). Only included if specified.
  • cbc = Cipher Block Chaining
  • cfb = Cipher Feedback
  • ofb = Output Feedback

Copyright© 2019 HCL Technologies Limited