Cipher Block Chaining (CBC) mode to replace Counter (CTR) mode in Assure Encryption FIELDPROC

Assure Security Release Notes

Product type
Software
Portfolio
Integrate
Product family
Assure
Product
Assure Security > Assure Elevated Authority Manager (EAM)
Assure Security > Assure Encryption
Assure Security > Assure Secure File Transfer
Assure Security > Required for All Modules
Assure Security > Assure Monitoring and Reporting (AMR)
Assure Security > Assure Security Multi-Factor Authentication (MFA)
Assure Security > Assure DB2 Data Monitor (DB2MON)
Assure Security > Assure System Access Manager (SAM)
Assure Security > Assure Secure File Transfer with PGP
Version
7.0
Language
English
Product name
Assure Security
Title
Assure Security Release Notes
Copyright
2025
First publish date
2019
Last updated
2025-01-08
Published on
2025-01-08T15:12:18.805000

The Counter (CTR) mode of AES encryption will be deprecated in Assure Encryption FIELDPROC in one year. It is recommended to use the Cipher Block Chaining (CBC) mode of AES encryption instead when creating a FIELDPROC definition. This is an enhanced encryption mode which provides stronger data protection.

You will need to end field encryption on existing fields and start field encryption using a new field procedure definition configured with the new encryption mode. The steps below outline how to change one encrypted field at a time.

  1. Determine which fields are encrypted. This can be done by filtering the Work with FieldProc Definitions screen using the Process Status filter value of ‘Encrypted’. The list can be printed by pressing F21=Print report.
  2. Determine which applications use the fields by reviewing the file object locks (WRKOBJLCK), then stop those applications so that the encryption key can be changed.
  3. Go to the Assure Encryption Configuration Menu (GO AEMNU2) to access the Work with FieldProc Definitions program (menu option 9).
  4. Define a new, pending status field procedure definition for the field, using the new field protection type AES-CBC.
  5. From a command line, type the following command:
    CHGFLDPRC CURDEFN(xxxxxxxxxx) 
              NEWDEFN(yyyyyyyyyy)  
              REPLACE(*YES) TGLMASK(*YES) TGLUSER(*YES)
    where: “xxxxxxxxxx” is the definition name for AES-CTR type encryption and “yyyyyyyyyy” is the newly created definition name for AES-CBC type encryption.
    Alternatively, if the file contains a large number of rows to be decrypted and re-encrypted, submit the following command:
    SBMJOB CMD(CHGFLDPRC CURDEFN(xxxxxxxxxx) 
                         NEWDEFN(yyyyyyyyyy)  
                         REPLACE(*YES) TGLMASK(*YES) TGLUSER(*YES)) 
                         JOB(CHGFLD2CBC) LOG(4 00 *SECLVL)
    Important note: If an AES user control is used to mask data, a dedicated user control must exist for the pair "PROFILE"/*ANY to unmask the data when the command CHGFLDPRC is issued by “PROFILE”. If this user control does not exist, the “Encryption start failed with SQLSTAT of 23507” error will occur.
    Choose the submission method to avoid locking your interactive session during the field encryption change. Running this command will change the current, encrypted field procedure definition to the new, pending field procedure definition.
    Note: During the key change, the file will be exclusively locked while all rows are decrypted and then re-encrypted using the new definition.
  6. You can use the Display File Field Description (DSPFFD) command to confirm that the data is again protected.
  7. Restart the applications related to the updated files.
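
The following CL wrapper is an added example, not code from the Assure Encryption documentation. It covers steps 2 and 5 by confirming that no job still holds a lock on the file before submitting the change. The program parameters (library, file and the two definition names, assumed to be 10 characters each) are hypothetical; the CHGFLDPRC and SBMJOB parameters are the ones given in step 5.

```cl
/* Added example. &LIB and &FILE identify the file that holds the   */
/* encrypted field; &CURDEFN is the AES-CTR definition and &NEWDEFN */
/* is the pending AES-CBC definition created in step 4.             */
/* All four parameters are assumptions made for this illustration.  */
PGM        PARM(&LIB &FILE &CURDEFN &NEWDEFN)
  DCL        VAR(&LIB)     TYPE(*CHAR) LEN(10)
  DCL        VAR(&FILE)    TYPE(*CHAR) LEN(10)
  DCL        VAR(&CURDEFN) TYPE(*CHAR) LEN(10)
  DCL        VAR(&NEWDEFN) TYPE(*CHAR) LEN(10)

  /* Step 2 check: the change needs an exclusive lock on the file,  */
  /* so try to take one without waiting. If any application still   */
  /* has the file open, the allocation fails immediately.           */
  ALCOBJ     OBJ((&LIB/&FILE *FILE *EXCL)) WAIT(0)
  MONMSG     MSGID(CPF1002 CPF1085) EXEC(DO)
    SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                 MSGDTA('File' *BCAT &LIB *TCAT '/' *TCAT &FILE +
                 *BCAT 'is still in use. Review WRKOBJLCK and +
                 stop the applications before changing the field +
                 procedure') MSGTYPE(*ESCAPE)
  ENDDO

  /* Release the test lock. The submitted job runs separately and   */
  /* must be able to obtain its own exclusive lock. Another job     */
  /* could open the file between this release and the start of the  */
  /* submitted job, so keep the applications stopped until step 7.  */
  DLCOBJ     OBJ((&LIB/&FILE *FILE *EXCL))

  /* Step 5: submit the change in batch so the interactive session  */
  /* is not held while rows are decrypted and re-encrypted.         */
  SBMJOB     CMD(CHGFLDPRC CURDEFN(&CURDEFN) NEWDEFN(&NEWDEFN) +
                 REPLACE(*YES) TGLMASK(*YES) TGLUSER(*YES)) +
               JOB(CHGFLD2CBC) LOG(4 00 *SECLVL)
ENDPGM
```

Review the job log of CHGFLD2CBC after it ends, then continue with step 6.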

For more information, refer to the Assure Encryption User Guide.

(SEC-17216)

Action required

To maximize the benefits of this enhanced security, we strongly encourage all our clients to update to this new feature as soon as feasible. It is essential to highlight that the previous encryption mode will be deprecated one year after the release of this update. While this timeline allows for a smooth transition, we urge you not to delay the update to ensure continuous protection.

Support and assistance

We understand that this transition may require technical adjustments on your part. Our team is on standby to provide comprehensive support and assistance throughout this process. Feel free to contact us for detailed guidance or if you need help at any stage of the update.

If you are interested in a more automated process, reach out to your Account Executive to discuss an “Encrypt While Active” solution.