This installment of APIs by Example focuses on the tools required to create and remove data encryption keys: the Create Data Encryption Key (CRTDTAK) and Remove Data Encryption Key (RMVDTAK) commands, respectively. As its name suggests, the data encryption key is the cipher key that performs the actual encryption of the cleartext and the decryption of the resulting ciphertext.
In the next installment of this series, I will show you how to use functions (which I’ll be providing) to successfully complete the cleartext encryption and ciphertext decryption process, using a data encryption key.
For now, I’ll continue with a very important warning concerning data encryption keys: removing or destroying a data encryption key also removes your access to every piece of data encrypted with it. If the key cannot be restored, the data encrypted with it cannot be recovered, no matter how carefully the ciphertext itself was backed up. A secure backup policy for the key store, taken before any key is removed, is therefore mandatory.
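The following Go program is an added example written for this page; it is not IBM i code and not the CRTDTAK/RMVDTAK implementation from the series. A hypothetical in-memory KeyStore stands in for the key store those commands manage, AES-256-GCM stands in for whatever cipher the series' encryption functions use, and the key name "CUSTDTAK" and the sample plaintext are made up. It walks through the warning above: data is encrypted, the key is removed, decryption fails because the key is gone, and only a backup of the key store taken before the removal makes the data readable again.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ErrNoKey is returned when the named data encryption key is absent.
var ErrNoKey = errors.New("data encryption key not available")

// KeyStore is a hypothetical in-memory store of data encryption keys by name.
// It stands in for the key store the real commands manage; it is not IBM i code.
type KeyStore struct{ keys map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// CreateKey generates a fresh random 256-bit key under the given name (cf. CRTDTAK).
func (ks *KeyStore) CreateKey(name string) error {
	if _, exists := ks.keys[name]; exists {
		return fmt.Errorf("key %q already exists", name)
	}
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return err
	}
	ks.keys[name] = k
	return nil
}

// RemoveKey deletes a key (cf. RMVDTAK). Data encrypted under it becomes
// unreadable unless a backup copy of the key store exists.
func (ks *KeyStore) RemoveKey(name string) error {
	if _, exists := ks.keys[name]; !exists {
		return fmt.Errorf("key %q not found", name)
	}
	delete(ks.keys, name)
	return nil
}

// Backup returns an independent copy of the key store; Restore loads one back.
func (ks *KeyStore) Backup() *KeyStore {
	b := NewKeyStore()
	for n, k := range ks.keys {
		b.keys[n] = append([]byte(nil), k...)
	}
	return b
}
func (ks *KeyStore) Restore(b *KeyStore) { ks.keys = b.Backup().keys }

// aead builds an AES-256-GCM instance for the named key, or ErrNoKey.
func (ks *KeyStore) aead(name string) (cipher.AEAD, error) {
	k, ok := ks.keys[name]
	if !ok {
		return nil, ErrNoKey
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under the named key; the random nonce is prepended.
func (ks *KeyStore) Encrypt(name string, plaintext []byte) ([]byte, error) {
	g, err := ks.aead(name)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt opens ciphertext produced by Encrypt under the same key name.
func (ks *KeyStore) Decrypt(name string, ct []byte) ([]byte, error) {
	g, err := ks.aead(name)
	if err != nil {
		return nil, err
	}
	ns := g.NonceSize()
	if len(ct) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:ns], ct[ns:], nil)
}

// RemoveThenRestore runs the scenario from the warning: encrypt, remove the key,
// try to decrypt (fails), restore the key store from backup, decrypt again.
// It returns the recovered plaintext, the error seen while the key was gone,
// and any unexpected error.
func RemoveThenRestore(plaintext []byte) (recovered []byte, whileRemoved error, err error) {
	ks := NewKeyStore()
	if err = ks.CreateKey("CUSTDTAK"); err != nil { // hypothetical key name
		return nil, nil, err
	}
	ct, err := ks.Encrypt("CUSTDTAK", plaintext)
	if err != nil {
		return nil, nil, err
	}
	backup := ks.Backup() // the secure backup, taken before any removal
	if err = ks.RemoveKey("CUSTDTAK"); err != nil {
		return nil, nil, err
	}
	_, whileRemoved = ks.Decrypt("CUSTDTAK", ct) // ErrNoKey: the data is unreachable
	ks.Restore(backup)
	recovered, err = ks.Decrypt("CUSTDTAK", ct)
	return recovered, whileRemoved, err
}

func main() {
	rec, lost, err := RemoveThenRestore([]byte("constructed sample record"))
	fmt.Println("while key removed:", lost)
	fmt.Println("after restore:", string(rec), err)
}
```

Note that the backup is a copy of the key material itself; backing up only the ciphertext, as a normal data backup would, changes nothing, because without "CUSTDTAK" no amount of ciphertext can be opened.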