Database encryption is a process to convert data in the database to “cipher text” (unreadable text) using an algorithm. CS:Govern uses the database encryption inherent to its’ database to encrypt and decrypt the data designated as sensitive or confidential.  In order to accomplish this, an encryption key is generated and used to encrypt and decrypt the text.  CS:Govern leaves the choice of how the key is generated and where it is managed up to each client.  You can utilize CS:Govern’s built-in key generation and management capability or employ your own encryption key.  In order to employ your own encryption key, you must add your encryption key into CS:Govern’s encryption key management system.

The following section describes the steps necessary to add a custom encryption key to CS:Govern.

To add your own encryption key to CS:Govern’s Key Management System:

1. Review “Securing a CS:Govern Database“
2. Implement a key rotation policy
   1. The rotation policy should include a process that inserts the new encryption key (manually or programmatically)  into the CS:Govern GuardianKey table.
3. Login to the Database that is governed by CS:Govern as the owner of the encryption keys. The owner is the only one that should have access to the GuardianKey table.
4. Run or create a procedure that inserts the new key into the GuardianKey table. A sample script written for Microsoft SQL/Server is included below:

• algorithm–A descriptive name for the system that generated the key
• publicKey–the generated key
• privateKey–the generated key
• createdDate–current date and time
• modifiedDate–current date and time