Requirements for crypto data management
- Last Updated: January 17, 2024
- OpenEdge
- Version 12.8
The requirements for managing and transporting crypto data depend upon the:
- Type of cryptography — In ABL, this can include symmetric cryptography, message digests, and key generation.
- Media for storage or transport — This can include static media, such as databases and external files, and dynamic media, such as session memory and network connections.
One general requirement for managing encrypted or digested data is to be certain that all keys, once generated, are recoverable. For example, if you use the GENERATE-RANDOM-KEY function to set a symmetric key and you use this function to directly set the SYMMETRIC-ENCRYPTION-KEY attribute of the SECURITY-POLICY system handle, the key value that you set is non-recoverable, because the SYMMETRIC-ENCRYPTION-KEY attribute is write-only. If you encrypt data using this setting, you can never decrypt it after the ABL session in which you encrypted the data has ended. Therefore, to correctly use the GENERATE-RANDOM-KEY function for symmetric encryption, you must use this function to set a readable variable, maintain that variable's value, and then set the SYMMETRIC-ENCRYPTION-KEY attribute from the variable. Of course, you must also ensure that you immediately save the key value in a secure location and erase the value in memory, in order both to secure your current ABL session and to safely recover the key value at a later time to decrypt whatever data you have encrypted with it.
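The following ABL procedure is an added illustration of this requirement, not code from the OpenEdge documentation. It generates the key into a readable RAW variable, sets the write-only attribute from that variable, persists the key before encrypting anything with it, erases the in-memory copy, and then shows a later session recovering the key. The variable names, the Base64 text file format, and the key file path are assumptions; the path stands in for whatever secure store your deployment uses.

```abl
/* Added example (not from the OpenEdge docs). The key file path is a
   placeholder for a secure store with restricted access.               */
DEFINE VARIABLE rKey     AS RAW       NO-UNDO.
DEFINE VARIABLE rCipher  AS RAW       NO-UNDO.
DEFINE VARIABLE mKey     AS MEMPTR    NO-UNDO.
DEFINE VARIABLE cKey64   AS CHARACTER NO-UNDO.
DEFINE VARIABLE cKeyFile AS CHARACTER NO-UNDO INITIAL "/secure/store/key.b64".

SECURITY-POLICY:SYMMETRIC-ENCRYPTION-ALGORITHM = "AES_CBC_256".

/* Non-recoverable: the key goes straight into a write-only attribute.
   SECURITY-POLICY:SYMMETRIC-ENCRYPTION-KEY = GENERATE-RANDOM-KEY.          */

/* Recoverable: generate into a readable variable first. */
rKey = GENERATE-RANDOM-KEY.
SECURITY-POLICY:SYMMETRIC-ENCRYPTION-KEY = rKey.

/* Save the key to the secure store before encrypting anything with it. */
OUTPUT TO VALUE(cKeyFile).
PUT UNFORMATTED STRING(BASE64-ENCODE(rKey)) SKIP.
OUTPUT CLOSE.

/* Erase the in-memory copy; the session attribute still holds the key. */
rKey = ?.

rCipher = ENCRYPT("sensitive text").

/* A later session: recover the key from the store, then decrypt. */
INPUT FROM VALUE(cKeyFile).
IMPORT UNFORMATTED cKey64.
INPUT CLOSE.
mKey = BASE64-DECODE(cKey64).
rKey = GET-BYTES(mKey, 1, GET-SIZE(mKey)).
SET-SIZE(mKey) = 0.                 /* release the decoded copy */

SECURITY-POLICY:SYMMETRIC-ENCRYPTION-KEY = rKey.
rKey = ?.                           /* erase again once the attribute is set */
MESSAGE GET-STRING(DECRYPT(rCipher), 1) VIEW-AS ALERT-BOX.
```

Set SECURITY-POLICY:SYMMETRIC-ENCRYPTION-KEY to the unknown value (?) when the session no longer needs it, so the key is not left in session memory longer than required.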