
AES_GCM_ENCRYPT

Returns binary ciphertext. Data Integration uses the Advanced Encryption Standard (AES) algorithm with the Galois/Counter Mode (GCM) of operation. The AES algorithm is a FIPS-approved cryptographic algorithm that uses 128, 192, or 256-bit keys.
Use this function to prevent sensitive data from being visible to everyone. For example, to store Social Security numbers in a database, use the AES_GCM_ENCRYPT function to encrypt the Social Security numbers to maintain confidentiality.
AES-GCM creates an authentication tag of 128 bits and appends it to encrypted ciphertext. Decryption verifies and removes the authentication tag. An authentication tag is a cryptographic checksum on data that reveals both accidental errors and the intentional modification of the data.
Note: The Validate button doesn't validate this function. Review the syntax and argument rules to ensure that the arguments are valid.

Syntax

AES_GCM_ENCRYPT ( value, init_vector, key [, keysize] )
Argument: value
Required/Optional: Required
Description: String data type. The plaintext value to be encrypted into ciphertext.

Argument: init_vector
Required/Optional: Required
Description: String data type. Use the initialization vector (IV) to encrypt the plaintext. The IV must be 96-bit and randomly generated. The IV is a block of bits that is used along with the key during encryption to add randomness to the start of the encryption process.
Note: Do not re-use the IV with the same key and a different encryption string.

Argument: key
Required/Optional: Required
Description: String data type of size 128, 192, or 256 bits. If the size of the key is less than the keysize, the remainder is padded as null.

Argument: keysize
Required/Optional: The size of the key argument, in bits, determines whether the keysize argument is optional or required.
  • If the key argument size is <= 128 bits, then the keysize is optional.
  • If the key argument size is > 128 bits and <= 192 bits, then the keysize is 192 bits, and required.
  • If the key argument size is > 192 and <= 256 bits, then the keysize is 256 bits, and required.
Description: Integer data type. Size of the key provided.
Possible values: 128, 192, or 256 bits. Default value is 128 bits.

Return Value

Encrypted binary ciphertext.
NULL if the input is a null value.

Example

The following examples return encrypted values for a Social Security number. The init_vector and key values will be used later to decrypt the Social Security number.
In this example, the init_vector is 12 characters, or 96 bits; the key is 16 characters, or 128 bits; the keysize is optional because the key is the default size of 128 bits:
AES_GCM_ENCRYPT('832-17-1672', '012345678901', '1234567890123456', 128)
In this example, the init_vector is 12 characters, or 96 bits; the key is 17 characters, or 136 bits; the keysize is required. Because the size of the key is less than 192 bits, the key is padded with null characters:
AES_GCM_ENCRYPT('832-17-1672', '123456789012', '12345678901234567', 192)
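
The behaviour described above (a key null-padded up to keysize, a 96-bit IV, and a 128-bit tag appended to the ciphertext) can be reproduced with Go's standard library. This is an added example, not Informatica code: the function names are hypothetical, placing the null padding at the end of the key is an assumption, and it draws a fresh random IV for every value, as the init_vector description requires, instead of a fixed literal.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// padKey null-pads a short key up to keysize; trailing zero bytes are this sketch's assumption.
func padKey(key string, bits int) ([]byte, error) {
	if (bits != 128 && bits != 192 && bits != 256) || len(key) > bits/8 {
		return nil, errors.New("keysize must be 128, 192 or 256 bits and at least the key size")
	}
	out := make([]byte, bits/8) // zero-filled
	copy(out, key)
	return out, nil
}

// NewGCM builds AES-GCM with the standard 96-bit IV and 128-bit tag.
func NewGCM(key string, bits int) (cipher.AEAD, error) {
	k, err := padKey(key, bits)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(k) // cannot fail: k is 16, 24 or 32 bytes
	return cipher.NewGCM(block)
}

// Encrypt draws a fresh random IV per value and returns it with ciphertext||tag.
func Encrypt(gcm cipher.AEAD, value string) (iv, sealed []byte, err error) {
	iv = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(iv); err != nil {
		return nil, nil, err
	}
	return iv, gcm.Seal(nil, iv, []byte(value), nil), nil
}

// Decrypt returns plaintext only if the tag verifies; any modification is an error.
func Decrypt(gcm cipher.AEAD, iv, sealed []byte) (string, error) {
	pt, err := gcm.Open(nil, iv, sealed, nil)
	return string(pt), err
}

func main() {
	gcm, _ := NewGCM("12345678901234567", 192) // 17-character key, padded to 24 bytes
	iv, sealed, err := Encrypt(gcm, "000-00-0000") // constructed sample value
	fmt.Printf("iv=%x sealed=%x (%d bytes) err=%v\n", iv, sealed, len(sealed), err)
}
```

Store each IV alongside its ciphertext: the IV is not secret, but decryption needs the same IV and key.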

Tip

If the target does not support binary data, use AES_GCM_ENCRYPT with the ENC_BASE64 function to store the data in a format that is compatible with the database.