Interestingly, the dm_crypto_create utility is able to create AES128, AES192 and AES256 encryption keys; note the -algorithm argument:
[dmadmin@docu72dev01 ~]$ dm_crypto_create --help
Option --help has no meaning !!
Usage: dm_crypto_db_create [-lockbox <lockbox>] [-lockboxpassphrase [lockboxpassphrase]] [-keyname <keyname>] [-location <location>] [-passphrase [passphrase]] [-noprompt] [-move] [-check] [-algorithm] [-help]

-lockbox - Optional lockbox to store administration key.
-lockboxpassphrase - Passphrase for the lockbox. Should be specified for a new lockbox.
-keyname - Optional name of the administration key to be stored in lockbox.
-location - Optional location of the administration key file.
-passphrase - Optional passphrase to protect the administration key. If not specified a default passphrase will be used.
-move - Optional argument to move existing key into lockbox.
-check - Optional argument to check for an existing administration key at the specified location.
-algorithm - Optional argument to specify the algorithm used for generating key. Valid values are AES_128_CBC, AES_192_CBC and AES_256_CBC.
-noprompt - Optional flag to not prompt for default passphrase confirmation.
-help - Print this help/usage information.

** If -location is not specified, environment variable DM_CRYPTO_FILE or DOCUMENTUM will be used to determine the location.
** -passphrase and -noprompt options are exclusive.
** It is suggested that you specify a passphrase **
but DFC recognises AES128 keys only. AES256 fails with a “PBKDF2WithHmacSHA256 SecretKeyFactory not available” error (this SecretKeyFactory exists in Java 8 and later only, so a DFC running on an older JVM cannot derive the key-encryption key for an AES_256_CBC key file):
~]$ dm_crypto_create -location /tmp/aek.key -noprompt -algorithm AES_256_CBC

** Will use default passphrase **
Please wait. This will take a few seconds ...
** Successfully created key store /tmp/aek.key using algorithm AES_256_CBC
[dmadmin@docu72dev01 ~]$ iapi DCTM_DEV
Please enter a user (dmadmin):
Please enter password for dmadmin:

EMC Documentum iapi - Interactive API interface
(c) Copyright EMC Corp., 1992 - 2015
All rights reserved.
Client Library Release 7.2.0030.0072

Connecting to Server using docbase DCTM_DEV
[DM_SESSION_I_SESSION_START]info:  "Session 01024be98000746a started for user dmadmin."

Connected to Documentum Server running Release 7.2.0030.0195  Linux64.Oracle
Session id is s0
API> initcrypto,c,/tmp/aek.key
...
Unexpected problem with key generation: PBKDF2WithHmacSHA256 SecretKeyFactory not available
API>
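The failure above is raised by the JCE, not by the Content Server, so it is worth checking the JVM that DFC actually runs under before creating an AES_256_CBC key. The following is an added diagnostic, not code from the page or from DFC: it asks the installed providers for the PBKDF2WithHmacSHA256 SecretKeyFactory named in the error, reports the largest AES key size the JCE policy allows (a restricted JRE caps AES at 128 bits, which also rules out a 256-bit AEK even on Java 8), and lists every SecretKeyFactory the providers expose. The class name and the inclusion of PBKDF2WithHmacSHA1 as a comparison point are my assumptions; the page only names PBKDF2WithHmacSHA256.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;

/*
 * Added diagnostic, not part of DFC or of the original post. Run it with the
 * same JVM that iapi/DFC (or the JMS and Content Server) use, before pointing
 * initcrypto at an AES_256_CBC key file.
 */
public class AekJvmCheck {

    // PBKDF2WithHmacSHA256 is the factory named in the initcrypto error.
    // PBKDF2WithHmacSHA1 is listed only for comparison (assumption: it is
    // what a pre-Java-8 JRE offers; the page does not say DFC uses it).
    private static final String[] FACTORIES = {
        "PBKDF2WithHmacSHA1",
        "PBKDF2WithHmacSHA256",
    };

    /** true if some installed provider offers the named SecretKeyFactory. */
    public static boolean hasSecretKeyFactory(String algorithm) {
        try {
            SecretKeyFactory.getInstance(algorithm);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    /** Largest AES key (bits) the JCE policy of this JVM permits. */
    public static int maxAesKeyBits() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        for (String alg : FACTORIES) {
            System.out.printf("%-22s %s%n", alg,
                hasSecretKeyFactory(alg) ? "available" : "NOT available");
        }

        // Even with the factory present, a JRE without the unlimited-strength
        // policy files limits AES to 128 bits, so a 256-bit AEK cannot be used.
        int max = maxAesKeyBits();
        System.out.println("max AES key length = " + max
            + (max < 256 ? " (AES-256 blocked by JCE policy)" : ""));

        // Everything the installed providers expose as a SecretKeyFactory,
        // useful when the name DFC asks for is not the one you expected.
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("SecretKeyFactory".equals(s.getType())) {
                    System.out.println(p.getName() + ": " + s.getAlgorithm());
                }
            }
        }
    }
}
```

Compile and run it with the JVM DFC uses, for example `$JAVA_HOME/bin/javac AekJvmCheck.java && $JAVA_HOME/bin/java AekJvmCheck`. If PBKDF2WithHmacSHA256 is reported as NOT available, initcrypto will fail on an AES_256_CBC key exactly as shown above regardless of how the key was created. Note that the "Unsupported algorithm ID: 4" failure for AES_192_CBC (shown next) is not a JCE message, so this check can pass while initcrypto still rejects a 192-bit key.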
AES192 fails with an “Unsupported algorithm ID: 4” error:
~]$ dm_crypto_create -location /tmp/aek.key -noprompt -algorithm AES_192_CBC

** Will use default passphrase **
Please wait. This will take a few seconds ...
** Successfully created key store /tmp/aek.key using algorithm AES_192_CBC
[dmadmin@docu72dev01 ~]$ iapi DCTM_DEV
Please enter a user (dmadmin):
Please enter password for dmadmin:

EMC Documentum iapi - Interactive API interface
(c) Copyright EMC Corp., 1992 - 2015
All rights reserved.
Client Library Release 7.2.0030.0072

Connecting to Server using docbase DCTM_DEV
[DM_SESSION_I_SESSION_START]info:  "Session 01024be98000746d started for user dmadmin."

Connected to Documentum Server running Release 7.2.0030.0195  Linux64.Oracle
Session id is s0
API> initcrypto,c,/tmp/aek.key
...
Unsupported algorithm ID: 4
API>
I have checked DFC and found out that EMC made a mess not only of the encryption algorithm names on the Content Server side; their understanding of cryptography on the Java side is also extremely poor.