Core Business Services - Security and Auditing

Transparent Data Encryption feature summary

To summarize, Transparent Data Encryption guarantees the following:
* Data in a record or database format (binary dump, backup) is encrypted. Output from an Export command, from a Dictionary dump, or displayed on the screen is not encrypted.
* The encryption cipher algorithms provided are industry standard.
* Configurable cipher specifications allow you to select the symmetric algorithm, mode, and key size for each database object (table, LOB, index, area, AI, BI).
* The encryption key for each encrypted object is derived from a single database master encryption key and a unique per-object value, which yields a unique binary encryption key per object, per database.
* Access to the database master encryption key and the object encryption keys is restricted solely to the OpenEdge RDBMS storage engine. No direct user access is supplied, and these encryption keys are never transported over a network connection.
* The database encryption key is stored outside of the OpenEdge database and is protected by its own user accounts and access control. Key store security regulates who has access to the database master encryption key and therefore to the database's encrypted data.
* Transparent clear-text access to encrypted data is available only to an authenticated and authorized OpenEdge database user who also has the appropriate ABL or SQL run-time table and field access privileges, and only after a database server has been started by a database administrator with key store access.
* Replication and backup of the encryption key store must be done by the DBA using operating system tools.
* Online and offline configuration and maintenance of encrypted data is restricted to authenticated and authorized database administrators: a SQL DBA or ABL Security Administrator.
* Online and offline configuration and maintenance of the OpenEdge key store configuration is restricted to authenticated and authorized DBAs with key store admin privileges, and the configuration may not be accessed over a network connection.
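
The per-object key derivation summarized above can be illustrated with a generic construction. The following is an added example, not OpenEdge code: this page does not state which derivation function the storage engine uses, so HKDF-SHA256 (RFC 5869) stands in for it, and the function names, the database identifier, the object labels, and the 128/192/256-bit key sizes are assumptions made for the illustration.

```python
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF extract-then-expand (RFC 5869) built on HMAC-SHA256."""
    if not 0 < length <= 255 * 32:
        raise ValueError("length out of range for HKDF-SHA256")
    # Extract: condense the input keying material into a pseudorandom key.
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    # Expand: chain HMAC blocks, each bound to the context string `info`.
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_object_key(master_key: bytes, db_id: str, obj_type: str,
                      obj_id: int, key_bits: int = 256) -> bytes:
    """Derive one object's key from the master key and a unique per-object value.

    Hypothetical helper: the field layout below is an assumption, not the
    layout OpenEdge uses.
    """
    if key_bits not in (128, 192, 256):
        raise ValueError("unsupported key size")
    if len(master_key) < 16:
        raise ValueError("master key too short")
    # Length-prefix every field so ("ab", "c") and ("a", "bc") cannot collide.
    fields = [db_id.encode(), obj_type.encode(),
              str(obj_id).encode(), str(key_bits).encode()]
    info = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hkdf_sha256(master_key, b"", info, key_bits // 8)


if __name__ == "__main__":
    # Constructed master key for the demonstration only.
    master = hashlib.sha256(b"constructed demo master key").digest()
    for db, kind, oid, bits in [("salesdb", "table", 7, 256),
                                ("salesdb", "index", 7, 128),
                                ("hrdb", "table", 7, 256)]:
        key = derive_object_key(master, db, kind, oid, bits)
        print(f"{db:8} {kind:6} #{oid} {bits}-bit -> {key.hex()}")
```

Because every object key is recomputable from the master key and the object's identifying values, only the master key needs to be protected and backed up in the key store, and a compromised object key does not reveal the master key or any sibling key.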