Database Administration
Before you start
It is easy to get started with Transparent Data Encryption, but before you start, you should understand the following:
* Know what objects in your database need to be encrypted.
OpenEdge Transparent Data Encryption gives you the flexibility to select which objects in your database need to be encrypted. You should select the smallest set of objects that contain private data. Knowledge of your database schema is required to select the appropriate objects. You will also need to consider the indexes of the encrypted objects, based on the fields that comprise the index. If your index contains critical (private) fields of an encrypted table, you should encrypt the index.
* Decide your AI and BI encryption strategy.
When you enable transparent data encryption, by default your BI files and AI files (if enabled) are also enabled for encryption. Progress Software Corporation strongly encourages you to encrypt your BI and AI files. Failure to encrypt your BI and AI files exposes your encrypted data in an unencrypted form in your BI and AI notes. If you decide to risk unencrypted data being exposed through your AI and BI notes, you can disable AI and BI encryption.
* Choose the cipher(s) that meet your requirements.
OpenEdge Transparent Data Encryption supports six different ciphers. The ciphers vary in strength. You need to understand your requirements to pick the correct cipher; the stronger the cipher, the harder it is to break, but it also takes longer to encrypt and decrypt your data. For a general discussion of ciphers, see OpenEdge Getting Started: Core Business Services - Security and Auditing. For a list of the ciphers supported for Transparent Data Encryption, see OpenEdge supported ciphers.
* Determine access to the database key store.
To open an encryption-enabled database, you must be authenticated as able to open the database key store. The key store is created when you enable your database for encryption. For an in-depth discussion of the OpenEdge key store, see OpenEdge Getting Started: Core Business Services - Security and Auditing.
There are two ways to authenticate to the key store: manual start and autostart. With manual start, every time you open the database, you must supply a passphrase.
For servers and utilities, and single-user or self-service clients, you can include an additional parameter (-Passphrase) on the command line to indicate that you are to be prompted for a passphrase to open the key store.
For ABL clients, the passphrase must be included in the CONNECT statement with the -KeyStorePassPhrase parameter. If the passphrase is authenticated, access is granted. See Running with Transparent Data Encryption enabled for more information.
By allowing autostart, you are granting access to the key store without prompting for a passphrase. You can override the autostart authentication by including the passphrase parameter. Manual start is more secure, but impacts automated database administration (scripts); autostart does not impact scripts, but potentially gives unrestricted access to encrypted data.
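
The object-selection rule from the first item above, as an added example that is not part of the Progress documentation: given a constructed schema description, it selects the tables that hold private fields and only those indexes whose keys include one. The dictionary layout and all table, field and index names are assumptions for illustration, not an OpenEdge export format.

```python
# Constructed sample schema (hypothetical names and layout).
SCHEMA = {
    "Customer": {
        "private_fields": {"TaxId", "CreditCard"},
        "indexes": {
            "CustNum": ["CustNum"],
            "TaxIdIdx": ["TaxId"],
            "NameCard": ["Name", "CreditCard"],
        },
    },
    "Order": {
        "private_fields": set(),
        "indexes": {"OrderNum": ["OrderNum"]},
    },
    "Employee": {
        "private_fields": {"SSN"},
        "indexes": {"EmpNum": ["EmpNum"], "DeptName": ["Dept", "LastName"]},
    },
}


def plan_encryption(schema):
    """Return (tables, indexes, skipped).

    tables  : tables that hold private data and should be encrypted
    indexes : (index, private key fields) pairs to encrypt, because the
              index key stores a copy of a private field value
    skipped : indexes of encrypted tables whose keys hold no private field
    """
    tables, indexes, skipped = [], [], []
    for table, meta in sorted(schema.items()):
        private = meta["private_fields"]
        if not private:
            continue  # no private data: keep the encrypted set small
        tables.append(table)
        for idx, key_fields in sorted(meta["indexes"].items()):
            exposed = sorted(private.intersection(key_fields))
            if exposed:
                indexes.append((f"{table}.{idx}", exposed))
            else:
                skipped.append(f"{table}.{idx}")
    return tables, indexes, skipped


if __name__ == "__main__":
    tables, indexes, skipped = plan_encryption(SCHEMA)
    print("Encrypt tables: ", tables)
    print("Encrypt indexes:", indexes)
    print("Leave as-is:    ", skipped)
```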