Core Business Services - Security and Auditing
Before you start

Before you get started with Transparent Data Encryption, you should understand the following:
* Know what objects in your database need to be encrypted
OpenEdge Transparent Data Encryption gives you the flexibility to select which objects in your database need to be encrypted. You should select the smallest set of objects that contain private data. Knowledge of your database schema is required to select the appropriate objects. You will also need to consider the indexes of the encrypted objects, based on the fields that comprise the index. If your index contains critical (private) fields of an encrypted table, you should encrypt the index.
* Decide your AI and BI encryption
When you enable transparent data encryption, by default your BI files and AI files (if enabled) are also enabled for encryption. Progress Software Corporation strongly encourages you to encrypt your BI and AI files. Failure to encrypt your BI and AI files exposes your encrypted data in unencrypted form in your BI and AI notes. If you decide to accept that risk for your AI and BI files, you can disable AI and BI encryption.
* Choose the cipher(s) that meet your requirements
OpenEdge Transparent Data Encryption supports six different ciphers, which vary in strength and performance. You will need to understand your requirements to pick the correct cipher: the stronger the cipher, the harder it is to break, but the longer it takes to encrypt and decrypt your data. For a general discussion of ciphers, see Cryptography. For a list of the object ciphers supported for transparent data encryption, see Creating encryption policies with PROUTIL EPOLICY.
* Determine access to the database key store
To open an encryption-enabled database, a user must be authenticated as able to open the database key store. The key store is created when you enable your database for encryption. See OpenEdge Key Store for a detailed discussion of the OpenEdge key store. There are two ways to authenticate to the key store: manual start and autostart. With manual start, the user must supply a passphrase every time the database is opened.
For servers and utilities, an additional parameter (-Passphrase) is added to the command line to indicate that the user is to be prompted for a passphrase to open the key store. For ABL clients, the passphrase must be included in the CONNECT statement with the -KeyStorePassPhrase parameter. If the passphrase is authenticated, access is granted.
By configuring autostart, you grant access to the key store, without prompting for a passphrase, to any user who can connect to the database (single-user or multi-user) or run a database utility against it. You can override the autostart authentication by including the passphrase parameter. Manual start is more secure, but it impacts automated database administration (scripts); autostart does not impact scripts, but it gives unrestricted access to encrypted data.
Autostart has two levels of security, admin and user, that correspond to the two key store accounts. Admin access is required to add or update encryption policies or to modify the key store. User access allows the encryption and decryption of data with the existing encryption policies. For more details on autostart, see Configuring Transparent Data Encryption policies.
Note: Databases started with the AdminServer or the operating system Cluster Resource Manager cannot be configured for manual start, because there is no valid way to prompt for the passphrase in these situations. You can add an encryption-enabled database that has been started using a script as a scripted database in OpenEdge Explorer or OpenEdge Management.
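As an added illustration of the manual-start client path described above (this is example code, not code from the OpenEdge documentation or from Progress), the following ABL procedure prompts the user for the key store passphrase at run time and passes it through the -KeyStorePassPhrase connection parameter named on this page. The database name (sales), host (dbhost) and service port (20931) are placeholders; the variable names are the example's own.

```abl
/* Added example: connect an ABL client to a manual-start,
   encryption-enabled database. Database name, host and port are
   placeholders, not values from the documentation. */
DEFINE VARIABLE cPassphrase AS CHARACTER NO-UNDO.
DEFINE VARIABLE cConnect    AS CHARACTER NO-UNDO.

/* Prompt at run time rather than embedding the passphrase in source
   or in a parameter file; BLANK suppresses echo of the typed text. */
UPDATE cPassphrase FORMAT "x(64)" LABEL "Key store passphrase" BLANK.

/* -KeyStorePassPhrase is the client-side parameter for manual start. */
cConnect = "-db sales -H dbhost -S 20931 -KeyStorePassPhrase " + cPassphrase.

CONNECT VALUE(cConnect) NO-ERROR.

/* Clear the secret from memory as soon as the connect attempt is made. */
cPassphrase = "".
cConnect    = "".

IF ERROR-STATUS:ERROR OR NOT CONNECTED("sales") THEN DO:
    /* Either the passphrase failed key store authentication or the
       database itself was unreachable; the message text says which. */
    MESSAGE "Connection to encrypted database failed:" SKIP
            ERROR-STATUS:GET-MESSAGE(1)
        VIEW-AS ALERT-BOX ERROR.
    RETURN ERROR.
END.

MESSAGE "Connected to encrypted database sales." VIEW-AS ALERT-BOX INFORMATION.
DISCONNECT sales.
```

Because the passphrase is collected interactively, this pattern suits client sessions run by a person; a batch client or a database started from a script would need autostart instead, with the access trade-off the text above describes.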