Controlling access to private data while "at rest" (that is, stored in a file on disk inside your database) is the core of OpenEdge Transparent Data Encryption. OpenEdge combines various cryptographic technologies and processes to give a security or database administrator control over who can access the private data within the database. OpenEdge Transparent Data Encryption is a smart choice for securing data at rest because it offers a relatively low-cost solution that is easy to implement.
Transparency — Transparent data encryption means all data encryption is performed at run-time by the OpenEdge RDBMS, without any physical changes to ABL or SQL application code or database design. Application code executes without being aware of whether the database is or is not encrypting its data.
Configurable — Configurable data encryption allows you to balance the database encryption and administration workload against individual security requirements. Transparent Data Encryption allows the DBA to configure encryption for just those database objects that require it. In this way, OpenEdge can protect sensitive data at the lowest possible cost.
The security environments that a transparent data encryption database must run in can vary. Therefore, transparent data encryption is configurable, allowing you to balance your database's encryption performance and administration workload against your security requirements. You can configure encryption for just the database objects that require it, and adjust the level of encryption security to only what is necessary to be compliant with regulations.
Care has been taken in the design of OpenEdge Transparent Data Encryption to allow you to add encryption to your database without the need for you to become an expert in designing or implementing encryption technologies. The encryption is transparent to the user, and it does not require any changes to existing ABL or SQL applications in order to access encrypted data. Using it can be as simple as enabling and configuring the feature, migrating your unencrypted data, and then resuming your normal production operations.
Transparent data encryption utilizes symmetric key encryption to encrypt private data at the block level. Encryption of your database objects is managed through encryption policies. When you create an encryption policy, you can configure the cipher algorithm and encryption key length for each encrypted object. The creation and maintenance of encryption policies is discussed in Configuring Transparent Data Encryption policies.
Transparent data encryption depends on secure storage of encryption keys, and on user access controls to your encryption keys, to ensure that your data's encryption cannot be reversed by anyone other than those granted access. Each encrypted database has a single, unique Database Master Key (DMK). The DMK is created and managed by your database administrator and stored in your database key store, which is separate from your database. Your key store is an independent and secure entity that provides secure storage of data encryption keys and controls access in the form of user accounts. Details of the OpenEdge key store are discussed in OpenEdge Key Store.
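The key hierarchy described above, modelled as an added example that is not OpenEdge code: a key store that holds the DMK outside the database and gates access, per-object encryption policies that set the key length, and block-level encryption applied transparently on write and read while objects without a policy stay in clear. The cipher is a stand-in counter-mode construction built from HMAC-SHA256 (the standard library ships no AES), and the passphrase gate, object names and record bytes are constructed for the illustration.

```python
import hashlib, hmac, os, secrets

def keystream_cipher(key, nonce, data):
    """Stand-in symmetric cipher: HMAC-SHA256 in counter mode over 32-byte chunks.
    Used only because the stdlib has no AES; the key hierarchy is the point."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

class KeyStore:
    """Holds the DMK outside the database; a passphrase-derived credential stands in
    for the key store's user accounts (constructed gate, not the OpenEdge one)."""
    def __init__(self, passphrase):
        self._salt = os.urandom(16)
        self._unlock = self._derive(passphrase)
        self._dmk = secrets.token_bytes(32)  # one unique DMK per encrypted database
    def _derive(self, passphrase):
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self._salt, 200_000)
    def open_dmk(self, passphrase):
        if not hmac.compare_digest(self._derive(passphrase), self._unlock):
            raise PermissionError("key store: access denied")
        return self._dmk

class EncryptedDatabase:
    """Blocks of objects that have an encryption policy are encrypted on write and
    decrypted on read; objects without a policy are stored in clear."""
    def __init__(self, dmk):
        self._dmk = dmk
        self.policies = {}  # object name -> key length in bytes (the policy)
        self.blocks = {}    # (object, block number) -> bytes as written to disk
    def set_policy(self, obj, key_bytes):
        self.policies[obj] = key_bytes
    def _object_key(self, obj):
        # Per-object key derived from the DMK, truncated to the policy's key length.
        return hmac.new(self._dmk, obj.encode(), hashlib.sha256).digest()[:self.policies[obj]]
    def write(self, obj, block_no, plain):
        if obj not in self.policies:
            self.blocks[(obj, block_no)] = plain
            return
        nonce = os.urandom(16)  # fresh for every write and stored with the block
        self.blocks[(obj, block_no)] = nonce + keystream_cipher(self._object_key(obj), nonce, plain)
    def read(self, obj, block_no):
        stored = self.blocks[(obj, block_no)]
        if obj not in self.policies:
            return stored
        return keystream_cipher(self._object_key(obj), stored[:16], stored[16:])
```

A block written under one DMK reads back as noise under any other, which is why the text pairs the encryption itself with access control on the key store rather than on the database files.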