Core Business Services - Security and Auditing

Disabling encryption

If you determine that you no longer need your database encrypted, you can disable encryption with the PROUTIL DISABLEENCRYPTION command. PROUTIL DISABLEENCRYPTION requires ABL security administrator or SQL database administrator privileges and key store admin privileges. The basic syntax is:
proutil dbname -C disableencryption
Disabling encryption decrypts all the data in your database, removes all the encryption policies, and archives your key store (by renaming it to dbname.ksbk).
If you have a large number of encrypted database objects, you might want to control the decryption of your objects prior to executing the DISABLEENCRYPTION command. To decrypt your data, update the encryption policy to the NULL cipher.
To decrypt data:
1. First verify that the object is encrypted with EPOLICY SCAN, as shown:
proenv>proutil t1demo -C epolicy scan area "dataarea101"
OpenEdge Release 10.2B1P as of Fri Nov 20 19:01:52 EST 2009
AREA dataarea101 / 101 CURRENT AES_CBC_128 V:1 627 of 627 blocks encrypted
2. Change the encryption policy cipher to the NULL cipher (cipher 0), as shown:
proenv>proutil t1demo -C epolicy manage area cipher "dataarea101" -Cipher 0
OpenEdge Release 10.2B1P as of Fri Nov 20 19:01:52 EST 2009
Encryption policy cipher change for Area dataarea101 in Area 101
Cipher specification change to NULL_NULL_NULL completed.
3. You can re-confirm the policy change with EPOLICY SCAN, as shown:
proenv>proutil t1demo -C epolicy scan area "dataarea101"
OpenEdge Release 10.2B1P as of Fri Nov 20 19:01:52 EST 2009
AREA dataarea101 / 101 CURRENT NULL_NULL_NULL V:2 1 of 627 blocks encrypted
AREA dataarea101 / 101 PREVIOUS AES_CBC_128 V:1 626 of 627 blocks encrypted
4. Update all the blocks to the NULL cipher policy with EPOLICY MANAGE UPDATE, as shown:
proenv>proutil t1demo -C epolicy manage area update "dataarea101"
OpenEdge Release 10.2B1P as of Fri Nov 20 19:01:52 EST 2009
5. Confirm that the object is decrypted and the policy deleted with EPOLICY SCAN, as shown:
proenv>proutil t1demo -C epolicy scan area "dataarea101"
OpenEdge Release 10.2B1P as of Fri Nov 20 19:01:52 EST 2009
No encryption policy exists for object dataarea101.
EPolicy: Encryption policy management failed -402
6. Disable encryption, as shown:
proenv>proutil t1demo -C disableencryption
OpenEdge Release 10.2B1P as of Fri Nov 20 19:01:52 EST 2009
Updating blocks of object 9/7. (15466)
Updating blocks of object 9/100. (15466)
BI Encryption has been disabled for database t1demo. (12490)
Encryption Feature has been disabled for database t1demo. (12490)
The BI file is being automatically truncated. (1526)
By decrypting your data prior to disabling encryption, you can control the impact of the update to normal database processing.
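An added example, not part of the OpenEdge documentation: a shell function that classifies captured EPOLICY SCAN output, so you can confirm how many blocks remain under a real cipher before running DISABLEENCRYPTION. The function name, the state labels, and the assumption that scan output follows the layout of the transcripts in the steps above are this example's own.

```shell
#!/bin/sh
# Added example. Classify EPOLICY SCAN output read from stdin.
# Prints "<state> <blocks still under a non-NULL cipher>", where state is:
#   encrypted  current policy still names a real cipher
#   pending    current policy is NULL_NULL_NULL, older-policy blocks remain
#   decrypted  no policy exists, or nothing remains under a real cipher
#   unknown    no recognizable scan line was found (treat as a failed check)
epolicy_scan_state() {
    awk '
        /^No encryption policy exists for object/ { nopolicy = 1 }
        $1 == "AREA" {
            # Layout assumed from the transcripts above:
            # AREA <name> / <num> CURRENT|PREVIOUS <cipher> V:<n> <x> of <y> blocks encrypted
            for (i = 2; i <= NF; i++)
                if ($i == "CURRENT" || $i == "PREVIOUS") break
            if (i > NF) next
            seen = 1
            if ($i == "CURRENT") current = $(i + 1)
            if ($(i + 1) != "NULL_NULL_NULL") remaining += $(i + 3)
        }
        END {
            if (nopolicy)                         state = "decrypted"
            else if (!seen)                       state = "unknown"
            else if (current != "NULL_NULL_NULL") state = "encrypted"
            else if (remaining > 0)               state = "pending"
            else                                  state = "decrypted"
            printf "%s %d\n", state, remaining
        }
    '
}

# Sample input: the step 3 scan output shown above, embedded so this runs offline.
SAMPLE_SCAN='OpenEdge Release 10.2B1P as of Fri Nov 20 19:01:52 EST 2009
AREA dataarea101 / 101 CURRENT NULL_NULL_NULL V:2 1 of 627 blocks encrypted
AREA dataarea101 / 101 PREVIOUS AES_CBC_128 V:1 626 of 627 blocks encrypted'

printf '%s\n' "$SAMPLE_SCAN" | epolicy_scan_state
```

Pipe the captured output of the EPOLICY SCAN commands into the function for each area; only a `decrypted` result corresponds to the condition checked in step 5.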
You can cancel DISABLEENCRYPTION at any time during the execution of the command. Cancelling DISABLEENCRYPTION does not affect the integrity and usability of the database; however, cancelling does not revert the changes that have been made. Cancelling DISABLEENCRYPTION may leave the database in one of the following states:
* BI encryption is disabled (in single-user mode if it was enabled before the disablement)
* AI encryption is disabled
* All ciphers of current policies are set to null-null-null
* All data blocks are decrypted
* The encryption feature is fully disabled
* All encryption policies are removed
Check your database .lg file or the status messages displayed on screen to determine the state of the database.