The security provided by encrypting stored data is only as strong as the controls over how the encryption keys are generated, stored, and accessed. Transparent Data Encryption ensures strong data encryption by:
Using a single database master encryption key that is stored externally from the database in the OpenEdge key store (dbname.ks) file.
Not including the database master key and object encryption keys in any backup or binary/data dump media. They are not copied with the PROCOPY command either.
Enforcing strong passphrase protection on the OpenEdge encryption key store. The passphrase must be entered whenever an OpenEdge database server is started or an encryption-enabled database is connected to in single-user mode.
Not allowing anyone, including database administrators, direct access to encryption key values.
Applying multiple levels of encryption to the stored encryption keys.
Guaranteeing that database object encryption key values are unique per database and per database object in order to limit the window of data exposure in the event that an encryption key is obtained by an intruder.
Prohibiting encryption keys from being exported, imported, or shared between multiple databases. An exception to this rule is between the database and its Replication and hot standby databases, which must share the same key store.
Preventing database encryption key values from being transported across any OpenEdge network connection, regardless of whether SSL/TLS is utilized.
Disallowing remote ABL database clients (including Data Dictionary clients) from administering database encryption keys through their database object security policy records, since this sensitive data could be compromised on the client side.
Providing OpenEdge auditing events configurable to track access and administration of encryption keys and their storage.
Implementing strong passphrase rules for the OpenEdge key store.
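OpenEdge's own backup and dump utilities leave the key store out of the media they produce, as described above, but an operating-system level archive of the database directory does not know the file is special. The following check, an added example that is not part of the OpenEdge documentation, confirms that a given archive contains no dbname.ks member and that the key store itself is readable only by its owner; it assumes plain tar archives and uses constructed file names.

```bash
#!/usr/bin/env bash
# Added example (not OpenEdge's code): sanity checks for a TDE key store.
# Assumptions: backups are plain tar archives; the key store is dbname.ks.
set -eu

# Return 0 when the key store is owner-only (mode 600 or 400), 1 otherwise.
check_keystore_perms() {
  local ks="$1" mode
  [ -f "$ks" ] || { echo "MISSING: key store $ks not found"; return 1; }
  # GNU stat first, BSD/macOS stat as a fallback.
  mode=$(stat -c '%a' "$ks" 2>/dev/null || stat -f '%Lp' "$ks")
  case "$mode" in
    600|400) return 0 ;;
    *) echo "WEAK: key store $ks has mode $mode (expected 600)"; return 1 ;;
  esac
}

# Return 0 when no *.ks member is present in the archive, 1 when one is.
check_backup_excludes_keystore() {
  local archive="$1"
  [ -f "$archive" ] || { echo "MISSING: archive $archive not found"; return 1; }
  # grep without -q reads the whole listing, so tar never sees a closed pipe.
  if tar -tf "$archive" | grep '\.ks$' >/dev/null; then
    echo "LEAK: key store file found inside $archive"
    return 1
  fi
  return 0
}

# Usage: ./check_tde.sh /path/to/dbname.ks /path/to/backup.tar
if [ $# -ge 2 ]; then
  status=0
  check_keystore_perms "$1" || status=1
  check_backup_excludes_keystore "$2" || status=1
  [ "$status" -eq 0 ] && echo "OK: key store protected and absent from archive"
  exit "$status"
fi
```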