Core Business Services - Security and Auditing
Executing the ENABLEENCRYPTION command
One command enables your database for transparent data encryption. Enabling encryption requires database administrator privilege. The basic syntax for enabling encryption is:

    proutil dbname -C enableencryption [-Cipher cipher-num] [-Autostart { user | admin }]
Enabling encryption performs many tasks on your database. When you enable encryption:
* The database BI is truncated if the database is offline and the BI is not already truncated.
* The schema for the encryption policy area is loaded.
* New audit events for encryption are loaded.
* The OpenEdge key store is created, and the key store creates and stores the database master key. The key store is named dbname.ks and is stored in the same directory as your dbname.db file.
* The master database security record is created in the encryption policies.
* A UUID for the database is set, if it is not already.
* Encryption keys are generated for encrypting the database AI and BI files (unless explicitly turned off).
* Autostart is configured for the key store, if requested:
  * If you specify user, the key store user account is used for autostart.
  * If you specify admin, the key store admin account is used for autostart.
  * If you do not specify -Autostart, manual start is configured.
* You are prompted for passphrases:
  * The key store admin passphrase is required.
  * The key store user passphrase is optional, but required if you specified user for the -Autostart parameter.
  * The PBE passphrase is mandatory if you specify the PBE cipher for your key store (-Cipher 6).
By default, PROUTIL ENABLEENCRYPTION indicates that all future AI and BI notes are encrypted. If after-imaging is enabled, enabling encryption results in an extent switch. If you enable encryption while your database is online, BI notes are not encrypted until the next time the database is started. Existing AI and BI files are not encrypted; enabling encryption essentially sets an indicator for future writes.
By default, PROUTIL ENABLEENCRYPTION uses cipher 1, "AES_CBC_128". For details on ciphers, see Cryptography. The following table lists the supported database master key ciphers.
Table 11. Database master key ciphers

    ID   Cipher   Mode   Size   Key type
    1    AES      CBC    128    binary
    2    AES      CBC    192    binary
    3    AES      CBC    256    binary
    4    DES      CBC    56     binary
    5    DES3     CBC    168    binary
    6    DES      CBC    56     PBE
    7    RC4      ECB    128    binary
The key store passphrases, as well as the database master key passphrase if using the PBE cipher, are subject to strong passphrase rules. Passphrases must conform to the constraints described in the following table:

Table 12. Passphrase constraints

    Rule                                     Value
    Minimum number of characters             8
    Maximum number of characters             2048
    Minimum number of numeric characters     1
    Minimum number of alpha characters       2
    Minimum number of punctuation characters 1
    Character set                            [a-zA-Z0-9]!@#$%^&*()_+-{}[]|\,./<>?;:<space>
    First character                          (see Character set)
    Mixed case alpha required                True
    Case sensitive                           True
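As an added example, not taken from the OpenEdge documentation, the following Python checker applies the Table 12 rules so that a candidate passphrase can be validated before it is entered at the ENABLEENCRYPTION prompts. It assumes that "punctuation" means the listed non-alphanumeric characters other than space, and that the "First character" rule only requires the first character to belong to the character set.

```python
import string

# Constraints transcribed from Table 12 (passphrase constraints).
MIN_LEN = 8
MAX_LEN = 2048
MIN_DIGITS = 1
MIN_ALPHA = 2
MIN_PUNCT = 1
# Punctuation exactly as listed in the table; "<space>" is allowed in the
# character set but (assumption) is not counted as punctuation.
PUNCTUATION = set("!@#$%^&*()_+-{}[]|\\,./<>?;:")
LETTERS = set(string.ascii_letters)
DIGITS = set(string.digits)
ALLOWED = LETTERS | DIGITS | PUNCTUATION | {" "}


def check_passphrase(passphrase: str) -> list[str]:
    """Return the names of the Table 12 rules the passphrase violates.

    An empty list means the passphrase satisfies every constraint.
    Rule names are evaluated in a fixed order so results are predictable.
    """
    problems = []
    if len(passphrase) < MIN_LEN:
        problems.append("min_length")
    if len(passphrase) > MAX_LEN:
        problems.append("max_length")
    # Character set rule (also covers the "First character" rule, since the
    # first character must simply be a member of the same set).
    if any(c not in ALLOWED for c in passphrase):
        problems.append("charset")
    if sum(c in DIGITS for c in passphrase) < MIN_DIGITS:
        problems.append("digits")
    alpha = [c for c in passphrase if c in LETTERS]
    if len(alpha) < MIN_ALPHA:
        problems.append("alpha")
    # "Mixed case alpha required": at least one lower- and one upper-case letter.
    if not (any(c.islower() for c in alpha) and any(c.isupper() for c in alpha)):
        problems.append("mixed_case")
    if sum(c in PUNCTUATION for c in passphrase) < MIN_PUNCT:
        problems.append("punctuation")
    return problems


if __name__ == "__main__":
    # Constructed sample passphrases for demonstration only.
    for candidate in ["Tde-Key2024", "tdekey2024", "Ab1=xxxxx", "A1!"]:
        print(repr(candidate), "->", check_passphrase(candidate) or "OK")
```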
Once you have enabled your database for Transparent Data Encryption, you must define encryption policies before any data is encrypted. See Configuring Transparent Data Encryption policies.