OpenEdge databases that use Transparent Data Encryption (TDE) have an encryption policy for the database master key (DMK), known as the encryption DB policy for short. You can perform TDE DB policy management tasks on a TDE-enabled database while the database is running.

Although you should change object policies regularly for data protection, there are three use cases in which you should change the encryption DB policy:
  • If you deploy your product with a TDE-enabled template database, change the encryption DB policy so that each installation will have a unique set of object encryption keys.
  • If your enterprise security policies need larger master keys, or keys with a different algorithm type, change the encryption DB policy.
  • If you think that backup copies of both the database and the keystore have been compromised, change the encryption DB policy as insurance.

If you need to change the encryption DB policy for one of the preceding reasons, you can also change the cipher for certain database objects at the same time.

For more information, see Online TDE DB policy management.

Note: For replication-enabled databases, the source database must be OpenEdge 12.4 or higher to use this feature.