Growing Transparent Data Encryption (TDE) security requirements for OpenEdge reflect increasing demands for data confidentiality. TDE provides data confidentiality only to the extent that its encryption key generation and key storage resist attack. Access to TDE-encrypted data requires opening the TDE keystore. While TDE uses strong external encryption key storage, data confidentiality ultimately depends on who controls the database, its keystore, and the keystore passphrase.

A Hardware Security Module (HSM) is an enterprise-scale physical computing device that safeguards and manages digital keys, performs encryption and decryption for digital signatures, and provides strong authentication and other cryptographic functions. An HSM can be a hardware, firmware, software, or network device. To strengthen OpenEdge keystore security, you can add an external, enterprise-managed HSM component to the OpenEdge TDE encryption key storage. The HSM storage, which may be a local, network, or cloud service, provides client access through the PKCS #11 standard API and is designed to comply with the FIPS 140-2 Level 2 certification requirements.

To prepare for implementing HSM keystore storage in your database, see Overview of HSM security. To set up an HSM component, follow the steps in Set up HSM security for TDE enabled databases.