Database keystore
- Last Updated: January 16, 2024
- OpenEdge
- Version 12.8
Your database keystore is created when you enable your database for transparent data encryption using the PROUTIL ENABLEENCRYPTION command. The keystore has the following main functions:
- Stores the Database Master Key (DMK) externally from the database
- Derives the database object virtual keys from the DMK
- Protects the DMK and object virtual keys from being copied
- Controls access to the keystore through built-in user accounts with strong passphrase protection
- Denies access to a transparent data encryption-enabled database if the user cannot open the keystore by supplying a passphrase for one of the built-in keystore user accounts
- Configures opening of the keystore through automated processes
A keystore has two built-in user accounts: the admin account and the user account. Keystore administrator privilege is required to create or change any keystore value, including all aspects of encryption key generation and storage. User privilege is required to access encryption key values. You must always provide a passphrase for the keystore admin account when you create the keystore; the user account passphrase is optional. The passphrases for the keystore user and admin accounts must be different.
Passphrases must comply with the rules described in the table below.
| Rule | Value |
|---|---|
| Minimum number of characters | 8 |
| Maximum number of characters | 2048 |
| Minimum number of numeric characters | 1 |
| Minimum number of alpha characters | 2 |
| Minimum number of punctuation characters | 1 |
| Character set | [a-zA-Z0-9]!@#$%^&*()_+-{}[]\|\,./<>?;:<space> |
| First character | (see Character set) |
| Mixed case alpha required | True |
| Case sensitive | True |
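The rules in the table are easy to get wrong by hand, so here is an added pre-check that applies them before you run PROUTIL ENABLEENCRYPTION. It is example code written for this page, not part of OpenEdge; the character set is copied from the table, and it assumes that the space character is allowed but does not count as punctuation.

```python
import string
from typing import List, Optional

# Character set taken from the passphrase rules table on this page.
PUNCTUATION = set("!@#$%^&*()_+-{}[]|\\,./<>?;:")
ALLOWED = set(string.ascii_letters) | set(string.digits) | PUNCTUATION | {" "}


def check_keystore_passphrase(passphrase: str) -> List[str]:
    """Return the rules the passphrase breaks; an empty list means compliant.

    Assumption: <space> is permitted but is not counted as punctuation.
    """
    problems = []
    if len(passphrase) < 8:
        problems.append("fewer than 8 characters")
    if len(passphrase) > 2048:
        problems.append("more than 2048 characters")
    outside = sorted({c for c in passphrase if c not in ALLOWED})
    if outside:
        problems.append("characters outside the allowed set: " + "".join(outside))
    if sum(c in string.digits for c in passphrase) < 1:
        problems.append("at least 1 numeric character required")
    if sum(c in string.ascii_letters for c in passphrase) < 2:
        problems.append("at least 2 alpha characters required")
    if not any(c in PUNCTUATION for c in passphrase):
        problems.append("at least 1 punctuation character required")
    has_lower = any(c in string.ascii_lowercase for c in passphrase)
    has_upper = any(c in string.ascii_uppercase for c in passphrase)
    if not (has_lower and has_upper):
        problems.append("mixed case alpha required")
    return problems


def check_keystore_accounts(admin: str, user: Optional[str] = None) -> List[str]:
    """Check the mandatory admin passphrase and the optional user passphrase.

    The two must differ; the comparison is exact because passphrases are
    case sensitive.
    """
    problems = ["admin: " + p for p in check_keystore_passphrase(admin)]
    if user is not None:
        problems += ["user: " + p for p in check_keystore_passphrase(user)]
        if user == admin:
            problems.append("admin and user passphrases must be different")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates, not real passphrases.
    for candidate in ["Tr0ub4dor&3x", "password", "Sh0rt!", "Valid Pa55~word!"]:
        print(repr(candidate), "->", check_keystore_passphrase(candidate) or "compliant")
    print(check_keystore_accounts("Tr0ub4dor&3x", "Tr0ub4dor&3x"))
```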
When your keystore is created, it is bound to your database, but it remains a separate entity. PROBKUP does not back up your keystore. If you create a copy of your database with PROCOPY, the keystore is not copied. The keystore is not part of your database structure definition. If you copy an encryption-enabled database, you will not be able to open the copy until you copy and rebind the keystore to the copied database using the PROUTIL EPOLICY command.
The keystore is separate from your database for security reasons, and you must securely back it up when you back up your database. Protecting your keystore is vital to maintaining access to your encrypted database. Without your keystore, you will be unable to open your database.
Compare your database and keystore to your car and car keys. The keystore is separate from your database because tying them together would be like leaving your car key in the door lock; your door might be locked, but the probability of someone "breaking in" is greatly increased. Also like your car, you want to have a secure backup of your car keys or keystore in case the original is lost.