How an HSM increases security
- Last Updated: January 16, 2024
- OpenEdge
- Version 12.8
- Documentation
TDE uses an external keystore system that is not part of the OpenEdge database. Instead, the OpenEdge database is a client of the TDE keystore. This separates encryption key storage and access from the TDE encrypted data and allows client access using built-in accounts rather than database accounts.
The TDE keystore system employs a strongly encrypted and access-controlled .ks keystore file for encryption key storage. When an HSM is installed, access to the keystore additionally requires an HSM user account PIN.
Figure 1 shows how the PIN provides access to the keystore through the HSM. Adding an HSM:
- Provides secure data partitioning per OpenEdge TDE database.
- Adds a second authentication step, the HSM user account PIN, to the existing TDE keystore's passphrase.
- Adds a component that the DBA does not control to the process of opening a TDE keystore.
- Adds a requirement for physical access to the TDE keystore and HSM token to access TDE encrypted data.
When you add an HSM, the DBA no longer has sole responsibility for encrypted data. Two individuals or organizations share control over opening a TDE keystore and accessing encrypted data. See Coordinate HSM administration tasks.