Before you start
- Last Updated: February 11, 2026
- OpenEdge
- Version 13.0
It is easy to get started with TDE, but before you start, you should understand the following:
- Know which objects in your database need to be encrypted.
OpenEdge TDE gives you the flexibility to select which objects in your database need to be encrypted. You should select the smallest set of objects that contain private data. Knowledge of your database schema is required to select the appropriate objects. You also need to consider the indexes of the encrypted objects, based on the fields that comprise the index. If your index contains critical (private) fields of an encrypted table, encrypt the index.
- Decide your AI and BI encryption strategy.
When you enable TDE, by default your BI files and AI files (if enabled) are also enabled for encryption. Progress strongly encourages you to encrypt your BI and AI files, because failure to encrypt them exposes your encrypted data in an unencrypted form in your BI and AI notes. If you decide to risk unencrypted data being exposed through your AI and BI notes, you can disable AI and BI encryption.
- Choose the ciphers that meet your requirements.
OpenEdge TDE supports six different ciphers. The ciphers vary in strength. You must understand your requirements to pick the correct cipher: the stronger the cipher, the harder it is to break, but the longer it takes to encrypt and decrypt your data. For a general discussion of ciphers, see Learn about Security and Auditing. For a list of the ciphers supported for TDE, see OpenEdge supported ciphers.
- Determine access to the database keystore.
To open an encryption-enabled database, you must be authenticated as able to open the database keystore. The keystore is created when you enable your database for encryption. For an in-depth discussion of the OpenEdge keystore, see Learn about Security and Auditing.
There are two ways to authenticate to the keystore: manual start and autostart. With manual start, you must supply a passphrase every time you open the database.
For servers and utilities, two additional parameters are added to the command line to indicate that the user is to be prompted for a passphrase and/or PIN to open the keystore.
  - -Passphrase: prompts the user for a passphrase to open the keystore.
  - -Pin: prompts the user for a PIN to open the keystore. A personal identification number (PIN) is required for connecting to a TDE-encrypted database where a Hardware Security Module (HSM) is configured as secondary authentication.
For ABL clients, the passphrase must be included in the CONNECT statement with the -KeyStorePassPhrase parameter. If the passphrase is authenticated, access is granted. If your database is configured with HSM authentication, you must also supply the -KeyStorePin for ABL clients.
By allowing autostart, you grant access to the keystore without prompting for a passphrase. You can override the autostart authentication by including the passphrase parameter. Manual start is more secure, but impacts automated database administration (scripts); autostart does not impact scripts, but potentially gives unrestricted access to encrypted data.
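The object-selection rule from the first item above (encrypt the tables that hold private data, plus any index whose key includes a private field of those tables), worked through as an added Python example that is not part of the Progress documentation. The schema, table, field and index names are constructed for illustration, and the function is a review aid, not an OpenEdge utility.

```python
# Added example: constructed schema, not an OpenEdge API or utility.
# table -> private fields, and index name -> fields that make up the index key.
SCHEMA = {
    "Customer": {
        "private": {"ssn", "CreditCard"},
        "indexes": {
            "CustNum": ["CustNum"],
            "SsnIdx": ["SSN"],                    # case differs from "ssn" on purpose
            "NameCard": ["Name", "CreditCard"],   # composite key with one private field
        },
    },
    "Order": {"private": set(), "indexes": {"OrderNum": ["OrderNum"]}},
    "Employee": {
        "private": {"Salary"},
        "indexes": {"EmpNum": ["EmpNum"], "DeptSalary": ["Dept", "Salary"]},
    },
}


def plan_encryption(schema):
    """Return (tables, indexes, skipped) for the smallest set of objects to encrypt.

    tables:  tables that hold at least one private field
    indexes: (table, index) pairs whose key includes a private field
    skipped: indexes on encrypted tables whose keys hold no private field
    """
    tables, indexes, skipped = [], [], []
    for table, spec in sorted(schema.items()):
        # Compare names case-insensitively so "ssn" and "SSN" match.
        private = {f.casefold() for f in spec["private"]}
        if not private:
            continue  # no private data: leave the table and its indexes unencrypted
        tables.append(table)
        for index, fields in sorted(spec["indexes"].items()):
            key = {f.casefold() for f in fields}
            (indexes if key & private else skipped).append((table, index))
    return tables, indexes, skipped


if __name__ == "__main__":
    tables, indexes, skipped = plan_encryption(SCHEMA)
    print("Encrypt tables: ", tables)
    print("Encrypt indexes:", indexes)
    print("Leave as-is:    ", skipped)
```

The skipped list is worth reviewing by hand: an index ends up there only because none of its key fields were marked private in the input.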