Change the database master key
- Last Updated: March 25, 2026
- OpenEdge
- Version 13.0
- Documentation
You can change the database master key immediately or put it into a pending state and activate it later.
The PROUTIL EPOLICY MANAGE utility lets you change the master key (and, optionally, the cipher) while the database is running. PROUTIL EPOLICY MANAGE requires Database Administrator and keystore admin privileges. Use the following syntax:
```
proutil db-name -C epolicy manage dbpolicy rekey [-Cipher <CipherName>] -Passphrase <pass.txt>
```
PROUTIL EPOLICY MANAGE creates a new current encryption DB policy and sets the existing encryption DB policy to the previous state. For more information, see Encryption DB policy states.
Before you run the utility, check the states of existing encryption DB policies. See View and scan the encryption DB policy. If there is already a previous or pending policy, the utility cannot complete the operation.
| State of DB policy | State of object encryption | Result |
|---|---|---|
| Previous encryption DB policy exists | No associated object policies | Sets state to retired. |
| Previous encryption DB policy exists | Some object policies associated with previous policy | Operation fails with a message. You must retire the previous policy, update associated objects, and retry the command. See Retire an encryption DB policy. |
| Pending encryption DB policy exists | Some object policies may be associated | Deletes pending policy and associated object policies. |
To put the DMK into a pending state, see Change the database master key and activate it later.
For syntax to change the DMK, see PROUTIL EPOLICY MANAGE qualifier.