When you back up an encrypted database, the backup file contains encrypted blocks. As blocks are written to the backup file, they are encrypted with the current encryption policy. To guarantee that the blocks are backed up with the current encryption policy, there can be no policy changes while the backup is running.

Use PROBKUP to back up the database. See Back Up a Database.

PROBKUP does not back up the keystore file, so you should back up the keystore each time you back up the database. Use an operating system backup utility to back up the keystore (.ks) file. Do not co-locate the keystore backup with the database backup.
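The two steps above combined in one shell script, as an added example that is not part of the product documentation. It runs PROBKUP in its basic offline form, then copies the keystore to a separate directory and refuses to run if that directory is the same as, or nested with, the database backup directory. The function names, directory arguments, and timestamped file names are assumptions.

```bash
#!/bin/sh
# Added example. Function names, paths and file naming are assumptions.

# Succeed only if the two directories differ and neither contains the other.
separate_dirs() {
    a=$(cd "$1" && pwd -P) || return 2
    b=$(cd "$2" && pwd -P) || return 2
    case "$a/" in "$b/"*) return 1 ;; esac
    case "$b/" in "$a/"*) return 1 ;; esac
    return 0
}

# Copy <db>.ks into ks_dir under a timestamped name, owner-only, and verify it.
backup_keystore() {
    db=$1; ks_dir=$2; stamp=$3
    src="$db.ks"
    dst="$ks_dir/$(basename "$db").$stamp.ks"
    [ -f "$src" ] || { echo "keystore $src not found" >&2; return 1; }
    ( umask 077 && cp "$src" "$dst" ) || return 1
    chmod 600 "$dst" || return 1
    cmp -s "$src" "$dst" || { echo "keystore copy differs" >&2; rm -f "$dst"; return 1; }
    printf '%s\n' "$dst"
}

# Back up the database with PROBKUP, then the keystore to a separate location.
backup_encrypted_db() {
    db=$1; bk_dir=$2; ks_dir=$3
    stamp=$(date +%Y%m%d%H%M%S)
    if ! separate_dirs "$bk_dir" "$ks_dir"; then
        echo "refusing: keystore backup would be co-located with database backup" >&2
        return 1
    fi
    probkup "$db" "$bk_dir/$(basename "$db").$stamp.bck" || return 1
    backup_keystore "$db" "$ks_dir" "$stamp"
}

# Usage: script.sh /db/path/dbname /backup/dir /keystore/backup/dir
if [ "$#" -eq 3 ]; then
    backup_encrypted_db "$@"
fi
```

The directory check only catches identical or nested paths; placing the two directories on separate storage remains the operator's responsibility.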

If you restore an encrypted database from backup with -newinstance, you cannot open the restored database until you rebind the keystore with PROUTIL EPOLICY MANAGE KEYSTORE REBIND. For the complete syntax, see PROUTIL EPOLICY MANAGE qualifier.

If your encrypted database uses HSM as a second layer of TDE authentication, and you restore it with -newinstance, see Rebind a keystore secured with HSM authentication.