DMK encryption policies (encryption DB policies) can exist in three possible states: previous, pending, and current.

The current encryption DB policy defines the database master key that controls the generation of every object policy's encryption key. The current object encryption policy defines which objects are encrypted and the encryption cipher for the object.

At any given time, you can have one current policy plus one additional policy, either previous or pending. Previous and pending policies cannot exist at the same time. (Older versions of OpenEdge supported only one policy, without an associated state.) You can view and control policy states through the PROUTIL EPOLICY MANAGE utility.

To create more than two encryption DB policies, you must retire all previous object policies, then retire previous encryption DB policies. You can always delete all pending object policies and encryption DB policies through the EPOLICY MANAGEMENT DBPOLICY RETIRE utility.

For guidelines about your policy life cycle, see Maintain Transparent Data Encryption.

When you create a new active TDE DMK, a new encryption policy is created for every encrypted object. All object blocks need to go through a decrypt/encrypt process to bring them up to date with the latest object policies. Use the PROUTIL EPOLICY MANAGE utility to update blocks. After all object policies are updated, you can retire all previous encryption DB policies through the PROUTIL EPOLICY MANAGEMENT DBPOLICY RETIRE utility.

You can also create an inactive (pending) DMK and activate it later. When you create a new pending TDE DMK, a new pending encryption policy is created for every encrypted object. You can change the object cipher using PROUTIL EPOLICY MANAGE for any encrypted object’s pending policy. When you are ready, you can activate the pending DMK. All encrypted objects now have a new active object policy.

The PROUTIL EPOLICY VIEW utility displays key stores and encryption DB policies for the sports2020 database. This output shows current and previous policies:
PROUTIL sports2020 EPOLICY VIEW KEYSTORE
Keystore created : 01.21.2021 01:17 GMT
Keystore updated : 02.09.2021 21:51 GMT
Administrator account valid : True
User account valid : True
DMK valid : True
DMK_1 id : rt6IQS/Yo7V6FCoKgLqfBA
DMK_1 state : Active
DMK_1 created : 02.09.2021 21:51 GMT
DMK_1 updated : 02.09.2021 21:51 GMT
DMK_1 cipher : DES3_CBC_168
DMK_2 id : yqRglBmmiq15FPea6LRL9w
DMK_2 state : Active
DMK_2 created : 02.02.2021 20:03 GMT
DMK_2 updated : 02.02.2021 20:03 GMT
DMK_2 cipher : DES3_CBC_168
DBCtx valid : True
DBCtx DB id : 5qZZ52yLqLB4FBfSAO5yYA
DBCtx_1 DB policy id : rt6IQS/Yo7V6FCoKkIZ4BA
DBCtx_1 DB policy state : Current
DBCtx_1 DB policy version : 25
DBCtx_1 DMK cipher : DES3_CBC_168
DBCtx_1 DMK id : rt6IQS/Yo7V6FCoKgLqfBA
DBCtx_2 DB policy id : yqRglBmmiq15FPeaMNA49w
DBCtx_2 DB policy state : Previous
DBCtx_2 DB policy version : 24
DBCtx_2 DMK cipher : DES3_CBC_168
DBCtx_2 DMK id : yqRglBmmiq15FPea6LRL9w
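
The state rules above can be checked mechanically against this output. The following Python sketch is an added example, not part of the OpenEdge documentation or tooling: the function names are hypothetical, the sample is a constructed subset of the output shown above, and it assumes a pending policy is reported with the state label "Pending".

```python
import re

# Constructed sample: a subset of the EPOLICY VIEW KEYSTORE output shown above.
SAMPLE = """\
DMK_1 id : rt6IQS/Yo7V6FCoKgLqfBA
DMK_1 state : Active
DMK_2 id : yqRglBmmiq15FPea6LRL9w
DMK_2 state : Active
DBCtx_1 DB policy state : Current
DBCtx_1 DMK id : rt6IQS/Yo7V6FCoKgLqfBA
DBCtx_2 DB policy state : Previous
DBCtx_2 DMK id : yqRglBmmiq15FPea6LRL9w
"""

# Matches "DMK_<n> <field> : <value>" and "DBCtx_<n> <field> : <value>".
LINE = re.compile(r"^(DMK|DBCtx)_(\d+) (.+?)\s*:\s*(.+)$")

def parse_keystore_view(text):
    """Group numbered DMK and DBCtx lines by slot number and field name."""
    slots = {"DMK": {}, "DBCtx": {}}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            kind, n, field, value = m.groups()
            slots[kind].setdefault(int(n), {})[field] = value.strip()
    return slots

def audit_policy_states(text):
    """Return rule violations, plus any Previous policy still awaiting retirement."""
    slots = parse_keystore_view(text)
    dmk_ids = {d.get("id") for d in slots["DMK"].values()}
    # Assumption: a pending policy prints as "Pending"; compared case-insensitively.
    states = {n: p.get("DB policy state", "").lower()
              for n, p in slots["DBCtx"].items()}
    seen = list(states.values())
    findings = []
    if seen.count("current") != 1:
        findings.append("expected exactly one Current DB policy")
    if "previous" in seen and "pending" in seen:
        findings.append("Previous and Pending DB policies coexist")
    if len(seen) > 2:
        findings.append("more than two DB policies present")
    for n in sorted(states):
        if slots["DBCtx"][n].get("DMK id") not in dmk_ids:
            findings.append(f"DBCtx_{n} references a DMK id not in the key store")
        if states[n] == "previous":
            findings.append(f"DBCtx_{n} is Previous: not yet retired")
    return findings
```

Run against the sample, the only finding is the Previous policy in DBCtx_2, which remains until its object policies are updated and the DB policy is retired.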

The following image shows the life cycle of an encryption DB policy from an inactive pending policy to an active current policy, and finally to an active previous policy.