Creating a new active TDE DMK creates a new encryption policy for every encrypted object. All object blocks need to go through a deencrypt and encrypt process to bring the blocks to the latest object policies.

For example, suppose that you encrypt a table named customer, and you subsequently change the DMK. You will need to update customer after you create the new encryption DB policy.

You can view the key store to determine whether updates are needed, or to validate updates, as shown in View and scan the encryption DB policy.

Note that, in the current OpenEdge release, a single operation enables encryption and TDE DB policy management. Encrypted databases created with older releases require the PROUTIL ENABLETDEDBPOLICYMANAGEMENT utility to enable TDE DB policy management.

For guidelines about your policy life cycle, see Maintain transparent data encryption.

For guidelines about your policy life cycle, see "Maintain Transparent Data Encryption" in Learn About Security and Auditing.