Online TDE DB policy management
- Last Updated: March 25, 2026
- OpenEdge
- Version 13.0
- Documentation
OpenEdge databases that use TDE (Transparent Data Encryption) have an encryption policy for the database master key (DMK), known for short as the encryption DB policy. The DMK controls the generation of every object policy's encryption key.
- If you deploy your product with a TDE-enabled template database, change the encryption DB policy so that each installation has a unique set of object encryption keys.
- If your enterprise security policies need larger master keys, or keys with a different algorithm type, change the encryption DB policy.
- If you think that backup copies of both the database and the keystore have been compromised, change the encryption DB policy as insurance.
If you need to change the encryption DB policy for one of the reasons listed, see Change the database master key. You can change the encryption DB policy cipher at the same time, as described in Change the encryption DB policy cipher.
You can perform all TDE DB policy management tasks on a TDE-enabled database while the database is running. When you create a new pending DMK, you create new object policies for every encrypted object. You can also change the object cipher for any encrypted object's pending policy while the policy is pending. When you are ready, activate the pending DMK so that all encrypted objects have a new active object policy. For more about pending policies, see Encryption DB policy states.
For an example of how TDE DB policy management works with object encryption, see Encryption DB policy work flow.