Enables your database for transparent data encryption and lets you manage encryption policies while the database is running.

Syntax

proutil db-name -C enableencryption 
       [-Cipher cipher-number][-Autostart {admin|user}]       
       [-biencryption {enable|disable}]
       [-aiencryption {enable|disable}]
       [-Passphrase][[-userid userid][-password password]]

Parameters

db-name
Name of the database where you are enabling encryption.
-Cipher cipher-number
Specifies the database master policy cipher. If not specified, cipher 3, "AES_CBC_256", is used by default. See PROUTIL EPOLICY INFO qualifier for a list of the supported ciphers and their corresponding ID numbers.
-Autostart {admin|user}
Specifies that you will allow your database to autostart authentication to the key store by the specified key store account. If not specified, the database is set to manual startup. Manual startup requires that the user enter the passphrase to authenticate the key store every time the database is opened (by servers, clients, and utilities).
-biencryption {enable|disable}
Specifies whether your BI is encrypted or not. If not specified, BI encryption is enabled.
-aiencryption {enable|disable}
Specifies whether your AI is encrypted or not. If not specified, AI encryption is enabled.
Note: Enabling ai or bi encryption when it is already enabled will return the following error:
Error - Cannot enable ai or bi encryption when it is already enabled. (19417)

The encryption will remain enabled.

-Passphrase
Specifies that the user must be prompted for a passphrase to authenticate the key store, prior to executing this command.
-userid userid -password password
Specifies the userid and password of an authenticated Database Administrator.

Successful execution of ENABLEENCRYPTION creates the database key store and makes the database ready for the creation of encryption policies. No data is encrypted by running this command.

The first time ENABLEENCRYPTION is run, you are prompted for several passphrases:

  1. The key store administrator passphrase (required).
  2. The key store user passphrase (optional).
  3. The PBE passphrase for creating the database master key (required for -Cipher 11 or -Cipher 12. -Cipher 11 specifies that the default cipher is AES128_CBC_PBE. -Cipher 12 specifies that the default cipher is AES256_CBC_PBE.)

Passphrases must conform to the constraints described in the table below.

Table 1. Passphrase constraints
Rule value
Minimum number of characters 8
Maximum number of characters 1024
Minimum number of numeric characters 1
Minimum number of alpha characters 2
Minimum number of punctuation characters 1
Character set [a-zA-Z0-9]!@#$%^&*()​+-{}[]|\,​./<>?;:<space>
First character (see Character set)
Mixed case alpha required True
Case sensitive True

Notes

  • ENABLEENCRYPTION requires Database Administrator privileges.
  • To manage encryption policies on a replication-enabled database that is running, all databases in the replication configuration must be at Release 12.4 or higher.
  • After successfully enabling your database for encryption, you can run the ENABLEENCRYPTION command again, only to enable AI and BI encryption. The ENABLEENCRYPTION command cannot disable AI and BI encryption.
  • To change settings other than AI and BI encryption, use the PROUTIL EPOLICY MANAGE command. See PROUTIL EPOLICY MANAGE qualifier for command syntax and details.
  • If after-imaging is enabled, ENABLEENCRYPTION causes an extent switch.
  • To support changing the database master key, the Transparent Data Encryption (TDE) database policy (encryption DB policy) management feature must be enabled on the database. In OpenEdge 12.4 and later, the feature is enabled when TDE is enabled on the database. The PROUTIL ENABLEENCRYPTION command enables both encryption and encryption DB policy management.

    If encryption on the database has been enabled in a prior OpenEdge release, encryption DB policy management is not enabled. To use the feature to change the database master key, you must enable TDE encryption DB policy management using the PROUTIL ENABLETDEDBPOLICYMANAGEMENT qualifier.