When you enable encryption on a database, OpenEdge generates a keystore that creates and stores the database master key. A security administrator can use a TDE DB policy rekey operation to change a database master key in the keystore of the source database. Because the keystore is external from the database, the changes to database master keys in a keystore are not carried to the after-imaging notes, and therefore when performing AI roll-forward operations, the keystore changes do not apply automatically to the hot standby database.

The security administrator or DBA must copy the matching keystore from the operating system backup to the hot standby database, back to the point up to which the hot standby database is recovered. On the source database, the keystore keeps up to 100 retired database master keys, each of which allows the RFUTIL process to open the database for performing roll-forward operations.
  • If there are fewer than 100 TDE DB policy rekey operations after the hot standby database is backed up until the point to which it is rolled to, the administrator can use the keystore backup that was made at the point the hot standby database is rolled to.
  • If all outstanding AI extents are to be rolled, the administrator can simply use the latest version of the keystore from the source database on the target database to perform the roll-forward.