One command enables your database for transparent data encryption. The basic syntax for enabling encryption is:

proutil dbname -C enableencryption [-Cipher cipher-num] [-Autostart {user|admin}]

Enabling encryption performs the following tasks on your database:

  • TDE DB policy management is enabled (for Release 12.4 and later).
  • The database BI is truncated if the database is offline and the BI is not already truncated.
  • The schema for encryption policy area is loaded.
  • New audit events for encryption are loaded.
  • The OpenEdge keystore, which creates and stores the database master key, is created. The keystore is named dbname.ks and is stored in the same directory as your dbname.db file.
  • The master database security record is created in the encryption policies.
  • A UUID for the database is set, if not already set.
  • Encryption keys are generated for encrypting the database AI and BI files (unless explicitly turned off).
  • Autostart is configured for the keystore, if requested.
  • You are prompted for passphrases:
    • The keystore admin passphrase is required.
    • The keystore user passphrase is optional.
    • The PBE passphrase is mandatory if you specify a PBE cipher for your keystore.

By default, PROUTIL ENABLEENCRYPTION marks all future AI and BI notes for encryption. If AI is enabled, enabling encryption results in an extent switch. If you enable encryption while your database is online, BI notes are not encrypted; see "Enable BI file encryption after enabling encryption" for instructions on enabling your BI files for encryption. Existing AI and BI files are not encrypted; enabling encryption essentially sets an indicator for future writes. See "PROUTIL ENABLEENCRYPTION qualifier" for the complete syntax.
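As an added example (not Progress code), the shell function below checks the keystore placement described in the task list: that dbname.ks exists beside dbname.db. The helper name check_keystore, the owner-only permission rule, and the empty stand-in files used by the demo are assumptions for illustration, not OpenEdge requirements.

```shell
#!/bin/sh
# Added example: post-enable check for the OpenEdge TDE keystore file.
# check_keystore is a hypothetical helper, not an OpenEdge utility.
# Return codes: 0 ok, 1 database file missing, 2 keystore missing,
#               3 keystore accessible to group/other (assumed local policy).
check_keystore() {
    db=${1%.db}                      # accept "sales" or "sales.db"
    if [ ! -f "$db.db" ]; then
        echo "no database file: $db.db" >&2
        return 1
    fi
    ks="$db.ks"                      # per the page: dbname.ks beside dbname.db
    if [ ! -f "$ks" ]; then
        echo "keystore missing: $ks (not enabled, or file moved)" >&2
        return 2
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$ks" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "keystore $ks is accessible beyond its owner ($perms)" >&2
        return 3
    fi
    echo "keystore ok: $ks"
    return 0
}

# Constructed demo: empty stand-in files in a temp directory, no real database.
# Prints the three return codes: missing keystore, loose mode, owner-only mode.
demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/sales.db"
    r1=0; check_keystore "$dir/sales" >/dev/null || r1=$?
    : > "$dir/sales.ks"; chmod 644 "$dir/sales.ks"
    r2=0; check_keystore "$dir/sales.db" >/dev/null || r2=$?
    chmod 600 "$dir/sales.ks"
    r3=0; check_keystore "$dir/sales" >/dev/null || r3=$?
    rm -rf "$dir"
    echo "$r1 $r2 $r3"
}

demo
```

A return code of 2 right after enabling encryption means the keystore is not where the database expects it, which is worth catching before the next backup or restart.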