OpenEdge keystore
- Last Updated: March 30, 2020
- OpenEdge
- Version 12.2
- Documentation
Your OpenEdge database keystore is created when you enable your database for transparent data encryption through the PROUTIL ENABLEENCRYPTION command. The keystore has the following main functions:
- To store the Database Master Key (DMK) externally from the database.
- To derive the individual database object virtual keys from the DMK.
- To protect the DMK and object virtual keys from being copied.
- To control access to the keystore through built-in user accounts with strong passphrase protection.
- To deny access to a transparent data encryption-enabled database if the user cannot open the keystore by supplying a passphrase for one of the built-in keystore user accounts.
- To configure opening of the keystore through automated processes.
A keystore has two built-in user accounts, the admin account and the user account. Administrator privilege is required to create or change any keystore value, including all aspects of encryption key generation and storage, passphrases, and autostart configuration. User privilege is required to access encryption key values. You must always provide a passphrase for the admin account when you create the keystore; the user account passphrase is optional. The passphrases for the user and admin accounts must be different.
For an introduction to PROUTIL ENABLEENCRYPTION, see Enable encryption. For complete details on the command, see Manage the OpenEdge Database.
When your keystore is created, it is bound to your database but remains a separate entity. PROBKUP does not back up your keystore, so a database backup without a copy of the keystore cannot be restored to a usable state. If you create a copy of your database with PROCOPY, the keystore is not copied. The keystore is not part of your database structure definition. If you copy an encryption-enabled database, you will not be able to open the copy until you copy the keystore and rebind it to the copied database with the PROUTIL EPOLICY command.
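The following is an added illustrative model of the keystore design described above (the keystore functions, the admin and user accounts, and the binding that stops a copied database from opening until the keystore is rebound). It is not OpenEdge code and does not reproduce the OpenEdge keystore format: the DMK is wrapped under a key derived from each account's passphrase with PBKDF2, per-object virtual keys are derived from the DMK on demand rather than stored, and a binding tag ties the keystore to one database identity. The wrap construction (HMAC keystream plus HMAC tag) is a stdlib-only stand-in for an authenticated key wrap such as AES-KW or AES-GCM; the database identifiers and passphrases in the usage are constructed.

```python
"""Toy model of a passphrase-protected database keystore (assumption: not the
OpenEdge format). Demonstrates: master key stored outside the database, object
keys derived from it, two built-in accounts, and binding to one database."""
import hashlib
import hmac
import secrets
from typing import Optional

KEY_LEN = 32
PBKDF2_ITERS = 100_000  # assumption: illustrative work factor only


def _kek(passphrase: str, salt: bytes) -> bytes:
    """Passphrase -> key-encryption key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERS, KEY_LEN)


def _wrap(kek: bytes, dmk: bytes) -> bytes:
    """Toy authenticated wrap: one-block HMAC keystream XOR, then an HMAC tag.
    A production keystore would use AES-KW or AES-GCM; stdlib has no AES."""
    nonce = secrets.token_bytes(16)
    pad = hmac.new(kek, b"pad" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(dmk, pad))
    tag = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _unwrap(kek: bytes, blob: bytes) -> Optional[bytes]:
    """Return the DMK, or None when the passphrase is wrong or the entry was altered."""
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expect = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    pad = hmac.new(kek, b"pad" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))


class Keystore:
    def __init__(self, db_id: bytes, admin_passphrase: str, user_passphrase: Optional[str] = None):
        if user_passphrase == admin_passphrase:
            raise ValueError("admin and user passphrases must differ")
        self.entries = {}  # role -> (PBKDF2 salt, wrapped DMK); the DMK itself is never stored
        dmk = secrets.token_bytes(KEY_LEN)
        self._set_entry("admin", admin_passphrase, dmk)
        if user_passphrase is not None:
            self._set_entry("user", user_passphrase, dmk)
        self.binding = self._bind_tag(dmk, db_id)  # ties this keystore to one database

    @staticmethod
    def _bind_tag(dmk: bytes, db_id: bytes) -> bytes:
        return hmac.new(dmk, b"bind" + db_id, hashlib.sha256).digest()

    def _set_entry(self, role: str, passphrase: str, dmk: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.entries[role] = (salt, _wrap(_kek(passphrase, salt), dmk))

    def open(self, passphrase: str, db_id: bytes) -> "Session":
        """Open with whichever built-in account accepts the passphrase; refuse a
        keystore that is bound to a different database (a copied database)."""
        for role, (salt, blob) in self.entries.items():
            dmk = _unwrap(_kek(passphrase, salt), blob)
            if dmk is not None:
                if not hmac.compare_digest(self.binding, self._bind_tag(dmk, db_id)):
                    raise PermissionError("keystore is bound to a different database; rebind first")
                return Session(self, role, dmk)
        raise PermissionError("no keystore account accepts this passphrase")


class Session:
    def __init__(self, ks: Keystore, role: str, dmk: bytes):
        self.ks, self.role, self._dmk = ks, role, dmk

    def object_key(self, object_name: str) -> bytes:
        """Virtual key for one database object: derived from the DMK, never stored."""
        return hmac.new(self._dmk, b"obj" + object_name.encode(), hashlib.sha256).digest()

    def _require_admin(self) -> None:
        if self.role != "admin":
            raise PermissionError("administrator privilege required")

    def set_user_passphrase(self, new_passphrase: str) -> None:
        """Admin-only; rejects a user passphrase equal to the admin passphrase without
        storing either passphrase (it simply tries to unwrap the admin entry)."""
        self._require_admin()
        salt, blob = self.ks.entries["admin"]
        if _unwrap(_kek(new_passphrase, salt), blob) is not None:
            raise ValueError("user passphrase must differ from admin passphrase")
        self.ks._set_entry("user", new_passphrase, self._dmk)

    def rebind(self, new_db_id: bytes) -> None:
        """Admin-only: re-associate the keystore with a copied database."""
        self._require_admin()
        self.ks.binding = self.ks._bind_tag(self._dmk, new_db_id)


def can_open(ks: Keystore, passphrase: str, db_id: bytes) -> bool:
    try:
        ks.open(passphrase, db_id)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    ks = Keystore(b"sports2000@host-a", "admin-passphrase-1", "user-passphrase-2")  # constructed
    user = ks.open("user-passphrase-2", b"sports2000@host-a")
    print(user.role, user.object_key("Customer").hex()[:16])
    print("copy opens before rebind:", can_open(ks, "admin-passphrase-1", b"sports2000-copy@host-b"))
    ks.open("admin-passphrase-1", b"sports2000@host-a").rebind(b"sports2000-copy@host-b")
    print("copy opens after rebind:", can_open(ks, "user-passphrase-2", b"sports2000-copy@host-b"))
```

The model makes the page's points concrete: both accounts unwrap the same DMK, so object keys are identical whichever passphrase opened the keystore; only the admin session can change passphrases or rebind; and a keystore carried to a database with a different identity fails to open until an administrator rebinds it, which is the situation PROCOPY leaves you in.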