Transparent Data Encryption
- Last Updated: March 30, 2020
- OpenEdge
- Version 12.2
As part of an overall security strategy, Transparent Data Encryption provides for data privacy while the data is "at rest" in your OpenEdge database. There are many security layers in an OpenEdge application, and Transparent Data Encryption represents the inner-most layer, as shown in the following figure:

Controlling access to private data while "at rest" (that is, stored on disk inside your database) is the core of OpenEdge Transparent Data Encryption. Support for Transparent Data Encryption is embedded within the OpenEdge RDBMS and all language clients. OpenEdge combines various cipher algorithms and encryption key lengths, secure storage of encryption keys, and user access controls on your encryption keys to ensure that your data's encryption cannot be reversed by anyone other than those granted access.
Transparent Data Encryption provides protection against intruders who attempt to access your private data. Intruders fall into two categories: internal and external. An internal intruder is an employee or contractor who misuses granted access permissions. An internal intruder can be a system administrator who accesses your database even though they are not a database administrator or security administrator. An external intruder is someone who attempts to access your data from outside your company.
External intruders may try to breach your company's network security or obtain a copy of your database through other methods. Possible external intruders include a person who:
- Has accessed a company's internal network via a virus or botnet on a VPN, WAN, or LAN
- Obtains a stolen computer with a copy of your database
- Obtains a stolen copy of backup media
- Obtains a user name and password through deception, such as impersonating an employee and requesting a password be changed
If an intruder obtains a copy of your encrypted database, they cannot retrieve the data protected by encryption without also having the encryption keys.
Each encrypted database has a single, unique Database Master Key (DMK). The DMK is created and managed by your database administrator, and stored in your database keystore, which is separate from your database. Your keystore is an independent and secure entity that provides secure storage of data encryption keys and controls access in the form of user accounts.
Encryption of your database objects is managed through encryption policies. You define which objects are encrypted and the encryption cipher for the object. Policies are stored in your database in a designated Encryption Policy Area. No language client can query the Encryption Policy Area. Object policies utilize virtual data encryption keys derived from your DMK and the specified cipher. The encryption key for each encrypted database object is unique.
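The key hierarchy described above (a single DMK held in a keystore separate from the database, a virtual key per object derived from the DMK and the policy's cipher, and a stolen copy of the database being useless without the keystore) as an added Python illustration that is not OpenEdge code. The HKDF derivation, the cipher labels in the policy table, the keystore account check and the HMAC-SHA256 counter-mode keystream that stands in for the real ciphers are all assumptions made so the example runs with the standard library only.

```python
import hashlib
import hmac
import os

# Constructed model of the TDE key hierarchy. Nothing here is OpenEdge's
# actual derivation or cipher; it shows why a database copy without the
# keystore cannot be decrypted and why each object gets its own key.

def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-SHA256 with an all-zero salt (extract, then expand)."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def object_key(dmk: bytes, obj: str, cipher: str) -> bytes:
    """Virtual key for one object: derived from the DMK and the policy's
    cipher, unique per object, never written to disk (assumption)."""
    return hkdf_sha256(dmk, f"{cipher}|{obj}".encode())

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256(key, nonce || counter) keystream.
    Used only so the example needs no third-party AES implementation."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class Keystore:
    """Separate from the database; releases the DMK only to granted accounts."""
    def __init__(self, granted_users):
        self._dmk = os.urandom(32)           # created by the DBA, random per database
        self._granted = set(granted_users)
    def dmk(self, user: str) -> bytes:
        if user not in self._granted:
            raise PermissionError(f"{user} is not granted access to the DMK")
        return self._dmk

# Encryption Policy Area: which objects are encrypted and with which cipher
# (cipher names are constructed labels, not OpenEdge's).
POLICIES = {"Customer": "AES_CBC_256", "Order": "AES_CBC_128"}

def encrypt_object(keystore: Keystore, user: str, obj: str, plaintext: bytes) -> bytes:
    key = object_key(keystore.dmk(user), obj, POLICIES[obj])
    nonce = os.urandom(12)
    return nonce + keystream_xor(key, nonce, plaintext)   # stored "at rest"

def decrypt_object(keystore: Keystore, user: str, obj: str, blob: bytes) -> bytes:
    key = object_key(keystore.dmk(user), obj, POLICIES[obj])
    return keystream_xor(key, blob[:12], blob[12:])
```

Decrypting with a second `Keystore` instance models an intruder who holds the database copy but not the original keystore: the derived key is wrong and the output is garbage.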
More information on Transparent Data Encryption can be found in the following locations:
- For details on Transparent Data Encryption concepts, see the following chapters:
- For details on database administration activities related to Transparent Data Encryption, see Manage the OpenEdge Database.
- For details on implementing and maintaining Transparent Data Encryption with OpenEdge SQL, see Develop SQL for OpenEdge and OpenEdge SQL Reference.
- For details on implementing Transparent Data Encryption in conjunction with OpenEdge Replication, see Use Database Replication.