Before you get started with TDE (transparent data encryption) you should understand the following:

  • Know which objects in your database need to be encrypted

    OpenEdge TDE gives you the flexibility to select which objects in your database need to be encrypted. You should select the smallest set of objects that contain private data. Knowledge of your database schema is required to select the appropriate objects. You also need to consider the indexes of the encrypted objects, based on the fields that comprise the index. If your index contains critical (private) fields of an encrypted table, you should encrypt the index.

  • Decide your AI and BI encryption

    When you enable TDE, by default your BI files and AI files (if enabled) are also enabled for encryption. Progress strongly encourages you to encrypt your BI and AI files, because failure to encrypt them exposes your encrypted data in unencrypted form in your BI and AI notes. If you decide to accept that risk, you can disable AI and BI encryption.

  • Choose the ciphers that meet your requirements

    OpenEdge TDE supports six different ciphers, which vary in strength and performance. You must understand your requirements to pick the correct cipher: the stronger the cipher, the harder it is to break, but the longer it takes to encrypt and decrypt your data. For a general discussion of ciphers, see Cryptography. For a list of the object ciphers supported for TDE, see Create encryption policies with PROUTIL EPOLICY.

  • Determine access to the database keystore

    The keystore is created when you enable your database for encryption. To open an encryption-enabled database, a user must be authenticated as permitted to open the database keystore. See OpenEdge Keystore for a detailed discussion of the OpenEdge keystore. There are two ways to authenticate to the keystore: manual start and autostart. With manual start, the user must supply a passphrase every time they open the database.

    For servers and utilities, two additional parameters are added to the command line to indicate that the user is to be prompted for a passphrase to open the keystore.
    • -Passphrase — Prompts the user for a passphrase to open the keystore.
    • -Pin — For databases enabled for transparent data encryption (TDE) and using an HSM to access the keystore, select the PIN (Personal Identification Number) to specify the HSM user account password to use in HSM authentication prior to the TDE keystore authentication. If you select Pin, a pop-up prompts you to enter the PIN. If you select both Pin and Passphrase, a single pop-up prompts you for both.

    For ABL clients, the passphrase must be included in the CONNECT statement with the -KeyStorePassPhrase parameter. If the passphrase is authenticated, access is granted. If your database is configured with HSM authentication, you must also supply the -KeyStorePin for ABL clients.

    By configuring autostart, you grant access to the keystore, without prompting for a passphrase, to any user who can connect to the database (single-user or multi-user) or run a database utility against it. You can override the autostart authentication by including the passphrase parameter. Manual start is more secure, but it impacts automated database administration (scripts); autostart does not impact scripts, but it gives unrestricted access to encrypted data.

    Autostart has two levels of security, admin and user, that correspond to the two keystore accounts. Admin access is required to add or update encryption policies or modify the keystore. User access is required for the encryption and decryption of data with the existing encryption policies. For more details on autostart, see Configure Transparent Data Encryption policies.

Note: Databases started with AdminServer cannot be configured for manual start because there is no valid way to prompt for the passphrase in these situations. You can add an encryption-enabled database that has been started using a script as a scripted database in OpenEdge Management.
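The ABL client connection described above (manual-start keystore, passphrase supplied with -KeyStorePassPhrase and, for an HSM-backed keystore, -KeyStorePin), shown as an added example. This is not code from the OpenEdge documentation or from Progress; it assumes a database named salesdb on host dbhost with broker port 20931, that both parameters take their value inline on the CONNECT statement, and that the passphrase and PIN are delivered through the hypothetical environment variables SALESDB_KS_PASSPHRASE and SALESDB_HSM_PIN rather than being hard-coded in the procedure.

```abl
/* Added example, not from the OpenEdge documentation: connect an ABL client to a
   TDE-enabled database whose keystore is configured for manual start.
   Assumptions (hypothetical): database "salesdb" on host "dbhost", broker port
   20931, passphrase in SALESDB_KS_PASSPHRASE and HSM PIN in SALESDB_HSM_PIN. */

DEFINE VARIABLE cPassphrase AS CHARACTER NO-UNDO.
DEFINE VARIABLE cPin        AS CHARACTER NO-UNDO.
DEFINE VARIABLE cConnect    AS CHARACTER NO-UNDO.
DEFINE VARIABLE iMsg        AS INTEGER   NO-UNDO.

/* Read the secrets from the process environment so they never sit in the .p
   source, the r-code or a checked-in script. OS-GETENV returns ? when unset. */
ASSIGN
    cPassphrase = OS-GETENV("SALESDB_KS_PASSPHRASE")
    cPin        = OS-GETENV("SALESDB_HSM_PIN").

IF cPassphrase = ? OR cPassphrase = "" THEN DO:
    MESSAGE "Keystore passphrase not provided; refusing to connect.".
    RETURN ERROR "missing keystore passphrase".
END.

/* Base connection string plus the keystore passphrase required by manual start.
   QUOTER wraps the value so spaces or quotes in the passphrase survive parsing. */
cConnect = "-db salesdb -H dbhost -S 20931 -KeyStorePassPhrase "
         + QUOTER(cPassphrase).

/* -KeyStorePin is only required when the keystore is protected by an HSM. */
IF cPin <> ? AND cPin <> "" THEN
    cConnect = cConnect + " -KeyStorePin " + QUOTER(cPin).

CONNECT VALUE(cConnect) NO-ERROR.

/* A wrong passphrase or PIN surfaces here as a failed connect; report every
   message the client received and stop rather than continuing unconnected. */
IF ERROR-STATUS:ERROR OR NOT CONNECTED("salesdb") THEN DO:
    DO iMsg = 1 TO ERROR-STATUS:NUM-MESSAGES:
        MESSAGE ERROR-STATUS:GET-MESSAGE(iMsg).
    END.
    RETURN ERROR "keystore authentication failed".
END.

/* Clear the secrets from session memory once the keystore has been opened. */
ASSIGN
    cPassphrase = ""
    cPin        = ""
    cConnect    = "".

MESSAGE "Connected to salesdb with TDE keystore access.".
```

Keeping the passphrase out of the procedure text is the main point: an ABL client connecting to a manual-start database needs the secret at run time, but whoever can read the source, the r-code or the job script should not thereby obtain keystore access. Restrict who can set the environment on the client host accordingly, and treat the failure branch as a signal worth logging, since repeated keystore authentication failures against an encrypted database are exactly what a defender wants to notice.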