One command enables your database for transparent data encryption. Enabling encryption requires database administrator privilege. The basic syntax for enabling encryption is:

proutil dbname -C enableencryption [-Cipher cipher-num] [-Autostart {user | admin}]

Enabling encryption performs many tasks on your database. When you enable encryption:

  • The database BI is truncated if the database is offline and the BI is not already truncated.
  • The schema for encryption policy area is loaded.
  • New audit events for encryption are loaded.
  • The OpenEdge keystore is created, and the keystore creates and stores the database master key. The keystore is named dbname.ks, and is stored in the same directory as your dbname.db file.
  • The master database security record is created in the encryption policies.
  • A UUID for the database is set, if it is not already.
  • Encryption keys are generated for encrypting the database AI and BI files (unless explicitly turned off).
  • Autostart is configured for the keystore, if requested.
    • If you specify user, the keystore user account is used for autostart.
    • If you specify admin, the keystore admin account is used for autostart.
    • If you do not specify -Autostart, manual start is configured.
  • You are prompted for passphrases:
    • The keystore admin passphrase is required.
    • The keystore user passphrase is optional, but required if you specified user for the -Autostart parameter.
    • The PBE passphrase is mandatory if you specify the PBE cipher for your keystore (-Cipher 11 or -Cipher 12).

By default, PROUTIL ENABLEENCRYPTION indicates that all future AI and BI notes are encrypted. If after-imaging is enabled, enabling encryption results in an extent switch. If you enable encryption while your database is online, BI notes are not encrypted until the next time the database is started. Existing AI and BI files are not encrypted; enabling encryption essentially sets an indicator for future writes.

By default, PROUTIL ENABLEENCRYPTION uses cipher 1, "AES_CBC_128". For details on ciphers, see Cryptography. The following table lists the supported database master key ciphers.

Table 1. Database Master key ciphers
ID   Cipher   Mode   Size   Key type
1    AES      CBC    128    binary
2    AES      CBC    192    binary
3    AES      CBC    256    binary
4    DES      CBC    56     binary
5    DES3     CBC    168    binary
11   AES      CBC    128    PBE
12   AES      CBC    256    PBE

The keystore passphrases, as well as the database master key passphrase if using the PBE cipher, require strong passphrase rules. Passphrases must conform to the constraints described in the following table:

Table 2. Passphrase constraints
Rule                                        Value
Minimum number of characters                8
Maximum number of characters                2048
Minimum number of numeric characters        1
Minimum number of alpha characters          2
Minimum number of punctuation characters    1
Character set                               [a-zA-Z0-9]!@#$%^&*()_+-{}[]|\,./<>?;:<space>
First character                             (see Character set)
Mixed case alpha required                   True
Case sensitive                              True
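
The rules in Table 2 can be checked before a passphrase is typed at the PROUTIL prompts. The following Python function is an added example, not part of the original documentation or of OpenEdge; the name passphrase_violations is hypothetical. It assumes that "punctuation" means the symbols listed in the character set and that a space is allowed but does not count toward the punctuation minimum.

```python
import string

# Table 2 character set. Assumptions (not stated on the page): "punctuation"
# means the listed symbols, and a space is allowed but is not punctuation.
PUNCT = set("!@#$%^&*()_+-{}[]|\\,./<>?;:")
ALPHA = set(string.ascii_letters)
DIGITS = set(string.digits)
ALLOWED = ALPHA | DIGITS | PUNCT | {" "}


def passphrase_violations(passphrase):
    """Return the names of the Table 2 rules the passphrase breaks."""
    broken = []
    if len(passphrase) < 8:
        broken.append("min_length")
    if len(passphrase) > 2048:
        broken.append("max_length")
    # Non-ASCII letters and control characters fall outside the set.
    if any(c not in ALLOWED for c in passphrase):
        broken.append("charset")
    if sum(c in DIGITS for c in passphrase) < 1:
        broken.append("numeric")
    if sum(c in ALPHA for c in passphrase) < 2:
        broken.append("alpha")
    if sum(c in PUNCT for c in passphrase) < 1:
        broken.append("punctuation")
    # Mixed case: at least one upper-case and one lower-case ASCII letter.
    has_upper = any(c in string.ascii_uppercase for c in passphrase)
    has_lower = any(c in string.ascii_lowercase for c in passphrase)
    if not (has_upper and has_lower):
        broken.append("mixed_case")
    return broken


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    for sample in ("Correct-Horse7", "alllowercase1!", "Abcdefg h1", "P\u00e4ssword1!"):
        result = passphrase_violations(sample)
        print(f"{len(sample):>3} chars: {'ok' if not result else ', '.join(result)}")
```

The function returns rule names rather than echoing the input, so its output can be logged without exposing the passphrase.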

Once you have enabled your database for Transparent Data Encryption, you must define encryption policies before any data is encrypted. See Configure Transparent Data Encryption policies.