Transparent Data Encryption feature summary
- Last Updated: February 11, 2026
- OpenEdge
- Version 13.0
To summarize, TDE guarantees the following:
- Data stored in record or database format (binary dump, backup) is encrypted. The output of an Export command or a Dictionary dump, and data displayed on screen, is not encrypted.
- The encryption cipher algorithms provided are industry standard.
- Configurable cipher specifications allow you to select the symmetric algorithm, mode, and key size for each database object (table, LOB, index, area, AI, BI).
- The encryption key for each encrypted object is derived from a single database master encryption key and a unique per-object value, which yields a unique binary encryption key per object, per database.
- Access to the database master encryption key and the object encryption keys is restricted solely to the OpenEdge RDBMS storage engine. No direct user access is supplied, nor are these encryption keys ever transported over a network connection.
- The database encryption key is stored outside of the OpenEdge database and is protected by its own user accounts and access control. Keystore security regulates who has access to the database master encryption key and therefore to the database's encrypted data.
- The encryption policy for the database master encryption key (DMK) is known as the TDE DB policy. Database or security administrators may perform TDE DB policy management tasks on databases while the database is running.
- Adding a Hardware Security Module (HSM) as a second layer of TDE authentication adds a non-DBA controlled component to opening a TDE keystore, so that the DBA no longer has sole responsibility for encrypted data. The HSM option also provides secure data partitioning per OpenEdge TDE database, and adds a second authentication step, the HSM user account PIN, to the TDE keystore's passphrase.
- Transparent clear-text access to encrypted data is available only to an authenticated and authorized OpenEdge database user who also has the appropriate ABL or SQL run-time table and field access privileges, after a database server has been started by a database administrator with keystore access.
- The DBA must replicate and back up the encryption keystore using operating system tools.
- Online and offline configuration and maintenance of encrypted data is restricted to authenticated and authorized database administrators: a SQL DBA or an ABL Security Administrator.
- Online and offline configuration and maintenance of OpenEdge key storage configuration is restricted to authenticated and authorized DBAs, with keystore admin privileges, and may not be accessed over a network connection.
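The two properties listed above for cipher specifications and object keys (a per-object algorithm/mode/key-size choice, and object keys derived from one master key plus a per-object value so that no two objects or databases share a key) can be made concrete with a small derivation routine. The following is an added example, not OpenEdge's implementation: the KDF (HKDF with HMAC-SHA256 per RFC 5869), the `ALGORITHM_MODE_KEYBITS` cipher-spec string format, and the layout of the per-object context are all assumptions chosen for illustration.

```python
"""Illustrative per-object key derivation from a single master key.

Added example, not OpenEdge code. Assumed: HKDF-SHA256 as the KDF, a
hypothetical "<ALG>_<MODE>_<KEYBITS>" cipher-spec string, and a
(database id, object type, object name, cipher spec) tuple as the
unique per-object value mixed into the derivation.
"""
import hashlib
import hmac
import re
from typing import Dict

# Hypothetical cipher-spec format, e.g. "AES_CBC_256". Only AES-style key
# sizes are accepted so that a typo cannot silently select a short key.
_SPEC_RE = re.compile(r"^(?P<alg>[A-Z0-9]+)_(?P<mode>[A-Z]+)_(?P<bits>128|192|256)$")


def parse_cipher_spec(spec: str) -> Dict[str, object]:
    """Split a cipher-spec string into algorithm, mode and key size; reject anything else."""
    m = _SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"unsupported cipher spec: {spec!r}")
    return {"algorithm": m["alg"], "mode": m["mode"], "key_bits": int(m["bits"])}


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) extract-then-expand using HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()          # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                     # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_object_key(master_key: bytes, db_id: bytes, object_type: str,
                      object_name: str, cipher_spec: str) -> bytes:
    """Derive an object encryption key from the master key and a per-object value.

    The database id is used as the HKDF salt and the object identity plus its
    cipher spec as the info string, so the same master key produces a different
    key for every object and for the same object in a different database. The
    key length follows the key size selected in the object's cipher spec.
    """
    bits = parse_cipher_spec(cipher_spec)["key_bits"]
    info = b"|".join([b"tde-object-key", object_type.encode("utf-8"),
                      object_name.encode("utf-8"), cipher_spec.encode("ascii")])
    return hkdf_sha256(master_key, salt=db_id, info=info, length=bits // 8)


def demo() -> Dict[str, str]:
    """Derive keys for a few constructed objects and return SHA-256 fingerprints.

    Fingerprints rather than raw keys are returned, mirroring the rule that
    object keys stay inside the storage engine and are never handed out.
    """
    master_key = bytes(range(32))            # constructed sample master key
    keys = {
        "db1/table/Customer": derive_object_key(master_key, b"db1", "table", "Customer", "AES_CBC_256"),
        "db1/index/CustNum":  derive_object_key(master_key, b"db1", "index", "CustNum", "AES_CBC_128"),
        "db2/table/Customer": derive_object_key(master_key, b"db2", "table", "Customer", "AES_CBC_256"),
    }
    return {name: hashlib.sha256(k).hexdigest()[:16] for name, k in keys.items()}


if __name__ == "__main__":
    for name, fp in demo().items():
        print(f"{name:22s} key fingerprint {fp}")
```

Because the derivation is deterministic, the engine never needs to store per-object keys: it recomputes them from the master key on demand, which is what makes "one master key in a keystore, one unique key per object" workable. Rotating the master key therefore changes every object key at once, and anything that can read the keystore can derive every object key, which is why the keystore's own access control is the real boundary.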