As part of an overall security strategy, transparent data encryption (TDE) provides data privacy while the data is "at rest" in your OpenEdge database. There are many security layers in an OpenEdge application, and TDE represents the innermost layer, as shown in the following figure:

Figure 1. Security layers in an OpenEdge application

Controlling access to private data while "at rest" (that is, stored on disk inside your database) is the core of OpenEdge TDE. Support for TDE is embedded within the OpenEdge RDBMS and all language clients. OpenEdge combines cipher algorithms, encryption key lengths, secure storage of encryption keys, and user access controls on those keys to ensure that the encryption of your data cannot be reversed by anyone other than those granted access.

TDE provides protection against internal and external intruders who attempt to access your private data. An internal intruder is an employee or contractor who misuses granted access permissions; for example, a system administrator who reads your database files even though they are not a database administrator or security administrator. An external intruder is someone who attempts to access your data from outside your company.

External intruders may try to breach your company's network security or obtain a copy of your database through other means. Possible external intruders include a person who:

  • Has gained access to your company's internal network (over a VPN, WAN, or LAN) through malware or a botnet
  • Obtains a stolen computer holding a copy of your database
  • Obtains a stolen copy of your backup media
  • Obtains a user name and password through deception, such as impersonating an employee and requesting a password change

If an intruder obtains a copy of your encrypted database, they cannot retrieve the data protected by encryption without also having the encryption keys, which are not stored in the database itself.

Each encrypted database has a single, unique Database Master Key (DMK). The DMK is created and managed by your database administrator, and stored in your database keystore, which is separate from your database. Your keystore is an independent and secure entity that provides secure storage of data encryption keys and controls access in the form of user accounts.

Encryption of your database objects is managed through encryption policies. You define which objects are encrypted and with which encryption cipher. Policies are stored in your database in a designated Encryption Policy Area, which cannot be queried by any language client. Object policies use virtual data encryption keys derived from your DMK and the specified cipher, so the encryption key for each encrypted database object is unique.
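The key hierarchy described above (one master key held in a keystore that is separate from the database, and a unique data encryption key derived from it for each encrypted object) can be illustrated in working code. The following is an added example, not OpenEdge's own code: the passphrase-gated `Keystore`, the HMAC-SHA256 derivation in `DeriveObjectKey`, the cipher label `"aes-256-gcm"`, and the sample row data are all assumptions made for illustration; the page does not state how OpenEdge derives object keys or which ciphers it uses. The point the example makes is the one in the text: a copy of the encrypted database without the keystore cannot be decrypted, and one object's key does not open another object.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"io"
)

// Keystore stands in for the separate key-storage entity the text describes:
// it holds the Database Master Key (DMK) and releases it only to an account
// that authenticates. The account/passphrase check is illustrative only.
type Keystore struct {
	dmk      []byte
	accounts map[string]string // user -> passphrase (constructed sample data)
}

// NewKeystore generates a fresh random 256-bit DMK.
func NewKeystore(accounts map[string]string) (*Keystore, error) {
	dmk := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dmk); err != nil {
		return nil, err
	}
	return &Keystore{dmk: dmk, accounts: accounts}, nil
}

// OpenDMK returns the DMK to a caller that proves it is a keystore user.
func (k *Keystore) OpenDMK(user, passphrase string) ([]byte, error) {
	want, ok := k.accounts[user]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(passphrase)) != 1 {
		return nil, errors.New("keystore: access denied")
	}
	return k.dmk, nil
}

// DeriveObjectKey derives a per-object data encryption key from the DMK, the
// object name and the cipher label. HMAC-SHA256 is this example's choice of
// derivation function (an assumption; the page does not specify OpenEdge's).
func DeriveObjectKey(dmk []byte, object, cipherName string) []byte {
	mac := hmac.New(sha256.New, dmk)
	mac.Write([]byte("tde-object-key\x00")) // domain separation label
	mac.Write([]byte(object))
	mac.Write([]byte{0})
	mac.Write([]byte(cipherName))
	return mac.Sum(nil) // 32 bytes: an AES-256 key
}

// EncryptObject encrypts one object's data with AES-256-GCM under its derived
// key. The output layout is nonce || ciphertext || authentication tag.
func EncryptObject(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptObject reverses EncryptObject; a wrong key fails GCM authentication
// rather than silently returning garbage.
func DecryptObject(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	ks, _ := NewKeystore(map[string]string{"dba": "correct horse"})
	dmk, _ := ks.OpenDMK("dba", "correct horse")
	custKey := DeriveObjectKey(dmk, "Customer", "aes-256-gcm")
	orderKey := DeriveObjectKey(dmk, "Order", "aes-256-gcm")
	fmt.Println("per-object keys differ:", !bytes.Equal(custKey, orderKey))
	// Constructed sample row; the PAN is the standard test number.
	blob, _ := EncryptObject(custKey, []byte("name=Alice;card=4111111111111111"))
	// An intruder holding only the database copy must guess the DMK.
	guess := DeriveObjectKey(make([]byte, 32), "Customer", "aes-256-gcm")
	_, err := DecryptObject(guess, blob)
	fmt.Println("decrypt without keystore:", err)
}
```

The derivation is deterministic, so the database never needs to store the per-object keys: any client that can open the DMK through the keystore recomputes them, while a stolen database file or backup carries only ciphertext.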

More information on TDE can be found in the following locations: