Restricted utility access
- Last Updated: September 26, 2024
- OpenEdge
- Version 12.2
When a database is configured for manual start, a passphrase is required to open the database. The passphrase specifies the keystore privileges; certain utilities and actions, such as creating encryption policies, require keystore admin privileges. For a database configured for autostart, a passphrase can also be specified at startup to change the keystore privileges used to open the database. A passphrase can likewise be specified on the command line for various utilities to authenticate with different keystore privileges. The following utilities and actions require keystore admin privileges:
- PROUTIL EPOLICY
- PROUTIL ENABLEENCRYPTION (if enabling BI or AI encryption when encryption is already enabled)
- PROUTIL DISABLEENCRYPTION
- PROUTIL TRUNCATE BI (if enabling or disabling BI encryption)
- PROBKUP ONLINE (if enabling AI encryption alongside after-imaging)
- PROUTIL AIMAGE END (if AI encryption is enabled)
- PROUTIL AIMAGE OFF (if AI encryption is enabled)
- PROUTIL CONV1112 (if encryption is enabled)
Some database utilities allow access to decrypted data for maintenance and repair. To prevent database utilities from becoming a "back door" for circumventing encryption policies, access to certain utilities is restricted to authenticated database administrators. In general, the restricted utilities are those that manage encryption policies and the keystore, and those that can provide a cleartext version of encrypted data. Access to the following utilities is denied to all users except authenticated database administrators:
- PROUTIL EPOLICY
- PROUTIL ENABLEENCRYPTION
- PROUTIL DISABLEENCRYPTION
- PROUTIL TABLEMOVE
- PROUTIL IDXMOVE
- PROUTIL TRUNCATE BI
- PROUTIL DUMP
- PROUTIL DUMPSPECIFIED
- PROUTIL AIMAGE BEGIN
- DBTOOL
Utilities that appear in both lists require both keystore administrator privileges and an authenticated database administrator in order to run.