ddlgen for Encrypted Columns

You can use the ddlgen utility with encrypted columns.

  • The ddlgen utility supports pre-15.0.2 encryption. Pre-15.0.2 ddlgen support includes generating DDL for an encryption key in a database, and generating DDL to synchronize encryption keys across servers.

    If you use ddlgen to generate DDL for encryption keys on SAP ASE version 15.0.2 or later, the DDL may cause errors on a pre-15.0.2 version of SAP ASE, specifically if an encryption key is encrypted by a user-specified password or has key copies.

  • The type EK, used for encryption key, generates the DDL to create an encryption key and to grant permissions on it. ddlgen generates encrypted column information and a grant decrypt statement, along with the table definition.

  • If you do not specify the -XOD option, and the key to be migrated has been created in the source database using the with passwd clause, ddlgen generates a create encryption key command with password as its explicit password. This is similar to what ddlgen does for roles and login passwords.

  • The -XOD option generates the create encryption key command that specifies the key’s encrypted value as represented in sysencryptkeys. Use the -XOD option to synchronize encryption keys across servers for data movement.

    ddlgen -XOD generates DDL that includes a system encryption password (if it was set and DDL is generated for a key encrypted with a system encryption password) and DDL for keys.
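
As an added example (not part of the SAP documentation), the following Python check scans generated DDL for create encryption key statements that carry the placeholder password described above, so the value can be replaced before the script is run on a target server. The sample DDL is constructed, and its layout, the key names, and the function names are assumptions.

```python
import re

# Constructed sample of generated DDL. The layout is an assumption for this
# example, not captured ddlgen output; key and role names are hypothetical.
SAMPLE_DDL = """\
use sales_db
go
create encryption key dbo.ssn_key for AES
with keylength 128 passwd 'password' init_vector random
go
grant select on dbo.ssn_key to payroll_role
go
create encryption key dbo.card_key for AES
with keylength 256 init_vector random
go
CREATE ENCRYPTION KEY dbo.hr_key
WITH PASSWD "password"
go
"""

BATCH_SEP = re.compile(r"^[ \t]*go[ \t]*$", re.IGNORECASE | re.MULTILINE)
CREATE_KEY = re.compile(r"^[ \t]*create\s+encryption\s+key\s+(\S+)",
                        re.IGNORECASE | re.MULTILINE)
PASSWD = re.compile(r"\bpasswd\s+(['\"])(.*?)\1", re.IGNORECASE | re.DOTALL)
PLACEHOLDER = "password"  # literal value the page says ddlgen emits without -XOD


def split_batches(ddl):
    """Split a script into batches on lines that contain only 'go'."""
    return [b.strip() for b in BATCH_SEP.split(ddl) if b.strip()]


def audit_key_ddl(ddl):
    """Return (key_name, status) for each create encryption key batch."""
    findings = []
    for batch in split_batches(ddl):
        key = CREATE_KEY.search(batch)
        if key is None:
            continue  # not a key definition (use, grant, table DDL, ...)
        pw = PASSWD.search(batch)
        if pw is None:
            status = "no-explicit-password"
        elif pw.group(2) == PLACEHOLDER:
            status = "placeholder-password"
        else:
            status = "explicit-password"
        findings.append((key.group(1), status))
    return findings


def keys_needing_edit(ddl):
    """Names of keys whose DDL still carries the placeholder password."""
    return [n for n, s in audit_key_ddl(ddl) if s == "placeholder-password"]
```
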