Creating a strongly-encrypted database

To create a new database with strong encryption, you can use:

  • The Database Initialization utility (dbinit) in combination with various options to enable strong encryption.

    The dbinit utility -ep and -ek options create a database with strong encryption; -ep prompts for the encryption key in a window, while -ek takes it on the command line. The dbinit -ea option sets the encryption algorithm to AES or AES256 (or to AES_FIPS or AES256_FIPS for the FIPS-approved algorithm). See Initialization utility (dbinit).

    You can also use the Sybase Central Create Database Wizard to create a strongly encrypted database. See Creating databases (Sybase Central).

  • The ENCRYPTION clause in the CREATE DATABASE statement. The KEY option sets the encryption key and the ALGORITHM option sets the encryption algorithm to AES or AES256 (or to AES_FIPS or AES256_FIPS for the FIPS-approved algorithm). See CREATE DATABASE statement.
  • The Unload Database utility (dbunload) with options to create a new database with strong encryption. The -an option creates a new database. To specify strong encryption and the encryption key in a prompt box or on the command line use the -ep or -ek option. The -ea option sets the encryption algorithm to AES or AES256 (or to AES_FIPS or AES256_FIPS for the FIPS-approved algorithm). See Unload utility (dbunload).

    You can also use the Sybase Central Unload Database Wizard to create a strongly encrypted database. See Using the Unload Database Wizard.

On Windows Mobile, the AES_FIPS and AES256_FIPS algorithms are only supported with ARM processors.

Note

FIPS is not available on all platforms. For a list of supported platforms, see SQL Anywhere Supported Platforms and Engineering Support Status.

To create a strongly encrypted database (SQL)

  1. Connect to an existing database from Interactive SQL.

  2. Execute a CREATE DATABASE statement that includes the ENCRYPTION clause and the KEY and ALGORITHM options.

    For example, the following statement creates a database file named myencrypteddb.db in the c:\ directory using FIPS-approved 128-bit AES encryption.

    CREATE DATABASE 'c:\\myencrypteddb.db'
    TRANSACTION LOG ON
    ENCRYPTED ON
      KEY '0kZ2o52AK#'
      ALGORITHM 'AES_FIPS';
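The statement above creates the file but does not show what happens next. The following added example (not part of the SQL Anywhere documentation) continues the same procedure in Interactive SQL: it creates the database, starts it on the current server with its key, connects, and confirms the algorithm the server reports. It assumes the default DBA/sql credentials of a newly created database and uses the page's sample key as a placeholder.

```sql
-- Added example: create, start and verify a strongly encrypted database.
-- Assumptions: default DBA/sql credentials; the key is a placeholder and
-- should be replaced by a long, hard-to-guess value in practice.
CREATE DATABASE 'c:\\myencrypteddb.db'
TRANSACTION LOG ON
ENCRYPTED ON
  KEY '0kZ2o52AK#'
  ALGORITHM 'AES256_FIPS';

-- The server cannot open the file without the key: omitting the KEY
-- clause here makes START DATABASE fail instead of exposing the data.
START DATABASE 'c:\\myencrypteddb.db'
  AS myencrypteddb
  KEY '0kZ2o52AK#';

CONNECT USING 'DBN=myencrypteddb;UID=DBA;PWD=sql';

-- Expected result: AES256_FIPS. 'None' means the ENCRYPTION clause did
-- not take effect; 'Simple' means obfuscation only, not strong encryption.
SELECT DB_PROPERTY( 'Encryption' ) AS algorithm;
```

Checking DB_PROPERTY('Encryption') after creating or converting a database is a cheap way to catch a mistyped ALGORITHM value or a script that silently fell back to an unencrypted file.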

To create a strongly encrypted database (command prompt)

  1. Use the dbinit utility to create a database. You must include -ek or -ep to specify the encryption key on the command line or in a window, respectively. Prefer -ep when other users of the machine could read the process command line or your shell history, since a key passed with -ek is visible there.

    The following command creates a strongly encrypted database and specifies the encryption key and algorithm.

    dbinit -ek "0kZ2o56AK#" -ea AES_FIPS "myencrypteddb.db"

  2. Run the following command to start the database:

    dbeng11 myencrypteddb.db -ek "0kZ2o56AK#"

For more information about the encryption key, see DatabaseKey connection parameter [DBKEY].

If you have a database you want to encrypt, you can do so using the CREATE ENCRYPTED FILE statement. You are not actually overwriting the file; you are creating a copy of the file in encrypted form.

To encrypt a database after it has been created

  1. Encrypt an unencrypted database using the CREATE ENCRYPTED FILE statement.

    The following example takes the database file current.db and creates an encrypted copy of it named encrypted.db. The key 'abc' is only a placeholder: the encrypted copy is no stronger than the key that protects it, so use a long, hard-to-guess key in practice.

    CREATE ENCRYPTED FILE 'encrypted.db'
    FROM 'current.db'
    KEY 'abc'
    ALGORITHM 'AES';
  2. Using the same encryption key and algorithm, and following the file name convention you used for the database file, encrypt the associated transaction log file(s), dbspace file(s), and mirror log file (if any) with the CREATE ENCRYPTED FILE statement. The main database file, its log, and its dbspaces must all be encrypted with the same key, or the server cannot open them together. See CREATE ENCRYPTED FILE statement.
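Step 2 is where most conversions go wrong, because the main database file records where its transaction log and dbspaces live. The following added example (not from the SQL Anywhere documentation) encrypts a database made up of a main file, a transaction log and one dbspace, then opens the copy to verify it. The directory names c:\db and c:\enc, the dbspace file current_data.db, the key, and the default DBA/sql credentials are assumptions. It keeps every file name unchanged and only changes the directory, so that log and dbspace references recorded with relative paths in the main file still resolve against the new location.

```sql
-- Added example: encrypt a multi-file database with one key and algorithm.
-- Run from a connection to a different database (for example the utility
-- database) while the files under c:\db are not in use, because these
-- statements read the files directly. Paths, dbspace name and key are
-- assumptions; the key is a placeholder.
CREATE ENCRYPTED FILE 'c:\\enc\\current.db'
  FROM 'c:\\db\\current.db'
  KEY 'jS7#wq!2Lp9vXb'
  ALGORITHM 'AES256';

-- The transaction log must use the same key and algorithm as the main file.
CREATE ENCRYPTED FILE 'c:\\enc\\current.log'
  FROM 'c:\\db\\current.log'
  KEY 'jS7#wq!2Lp9vXb'
  ALGORITHM 'AES256';

-- So must every dbspace; an unencrypted or differently keyed dbspace
-- leaves part of the data in the clear or makes the database unopenable.
CREATE ENCRYPTED FILE 'c:\\enc\\current_data.db'
  FROM 'c:\\db\\current_data.db'
  KEY 'jS7#wq!2Lp9vXb'
  ALGORITHM 'AES256';

-- Open the copy by file name; DBKEY supplies the key for the autostart.
CONNECT USING 'DBF=c:\\enc\\current.db;UID=DBA;PWD=sql;DBKEY=jS7#wq!2Lp9vXb';

-- Expected result: AES256.
SELECT DB_PROPERTY( 'Encryption' ) AS algorithm;
```

If the original database recorded its log with an absolute path, the encrypted copy will still look for the old, unencrypted log; in that case point the copy at the new log before starting it (the dblog utility's -t option sets the transaction log name) rather than starting the copy against the old log.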

You cannot encrypt a database if table encryption is enabled. Instead, you must recreate the database without table encryption. Also, you cannot use the CREATE ENCRYPTED FILE statement to enable table encryption for a database. To enable table encryption on a database, you must recreate the database with table encryption enabled. See Enabling table encryption.

You can decrypt a database using the CREATE DECRYPTED FILE statement. As with the CREATE ENCRYPTED FILE statement, you are creating a copy of the file (in this case, in decrypted form), and not actually overwriting the file. You must remember to decrypt not only the database file, but also the associated log files, and dbspaces. See CREATE DECRYPTED FILE statement.