Creating an encrypted database

To create an encrypted database, you can use the following:

  • The Database Initialization utility (dbinit) in combination with various options to enable strong encryption.

    The dbinit utility -ep and -ek options create a database with strong encryption, allowing you to specify the encryption key in a prompt box or on the command line. The dbinit -ea option sets the encryption algorithm to AES or AES256 (or to AES_FIPS or AES256_FIPS for the FIPS-approved algorithm). See Initialization utility (dbinit).

  • The Sybase Central Create Database Wizard to create a strongly encrypted database. See Create a database (Sybase Central).

  • The Unload Database utility (dbunload) with options to create a new database with strong encryption. The -an option creates a new database. To specify strong encryption and the encryption key in a prompt box or on the command line use the -ep or -ek option. The -ea option sets the encryption algorithm to AES or AES256 (or to AES_FIPS or AES256_FIPS for the FIPS-approved algorithm). See Unload utility (dbunload).

  • You can also use the Sybase Central Unload Database Wizard to create a strongly encrypted database. See Export data with the Unload Database Wizard.

  • The CREATE DATABASE and CREATE ENCRYPTED DATABASE statements, as shown in the procedures below.

To create an encrypted database (SQL)
  1. Connect to an existing database from Interactive SQL.

  2. Execute a CREATE DATABASE statement that includes the ENCRYPTION clause and the KEY and ALGORITHM options.

    For example, the following statement creates a database file named myencrypteddb.db in the c:\ directory using FIPS-approved 128-bit AES encryption.

    CREATE DATABASE 'c:\\myencrypteddb.db'
    TRANSACTION LOG ON
    ENCRYPTED ON
      KEY '0kZ2o52AK#'
      ALGORITHM 'AES_FIPS';

To create an encrypted database (command prompt)
  1. Use the dbinit utility to create a database. You must include -ek or -ep to specify the encryption key at the command prompt or a window, respectively.

    The following command creates a strongly encrypted database and specifies the encryption key and algorithm.

    dbinit -ek "0kZ2o56AK#" -ea AES_FIPS "myencrypteddb.db"

  2. Run the following command to start the database:

    dbeng11 myencrypteddb.db -ek "0kZ2o56AK#"

To create an encrypted database using an existing database (SQL)
  1. Connect to an existing database (other than the one you are copying) from Interactive SQL.

  2. Encrypt the database using the CREATE ENCRYPTED DATABASE statement.

    The following statement takes the database file demo.db, and creates an AES-encrypted copy of it named encryptedDemo.db.

    CREATE ENCRYPTED DATABASE 'encryptedDemo.db'
    FROM 'demo.db'
    KEY 'abc'
    ALGORITHM 'AES';

    When you execute a CREATE ENCRYPTED DATABASE statement, you are not actually encrypting (overwriting) the file; you are creating a copy of the file in encrypted form. If there are transaction logs, transaction log mirrors, or dbspaces associated with the database, encrypted copies of those files are made as well. See CREATE ENCRYPTED DATABASE statement.

Encrypting a database for technical support

If you have a database that requires recovery and you want to encrypt it before sending it to technical support, you must use the CREATE ENCRYPTED FILE statement. Any database-related files, such as the transaction log, transaction log mirrors, and dbspace files, must also be encrypted with this statement, one file at a time. See CREATE ENCRYPTED FILE statement.

Comparison of CREATE ENCRYPTED DATABASE and CREATE ENCRYPTED FILE statements

Use the CREATE ENCRYPTED DATABASE statement when you have an existing database that you want to encrypt. Use the CREATE ENCRYPTED FILE statement only when the database you want to encrypt requires recovery.

Both statements require you to have DBA authority, and you cannot be connected to the database you are encrypting when you execute the statement.

The CREATE ENCRYPTED FILE and CREATE ENCRYPTED DATABASE statements differ from each other as follows:

  • The CREATE ENCRYPTED FILE statement must be executed against each of the database-related files independently (transaction log, transaction log mirror, dbspaces, if any), whereas the CREATE ENCRYPTED DATABASE statement automatically encrypts all the database-related files.

  • The CREATE ENCRYPTED DATABASE statement cannot be used on a database requiring recovery; the CREATE ENCRYPTED FILE statement can.

  • The CREATE ENCRYPTED DATABASE statement cannot be used inside procedures, triggers, or batches. The CREATE ENCRYPTED FILE statement can.

  • The CREATE ENCRYPTED DATABASE statement supports the SIMPLE encryption algorithm, but the CREATE ENCRYPTED FILE statement does not.
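The following Python script is an added example, not part of the SQL Anywhere documentation, that turns the comparison above and the "Encrypting a database for technical support" procedure into generated SQL: one CREATE ENCRYPTED DATABASE statement for the whole database, or one CREATE ENCRYPTED FILE statement per related file (database file, transaction log, log mirror, each dbspace) when the database requires recovery. It rejects the SIMPLE algorithm for CREATE ENCRYPTED FILE, doubles embedded single quotes so a key or path cannot break the string literal, and draws a random key from the OS CSPRNG. It assumes that CREATE ENCRYPTED FILE takes the same FROM, KEY and ALGORITHM clauses shown for CREATE ENCRYPTED DATABASE above; the key length and character set, the `_encrypted` output suffix, the `recovery_file_set` helper, and the sample file names (`demo.log`, `demo.mlg`, `demo_extra.db`) are choices of this example, so check them against the DatabaseKey and CREATE ENCRYPTED FILE reference pages before use.

```python
"""Added example: emit SQL Anywhere encryption statements for a database copy.

CREATE ENCRYPTED DATABASE needs one statement for the whole set of files;
CREATE ENCRYPTED FILE must be run once per file (database, transaction log,
log mirror, each dbspace) and does not accept the SIMPLE algorithm.
"""
import secrets
import string
from typing import List, Optional, Sequence

# Algorithms named on the documentation page; SIMPLE is accepted only by
# CREATE ENCRYPTED DATABASE, never by CREATE ENCRYPTED FILE.
STRONG_ALGORITHMS = ("AES", "AES256", "AES_FIPS", "AES256_FIPS")


def sql_string(value: str) -> str:
    """Quote a value as a SQL single-quoted literal, doubling embedded quotes."""
    return "'" + value.replace("'", "''") + "'"


def encrypted_copy_name(path: str, suffix: str = "_encrypted") -> str:
    """demo.db -> demo_encrypted.db; the source file is copied, never overwritten."""
    root, dot, ext = path.rpartition(".")
    if not dot or "/" in ext or "\\" in ext:  # no real extension present
        return path + suffix
    return f"{root}{suffix}.{ext}"


def _check_algorithm(algorithm: str, allow_simple: bool) -> None:
    """Refuse anything outside the algorithms the page lists for this statement."""
    allowed = STRONG_ALGORITHMS + (("SIMPLE",) if allow_simple else ())
    if algorithm not in allowed:
        raise ValueError(f"algorithm {algorithm!r} not allowed here; use one of {allowed}")


def generate_key(length: int = 24) -> str:
    """Random key from the OS CSPRNG (character set and length are this example's choice)."""
    alphabet = string.ascii_letters + string.digits + "#%+-_@"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def create_encrypted_database(db_file: str, key: str, algorithm: str) -> str:
    """One statement; the server also copies the log, mirror and dbspace files itself."""
    _check_algorithm(algorithm, allow_simple=True)
    return (
        f"CREATE ENCRYPTED DATABASE {sql_string(encrypted_copy_name(db_file))}\n"
        f"FROM {sql_string(db_file)}\n"
        f"KEY {sql_string(key)}\n"
        f"ALGORITHM {sql_string(algorithm)};"
    )


def recovery_file_set(db_file: str, log_file: Optional[str] = None,
                      mirror_file: Optional[str] = None,
                      dbspaces: Sequence[str] = ()) -> List[str]:
    """Every file that must be encrypted separately when the database needs recovery."""
    files = [db_file]
    files += [f for f in (log_file, mirror_file) if f]
    files += list(dbspaces)
    return files


def create_encrypted_files(files: Sequence[str], key: str, algorithm: str) -> List[str]:
    """One CREATE ENCRYPTED FILE statement per file, all under the same key."""
    _check_algorithm(algorithm, allow_simple=False)
    return [
        f"CREATE ENCRYPTED FILE {sql_string(encrypted_copy_name(f))}\n"
        f"FROM {sql_string(f)}\n"
        f"KEY {sql_string(key)}\n"
        f"ALGORITHM {sql_string(algorithm)};"
        for f in files
    ]


if __name__ == "__main__":
    # Constructed sample file names; a real deployment lists its own files.
    key = generate_key()
    print(create_encrypted_database("demo.db", key, "AES256"))
    print()
    for stmt in create_encrypted_files(
            recovery_file_set("demo.db", "demo.log", "demo.mlg", ["demo_extra.db"]),
            key, "AES256_FIPS"):
        print(stmt)
        print()
```

Run the generated statements from Interactive SQL while connected to a different database, since neither statement may be executed against the database being encrypted. Keep the generated key out of shell history and process listings: record it in a key store rather than echoing it, and prefer the -ep prompt over -ek when later starting the encrypted copy.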

See also

For more information about encryption keys, see DatabaseKey connection parameter [DBKEY].

On Windows Mobile, the AES_FIPS and AES256_FIPS algorithms are only supported with ARM processors.

Note

FIPS is not available on all platforms. For a list of supported platforms, see http://www.sybase.com/detail?id=1061806.