Strong encryption

Strong database encryption technology makes a database inoperable and inaccessible without a key (password). An algorithm encodes the information contained in your database and transaction log files so they cannot be deciphered.

Caution

For strongly encrypted databases, be sure to store a copy of the key in a safe location. If you lose the encryption key, there is no way to access the data, even with the assistance of technical support. The database must be discarded and you must create a new database.

Supported strong encryption algorithms

The algorithm used to implement SQL Anywhere strong encryption is AES, a block encryption algorithm chosen as the new Advanced Encryption Standard (AES) for block ciphers by the National Institute of Standards and Technology (NIST). It has many properties that lend themselves well to encryption of SQL Anywhere databases in terms of performance and size.

You can also specify a separate FIPS-approved AES algorithm for strong encryption using the AES_FIPS (128-bit) or AES256_FIPS (256-bit) type. When the database server is started with the -fips option, you can run databases encrypted with AES, AES256, AES_FIPS, or AES256_FIPS strong encryption, but not databases encrypted with simple encryption. Unencrypted databases can also be started on the server when -fips is specified. See -fips server option.

The SQL Anywhere security option must be installed on any computer used to run a database encrypted with AES_FIPS or AES256_FIPS.

Separately licensed component required

ECC encryption and FIPS-certified encryption require a separate license. All strong encryption technologies are subject to export regulations.

See Separately licensed components.

Note

FIPS is not available on all platforms. For a list of supported platforms, see http://www.sybase.com/detail?id=1061806.

Controlling strong encryption settings for your database

In SQL Anywhere, the database administrator has control over four aspects of strong encryption: strong encryption status, the encryption key, protection of the encryption key, and the encryption algorithm.

Although you cannot simply turn strong encryption on or off in an existing database, you can choose from three options for implementing strong encryption: create a database from scratch with strong encryption, rebuild an existing database and change the encryption status at that time, or use the CREATE ENCRYPTED DATABASE statement on an existing database.

You can rebuild the database to unload all the data and schema of an existing database. This creates a new database (at which point you can change a variety of settings including strong encryption status), and reloads the data into the new database. You need to know the key to unload a strongly encrypted database.
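The SQL statements behind two of these options, as an added example that is not part of the original documentation. The file names and key values are constructed placeholders, and the source database is assumed not to be running when CREATE ENCRYPTED DATABASE is executed.

```sql
-- Option 1: create a new database with strong encryption from the start.
-- 'sales_enc.db' and the key are placeholders; keep a copy of the key in a
-- safe location, because it cannot be recovered if it is lost.
CREATE DATABASE 'sales_enc.db'
    ENCRYPTED ON KEY 'Replace-With-Your-Own-Key-1'
    ALGORITHM 'AES256';

-- Option 3: produce a strongly encrypted copy of an existing unencrypted
-- database. 'sales.db' is left in place; the encrypted copy is written to
-- 'sales_enc_copy.db'.
CREATE ENCRYPTED DATABASE 'sales_enc_copy.db'
    FROM 'sales.db'
    KEY 'Replace-With-Your-Own-Key-1'
    ALGORITHM 'AES256';

-- The same statement can read an already encrypted source when its current
-- key is supplied with OLD KEY, which changes the key and the algorithm in
-- one step. AES256_FIPS needs the separately licensed FIPS component on the
-- computer that runs the database.
CREATE ENCRYPTED DATABASE 'sales_fips.db'
    FROM 'sales_enc_copy.db'
    KEY 'Replace-With-Your-Own-Key-2'
    OLD KEY 'Replace-With-Your-Own-Key-1'
    ALGORITHM 'AES256_FIPS';
```

The rebuild option is carried out with the unload and reload tools rather than a single SQL statement, so it is not shown here.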
