CREATE ENCRYPTED DATABASE statement

Creates an encrypted copy of an existing database, including all transaction logs and dbspaces. You can also use this statement to create a copy of a database and enable table encryption in the copy.

Syntax 1 - Create an encrypted copy of a database
CREATE ENCRYPTED DATABASE newfile
FROM oldfile
[ KEY newkey ] 
[ OLD KEY oldkey ]
[ ALGORITHM algorithm
algorithm : 
   | 'SIMPLE'
   | 'AES' 
   | 'AES256' 
   | 'AES_FIPS'
   | 'AES256_FIPS'
Syntax 2 - Create a copy of a database with table encryption enabled
CREATE ENCRYPTED TABLE DATABASE newfile
FROM oldfile
[ KEY newkey ] 
[ OLD KEY oldkey ]
[ ALGORITHM algorithm ]
Parameters
  • ENCRYPTED DATABASE clause   Use this clause to specify a name for the new encrypted database.

  • ENCRYPTED TABLE DATABASE clause   Use this clause to specify a name for the new database. The new database is not encrypted, but has table encryption enabled.

  • FROM clause   Use this clause to specify the name of the original database (oldfile).

  • KEY clause   If algorithm-key is anything other than SIMPLE, use this clause to specify the encryption key for newfile.

  • OLD KEY clause   Use this clause to specify the encryption key for oldfile. This clause is only required if oldfile is encrypted with anything other than SIMPLE encryption.

  • ALGORITHM clause   Use this clause to specify the encryption algorithm to use for newfile. If you specify a KEY clause but do not specify the ALGORITHM clause, AES (128-bit encryption) is used by default. If you specify SIMPLE for algorithm, you do not specify a KEY clause.

Remarks

oldfile can be an unencrypted database, an encrypted database, or a database with table encryption enabled.

Syntax 1 takes an existing database, oldfile, and creates an encrypted copy of it, newfile.

Syntax 2 takes an existing database, oldfile, and creates a copy of it, newfile, with table encryption enabled. When you use this syntax, any tables encrypted in oldfile are encrypted in newfile as well. If no tables were encrypted in oldfile, but you want to encrypt them, you can execute an ALTER TABLE ... ENCRYPTED statement on each table you want to encrypt. See ALTER TABLE statement.

Neither syntax replaces or removes oldfile.

If oldfile uses transaction log or transaction log mirror files, they are renamed newfile.log and newfile.mlg respectively.

If oldfile contains dbspace files, an E (for encrypted) is added to the file name. For example, when you execute the CREATE ENCRYPTED DATABASE statement, the file mydbspace.dbs is changed to mydbspace.dbsE.

You can use this statement to change the encryption algorithm and key for a database. However, the CREATE ENCRYPTED DATABASE statement produces a new file (newfile), and does not replace or remove the previous version of the file (oldfile).

CREATE ENCRYPTED DATABASE and CREATE ENCRYPTED TABLE DATABASE cannot be run against a database that requires recovery. Also, these statements are not supported in procedures, triggers, events, or batches.

For more information about simple and strong encryption, see Simple encryption, and Strong encryption.

You can also encrypt an existing database or change an existing encryption key by unloading and reloading the database using the dbunload -an option with either -ek or -ep. See Using the dbunload utility to rebuild databases.

You can also create an encrypted database, or a database with table encryption enabled, using the CREATE DATABASE statement. See CREATE DATABASE statement.

Note

FIPS is not available on all platforms. For a list of supported platforms, see [external link] http://www.sybase.com/detail?id=1002288.

Permissions

Must be a user with DBA authority.

Side effects

None.

See also
Standards and compatibility
  • SQL/2003   Vendor extension.

Example

The following example creates an encrypted copy of the demo database called demoEnc.db. The new database is encrypted with AES256 encryption.

CREATE ENCRYPTED DATABASE 'demoEnc.db'
   FROM 'demo.db'
   KEY 'Sd8f6654*Mnn'
   ALGORITHM 'AES256';

The following example creates a copy of the demo database called demoTableEnc.db. Table encryption is enabled on the new database. Since a key was specified with no algorithm, AES encryption is used.

CREATE ENCRYPTED TABLE DATABASE 'demoTableEnc.db'
   FROM 'demo.db'
   KEY 'Sd8f6654';