Creates a strongly encrypted copy of a database file, transaction log, transaction log mirror, or dbspace.

Syntax

CREATE ENCRYPTED FILE newfile
FROM oldfile
{ KEY key | KEY key OLD KEY oldkey }
[ ALGORITHM { 
   'AES' 
   | 'AES256' 
   | 'AES_FIPS' 
   | 'AES256_FIPS' } ]

Parameters

Remarks

Use this statement when your database requires recovery and you need to create an encrypted copy of the database for support reasons. You must also use this statement to encrypt any database-related files such as the transaction log, transaction log mirror, or dbspace files.

When encrypting the database-related files, you must specify the same algorithm and key for all files related to the same database.

If oldfile has dbspaces or logs associated with it and you encrypt those too, you must ensure that the new name and location of those files is stored with the new database. To do so:

You can use this statement to change the encryption algorithm and key for a database. However, the CREATE ENCRYPTED FILE statement produces a new file (newfile), and does not replace or remove the previous version of the file (oldfile).

The name of the transaction log file remains the same in this process, so if the database and transaction log file are renamed, then you need to run dblog -t on the resulting database.

You can also encrypt an existing database or change an existing encryption key by unloading and reloading the database using the dbunload -an option with either -ek or -ep.

If you have a database on which table encryption is enabled, you cannot encrypt the database using this statement. However, you can use this statement to change the key used for table encryption. To encrypt a database that has table encryption enabled, use the CREATE ENCRYPTED DATABASE statement. See CREATE ENCRYPTED DATABASE statement.

This statement is not supported in procedures, triggers, events, or batches.

Permissions

Must be a user with DBA authority.

On Windows Mobile, the AES_FIPS and AES256_FIPS algorithms are only supported with ARM processors.

Side effects

None.

See also

• Encrypting and decrypting a database
• CREATE ENCRYPTED DATABASE statement
• CREATE DECRYPTED FILE statement
• Unload utility (dbunload)
• Transaction Log utility (dblog)

Standards and compatibility

Example

The following example encrypts the contacts database and creates a new database called contacts2 that is encrypted with AES_FIPS encryption.

CREATE ENCRYPTED FILE 'contacts2.db'
FROM 'contacts.db'
   KEY 'Sd8f6654*Mnn'
   ALGORITHM AES_FIPS;

The following example encrypts the contacts database and the contacts log file, renaming the both files. You will need to run dblog -ek Sd8f6654*Mnn -t contacts2.log contacts.db, since the log has been renamed and the database file still points to the old log.

CREATE ENCRYPTED FILE 'contacts2.db'
   FROM 'contacts.db'
   KEY 'Sd8f6654*Mnn';
CREATE ENCRYPTED FILE 'contacts2.log'
   FROM 'contacts.db'
   KEY 'Sd8f6654*Mnn';

The following example encrypts the contacts database and the contacts log file, leaving the original log file name untouched. In this case, you do not need to run dblog, since the name of the file remains the same.

CREATE ENCRYPTED FILE 'newpath\contacts.db'
   FROM 'contacts.db'
   KEY 'Sd8f6654*Mnn';
CREATE ENCRYPTED FILE 'newpath\contacts.log'
   FROM 'contacts.log'
   KEY 'Sd8f6654*Mnn';

To change the encryption key for a database, first create a copy of the database file using the new key, as shown in this statement:

CREATE ENCRYPTED FILE 'newcontacts.db'
 FROM 'contacts.db' 
 KEY 'newkey' OLD KEY 'oldkey';

Once you have created the encrypted file, delete contacts.db and then rename newcontacts.db to be contacts.db.