CREATE ENCRYPTED DATABASE statement

Creates an encrypted copy of an existing database, including all transaction logs and dbspaces.

Syntax 1 - Create an encrypted copy of a database

CREATE ENCRYPTED DATABASE newfile
FROM oldfile
[ KEY newkey ] 
[ ALGORITHM algorithm ]
[ OLD KEY oldkey ]

algorithm : 
   'SIMPLE'
   | 'AES' 
   | 'AES256' 
   | 'AES_FIPS'
   | 'AES256_FIPS'

Syntax 2 - Create a copy of a database with table encryption enabled

CREATE ENCRYPTED TABLE DATABASE newfile
FROM oldfile
[ KEY newkey ] 
[ ALGORITHM algorithm ]
[ OLD KEY oldkey ]

Parameters

CREATE ENCRYPTED DATABASE clause Use this clause to specify a name for the new encrypted database.
CREATE ENCRYPTED TABLE DATABASE clause Use this clause to specify a name for the new database. The new database is not encrypted, but has table encryption enabled.
FROM clause Use this clause to specify the name of the original database (oldfile).
KEY clause If algorithm-key is anything other than SIMPLE, use this clause to specify the encryption key for newfile.
OLD KEY clause Use this clause to specify the encryption key for oldfile. This clause is only required if oldfile is encrypted with anything other than SIMPLE encryption.
ALGORITHM clause Use this clause to specify the encryption algorithm to use for newfile. If you specify a KEY clause but do not specify the ALGORITHM clause, AES (128-bit encryption) is used by default. If you specify SIMPLE for algorithm, you do not specify a KEY clause.

Remarks

You can also use this statement to create a copy of a database and enable table encryption in the copy.

oldfile can be an unencrypted database, an encrypted database, or a database with table encryption enabled.

Syntax 1 takes an existing database, oldfile, and creates an encrypted copy of it, newfile.

Syntax 2 takes an existing database, oldfile, and creates a copy of it, newfile, with table encryption enabled. When you use this syntax, any tables encrypted in oldfile are encrypted in newfile as well. If no tables were encrypted in oldfile, but you want to encrypt them, you can execute an ALTER TABLE...ENCRYPTED statement on each table you want to encrypt.

Neither syntax replaces or removes oldfile.

If oldfile uses transaction log or transaction log mirror files, they are renamed newfile.log and newfile.mlg respectively.

If oldfile contains dbspace files, an E (for encrypted) is added to the file name. For example, when you execute the CREATE ENCRYPTED DATABASE statement, the file mydbspace.dbs is changed to mydbspace.dbsE.

You can use this statement to change the encryption algorithm and key for a database. However, the CREATE ENCRYPTED DATABASE statement produces a new file (newfile), and does not replace or remove the previous version of the file (oldfile).

CREATE ENCRYPTED DATABASE and CREATE ENCRYPTED TABLE DATABASE cannot be executed against a database that requires recovery. These statements are not supported in procedures, triggers, events, or batches.

You can also encrypt an existing database or change an existing encryption key by unloading and reloading the database using the dbunload -an option with either -ek or -ep.

You can also create an encrypted database, or a database with table encryption enabled, using the CREATE DATABASE statement.

Note

Not all platforms support FIPS-certified encryption. For a list of supported platforms, see [external link] http://www.sybase.com/detail?id=1002288.

Permissions

Side effects

Standards and compatibility

Example

The following example creates an encrypted copy of the sample database called demoEnc.db. The new database is encrypted with AES256 encryption.

CREATE ENCRYPTED DATABASE 'demoEnc.db'
   FROM 'demo.db'
   KEY 'Sd8f6654*Mnn'
   ALGORITHM 'AES256';

The following example creates a copy of the sample database called demoTableEnc.db. Table encryption is enabled on the new database. Since a key was specified with no algorithm, AES encryption is used.

CREATE ENCRYPTED TABLE DATABASE 'demoTableEnc.db'
   FROM 'demo.db'
   KEY 'Sd8f6654';

Discuss this page in DocCommentXchange.