Encrypt an Existing Database

In SAP ASE version 16.0, you can encrypt an unencrypted database using the alter database command.

Depending on the size of the database, encryption might can take a while. For this reason, the command returns as soon as the database is marked for encryption. Encryption occurs in the background and the process is transparent to users. To check on the status and progress of database encryption, run the sp_helpdb system procedure, the dbencryption_status() built-in function, or the SAP Control Center user interface. Keep in mind:

Database encryption occurs while the database is online. This means the database is accessible by other users while it is being encrypted, and does not require you to put it into single-user mode.
The encryption process does not interrupt any user queries, updates, or insert operations on the database.
You can suspend and resume database encryption, so that you can resume encrypting the database after restarting SAP ASE.
The encryption operation is executed page by page.
You cannot alter archive databases for encryption and decryption.
SAP ASE records the encryption progress of a database and provides utilities to report its status.

Restrictions:

You cannot encrypt the master, model, dbccdb, and dbccalt databases.
You cannot decrypt a database that is in the process of being encrypted, or encrypt a database that is being decrypted.
You cannot unmount a database while it is in the process of being encrypted.
You cannot load another database on top of a database that is being encrypted.
Do not execute commands that shrink database size when the database is being encrypted.

The syntax is:

alter database database_name
{encrypt with key_name [parallel degree_of_parallelism]
| resume encryption [parallel degree_of_parallelism]
| suspend encryption
}

where:

encrypt with key_name instructs SAP ASE to encrypt the database using key_name.
Specifically, the command retrieves the corresponding key ID from the sysencryptkeys system table in the master database and set the encrkeyid column in its related sysdatabases row.
SAP ASE fails to run alter database and displays an error message if the database is already:
- Encrypted with another key.
- Being encrypted.
If you run this command on a partially encrypted database that is not currently being encrypted, SAP ASE treats the command as if you specified the resume encryption option, as long as the key name is the same as the previously specified key.
parallel degree_of_parallelism determines how many worker threads to initiate for the task.
Create a thread for each database storage virtual device, as long as the number is equal to or fewer than "number of worker processes" configuration. The degree_of_parallelism number should be no larger than the number of database devices because additional worker threads do not improve encryption performance. If you do not specify degree_of_parallelism, SAP ASE internally defines the value based on the number of online engines, as well as how the database is distributed across various devices.
resume encryption resumes the encryption process from the page where encryption was previously suspended.
The command fails if:
- There is an encryption process already running in SAP ASE.
- Encryption was never started on the database.
- The encryption process already completed.
You can use parallel degree_of_parallelism with resume encrypt.
suspend encryption terminates all encryption worker threads that are encrypting data. SAP ASE records the progress of encryption so that resume encryption can restart encryption where the previous encryption process stopped. SAP ASE ignores this command if there is no encryption in progress.

This example alters an existing database called existdb for encryption using an encryption key called dbkey:

alter database existdb encrypt with dbkey

The example does not specify the parallel degree, leaving it up to SAP ASE to determine how many worker threads should be initiated to encrypt existdb in parallel.

In addition to the parallel degree, another major factor that affects database encryption performance is the buffer pool size. A sufficient buffer cache and appropriate size of buffer pool enable SAP ASE to load a large chunk of pages into memory for every disk read, perform encryption, and write them back.

The following example shows the steps you can take to configure both the buffer cache and buffer pool size for a database called demodb that will be encrypted:

Create a specific data cache for demodb:
```
sp_cacheconfig demodb_cache, '10M'
```
This creates a named buffer cache called demodb_cache with 10MB of space for database pages.
Create the specific size of buffer pool . The buffer pool size should be 8 times of database page size. For example, the database page size is 2K by default, therefore the buffer pools size should be 8 x 2 = 16K:
```
sp_poolconfig demodb_cache, '10M' , '16k'
```
This creates a 10MB buffer pool of buffers with a size that is 16K in the named cache called demodb_cache.
Bind the database to the buffer cache:
```
sp_bindcache demodb_cache, demo_db
```