In SAP ASE version 16.0, you can encrypt an unencrypted database using the alter database command.
Depending on the size of the database, encryption might take a while. For this reason, the command returns as soon as the database is marked for encryption. Encryption occurs in the background and the process is transparent to users. To check on the status and progress of database encryption, run the sp_helpdb system procedure, the dbencryption_status() built-in function, or the SAP Control Center user interface.
Keep in mind:
- Database encryption occurs while the database is online. This means the database
is accessible by other users while it is being encrypted, and does not require
you to put it into single-user mode.
- The encryption process does not interrupt any user queries, updates, or insert
operations on the database.
- You can suspend and resume database encryption, so that you can resume
encrypting the database after restarting SAP ASE.
- The encryption operation is executed page by page.
- You cannot alter archive databases for encryption and decryption.
- SAP ASE records the encryption progress of a database and provides utilities to
report its status.
Restrictions:
- You cannot encrypt the master, model,
dbccdb, and dbccalt databases.
- You cannot decrypt a database that is in the process of being encrypted, or
encrypt a database that is being decrypted.
- You cannot unmount a database while it is in the process of being
encrypted.
- You cannot load another database on top of a database that is being
encrypted.
- Do not execute commands that shrink database size when the database is being
encrypted.
The syntax is:
alter database database_name
{encrypt with key_name [parallel degree_of_parallelism]
| resume encryption [parallel degree_of_parallelism]
| suspend encryption
}
where:
- encrypt with key_name instructs SAP ASE to encrypt the database using key_name.
  Specifically, the command retrieves the corresponding key ID from the sysencryptkeys system table in the master database and sets the encrkeyid column in its related sysdatabases row.
  SAP ASE fails to run alter database and displays an error message if the database is already:
  - Encrypted with another key.
  - Being encrypted.
  If you run this command on a partially encrypted database that is not currently being encrypted, SAP ASE treats the command as if you specified the resume encryption option, as long as the key name is the same as the previously specified key.
- parallel degree_of_parallelism determines how many worker threads to initiate for the task.
  Create a thread for each database storage virtual device, as long as that number does not exceed the "number of worker processes" configuration parameter. The degree_of_parallelism number should be no larger than the number of database devices because additional worker threads do not improve encryption performance. If you do not specify degree_of_parallelism, SAP ASE internally defines the value based on the number of online engines, as well as how the database is distributed across various devices.
- resume encryption resumes the encryption process from the page where encryption was previously suspended.
  The command fails if:
  - There is an encryption process already running in SAP ASE.
  - Encryption was never started on the database.
  - The encryption process already completed.
  You can use parallel degree_of_parallelism with resume encryption.
- suspend encryption terminates all encryption worker threads
that are encrypting data. SAP ASE records the progress of encryption so that
resume encryption can restart encryption where the previous
encryption process stopped. SAP ASE ignores this command if there is no
encryption in progress.
This example alters an existing database called existdb for encryption using an encryption key called dbkey:
alter database existdb encrypt with dbkey
The example does not specify the parallel degree, leaving it up to SAP ASE to determine how many worker threads should be initiated to encrypt existdb in parallel.
In addition to the parallel degree,
another major factor that affects database encryption performance is the buffer pool
size. A sufficient buffer cache and appropriate size of buffer pool enable SAP ASE to
load a large chunk of pages into memory for every disk read, perform encryption, and
write them back.
The following example shows the steps you can take to configure both the buffer cache and buffer pool size for a database called demodb that will be encrypted:
- Create a specific data cache for demodb:
sp_cacheconfig demodb_cache, '10M'
This creates a named buffer cache called demodb_cache with 10MB of space for database pages.
- Create a buffer pool of the specific size. The buffer pool size should be 8 times the database page size. For example, the database page size is 2K by default, so the buffer pool size should be 8 x 2 = 16K:
sp_poolconfig demodb_cache, '10M', '16K'
This creates a 10MB buffer pool of 16K buffers in the named cache called demodb_cache.
- Bind the database to the buffer cache:
sp_bindcache demodb_cache, demodb
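The sizing checks and the encrypt, suspend and resume cycle described above, put together as one isql session. This is an added example, not part of the original SAP documentation. It assumes demodb is bound to demodb_cache as in the steps above, that a database encryption key named dbkey already exists in master, and that a parallel degree of 2 suits the device layout. The two-argument form of dbencryption_status() is an assumption, since the page names the function without its arguments, so check it against the reference manual.

```sql
-- Added example: demodb, dbkey and the parallel degree of 2 are illustrative.
use master
go
-- Upper bound for the parallel degree: devices that hold demodb.
-- Extra worker threads beyond this do not speed up encryption.
select count(distinct vdevno) as device_count
from master..sysusages
where dbid = db_id('demodb')
go
-- The parallel degree must also fit within this configuration value.
sp_configure 'number of worker processes'
go
-- Buffer pool size to configure: 8 x the server page size, in KB.
select (@@maxpagesize * 8) / 1024 as pool_size_kb
go
-- Start encryption. The command returns once the database is marked;
-- the page-by-page work continues in the background while demodb is online.
alter database demodb encrypt with dbkey parallel 2
go
-- Confirm that the key ID was recorded in the sysdatabases row.
select name, encrkeyid
from master..sysdatabases
where name = 'demodb'
go
-- Poll status and progress (argument form assumed, see the lead-in).
select dbencryption_status('status', db_id('demodb')) as enc_status,
       dbencryption_status('progress', db_id('demodb')) as enc_progress
go
-- Stop the worker threads, for example before a planned restart.
-- Progress is recorded, so no encrypted pages are redone later.
alter database demodb suspend encryption
go
-- Continue from the page where encryption stopped.
alter database demodb resume encryption parallel 2
go
-- sp_helpdb also reports the encryption state of the database.
sp_helpdb demodb
go
```

Do not unmount demodb, load another database over it, or shrink it until the status query reports that encryption has finished.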