To create a new database with strong encryption, you can use:
The Database Initialization utility (dbinit) in combination with various options to enable strong encryption.
The dbinit -ek and -ep options create a database with strong encryption: -ek specifies the encryption key on the command line, and -ep prompts for it in a dialog box. The dbinit -ea option sets the encryption algorithm to AES or AES_FIPS for the FIPS-approved algorithm. See Initialization utility (dbinit).
The ENCRYPTION clause in the CREATE DATABASE statement. The KEY option sets the encryption key and the ALGORITHM option sets the encryption algorithm to AES or AES_FIPS for the FIPS-approved algorithm. See CREATE DATABASE statement.
You can also use the Sybase Central Create Database wizard to create a strongly encrypted database.
The Unload Database utility (dbunload) with options to create a new database with strong encryption. The -an option creates a new database. To specify strong encryption, use the -ek option to supply the encryption key on the command line, or the -ep option to be prompted for it in a dialog box. The -ea option sets the encryption algorithm to AES or AES_FIPS for the FIPS-approved algorithm.
You can also use the Sybase Central Unload Database wizard to create a strongly encrypted database.
For more information, see Using the Unload Database wizard and Unload utility (dbunload).
Connect to an existing database from Interactive SQL.
Execute a CREATE DATABASE statement that includes the ENCRYPTION clause and the KEY and ALGORITHM options.
For example, the following statement creates a database file named myencrypteddb.db in the c:\ directory using FIPS-approved AES encryption.
CREATE DATABASE 'c:\\myencrypteddb' TRANSACTION LOG ON ENCRYPTED ON KEY '0kZ2o52AK#' ALGORITHM 'AES_FIPS';
At a command prompt, use the dbinit utility to create a database. You must include -ek or -ep to specify the encryption key at the command prompt or in a dialog box, respectively.
The following command creates a strongly encrypted database and specifies the encryption key and algorithm.
dbinit -ek "0kZ2o56AK#" -ea AES_FIPS "myencrypteddb.db"
Start the database from the command prompt.
dbeng10 myencrypteddb.db -ek "0kZ2o56AK#"
For more information about the encryption key, see DatabaseKey connection parameter [DBKEY].
If you have a database you want to encrypt, you can do so using the CREATE ENCRYPTED FILE statement. This statement does not overwrite the file; it creates a copy of the file in encrypted form.
Note: You cannot encrypt a database if table encryption is enabled. Instead, you must recreate the database without table encryption.
Encrypt an unencrypted database using the CREATE ENCRYPTED FILE statement.
The following example takes the database file current.db, and creates an encrypted copy of it named encrypted.db.
CREATE ENCRYPTED FILE encrypted.db FROM current.db KEY abc ALGORITHM AES;
Using the same encryption key information, and following the file name convention you used for the database file, encrypt the associated transaction log file(s), dbspace file(s), and mirror log file (if any), using the CREATE ENCRYPTED FILE statement. See CREATE ENCRYPTED FILE statement.
Note: Although you can use the CREATE ENCRYPTED FILE statement to encrypt an unencrypted database, you cannot use the statement to enable only table encryption for a database that does not have encryption enabled. To enable encryption on a database, you must recreate the database and enable table encryption. See Enabling table encryption.
You can decrypt a database using the CREATE DECRYPTED FILE statement. As with the CREATE ENCRYPTED FILE statement, you are creating a copy of the file (in this case, in decrypted form), and not actually overwriting the file. You must remember to decrypt not only the database file, but also the associated transaction log files, and dbspace(s). See CREATE DECRYPTED FILE statement.
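The statements below are an added example, not part of the original documentation, showing the companion-file step of the encryption procedure and the matching decryption described above. The file names current.log, extra.dbs, current.mlg and the decrypted.* names are assumed for illustration; the key and algorithm are the ones from the page's own example, written here as quoted strings.

```sql
-- Added example. Every file that belongs to the database is encrypted
-- with the SAME key and algorithm as the database file itself, and the
-- copies follow the same naming convention (current.* -> encrypted.*).

-- Database file (the statement from the page's example)
CREATE ENCRYPTED FILE 'encrypted.db'  FROM 'current.db'  KEY 'abc' ALGORITHM 'AES';

-- Transaction log (assumed name: current.log)
CREATE ENCRYPTED FILE 'encrypted.log' FROM 'current.log' KEY 'abc' ALGORITHM 'AES';

-- Additional dbspace (assumed name: extra.dbs)
CREATE ENCRYPTED FILE 'encrypted_extra.dbs' FROM 'extra.dbs' KEY 'abc' ALGORITHM 'AES';

-- Mirror log, only if the database has one (assumed name: current.mlg)
CREATE ENCRYPTED FILE 'encrypted.mlg' FROM 'current.mlg' KEY 'abc' ALGORITHM 'AES';

-- Decryption is the reverse operation and also produces copies.
-- The KEY is the one the source files were encrypted with, and the
-- transaction log and dbspace must be decrypted along with the database.
CREATE DECRYPTED FILE 'decrypted.db'  FROM 'encrypted.db'  KEY 'abc';
CREATE DECRYPTED FILE 'decrypted.log' FROM 'encrypted.log' KEY 'abc';
CREATE DECRYPTED FILE 'decrypted_extra.dbs' FROM 'encrypted_extra.dbs' KEY 'abc';
```

Because each statement writes a new copy, the unencrypted source files remain on disk after encryption, and the decrypted copies hold the data in the clear.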