Transparent Data Encryption OpenEdge 10.2B


DESCRIPTION

Transparent Data Encryption OpenEdge 10.2B. Bashkatov V.G., [email protected], www.openedge.ru. Why is database encryption needed? Protecting the business (approximately 65% of companies go bankrupt after losing 20% of their business information) and complying with the law. - PowerPoint PPT Presentation


    Transparent Data Encryption OpenEdge 10.2B, [email protected]

    (812) 438.19.91, 371.00.22; (495) 616.00.53, 616.00.54; http://www.csbi.ru; [email protected]

    Why is database encryption needed? Protecting the business (approximately 65% of companies go bankrupt after losing 20% of their business information) and complying with the law.




    TDE? SAT-II SAT-I


    OpenEdge TDE: 10.2 Enterprise


    TDE?


    How TDE works (diagram): Encrypt / Decrypt on Write I/O and Read I/O; Key Store holding the Database Master Key, protected by the Admin/User Passphrase with Manual/Automatic Authentication; Encryption Policy Area holding the Encryption Policy.


    Key Store: Database Master Key (DMK), DMK Passphrase; not covered by PROBKUP (see message 15525).

    The Key Store: "Your database backup is not complete until you have made an OS backup or copy of your keystore. (15525)"


    Passphrase rules: length 8 to 2048 characters; allowed characters [a-zA-Z0-9]!@#$%^&*()_+-{}[]|\,./?;: ; minimum counts: 1, 2, 1, 0.


    DMK


    The Encryption Policy: defined per table, index or LOB (SAT-II) or per area (SAT-I), plus AI/BI; stored in the Encryption Policy Area; managed with EPOLICY MANAGE, Data Admin or OpenEdge SQL DDL; can be changed online.


    Supported ciphers:

    ID  Algorithm  Mode  Key size (bits)  Format
    0   NULL       NULL  -                -
    1   AES        CBC   128              BINARY
    2   AES        CBC   192              BINARY
    3   AES        CBC   256              BINARY
    4   DES        CBC   56               BINARY
    5   DES3       CBC   168              BINARY
    7   RC4        ECB   128              BINARY


    Step 1: create the Encryption Policy Area (required for SAT-II). Structure file (encrypt.st):

    e "Encryption Policy Area":12,32;64 . f 1024
    e .

    Add it with PROSTRCT ADD / ADDONLINE:

    prostrct add mydb encrypt.st
    prostrct list mydb


    Step 2: enable encryption:

    proutil -C enableencryption [-Cipher <num>] [-Autostart]
                                [-biencryption enable | disable] [-aiencryption enable | disable]

    Database offline with BI truncated; creates the key store (.ks); requires the Encryption Policy Area; prompts for the Passphrase (User/Admin); generates the DMK; optionally enables AI and BI encryption; -Autostart selects Manual/Automatic authentication.


    Step 3: set encryption policies with EPOLICY MANAGE, Data Admin or OpenEdge SQL DDL.


    Step 3: Epolicy Manage

    proutil -C epolicy manage object-type encrypt | cipher | rekey object-name -Cipher <num>

    $ proutil sports -C epolicy manage area encrypt "TestArea1"
    Encryption policy setting for Area TestArea1 in Area 7 (15504)
    Cipher specification setting to AES_CBC_128 completed. (15491)

    $ proutil sports -C epolicy scan area "TestArea1"
    OpenEdge Release 10.2B1B as of Thu Jul 30 19:00:21 EDT 2009
    AREA TestArea1 / 7 CURRENT AES_CBC_128 V:0 79 of 1784 blocks encrypted

    $ proutil sports -C epolicy manage area update "TestArea1"
    OpenEdge Release 10.2B1B as of Thu Jul 30 19:00:21 EDT 2009
    AREA TestArea1 / 7 CURRENT AES_CBC_128 V:0 1705 of 1784 blocks encrypted

    Object types: Area (SAT-I); Table, Index, LOB (SAT-II). Setting a policy only affects blocks written from then on; to apply it to existing data use Dump & Load or PROUTIL EPOLICY MANAGE UPDATE.
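    Added example (not from the slides): a small Python checker that parses the `epolicy scan` output shown above and lists objects whose policy has not yet reached every block, so an operator can confirm that EPOLICY MANAGE UPDATE actually finished. The line layout is assumed from the area output on this page; TABLE/INDEX/LOB lines are assumed to look the same.

```python
import re
from dataclasses import dataclass

# Line shape copied from the `proutil <db> -C epolicy scan` output in the slides:
#   AREA TestArea1 / 7 CURRENT AES_CBC_128 V:0 79 of 1784 blocks encrypted
# Assumption: other object types (TABLE/INDEX/LOB) are printed with the same layout.
SCAN_RE = re.compile(
    r"^(?P<otype>\w+)\s+(?P<name>\S+)\s+/\s+(?P<num>\d+)\s+(?P<state>\w+)\s+"
    r"(?P<cipher>\S+)\s+V:(?P<version>\d+)\s+(?P<done>\d+)\s+of\s+(?P<total>\d+)\s+blocks encrypted$"
)

@dataclass
class ScanEntry:
    otype: str
    name: str
    num: int
    state: str
    cipher: str
    version: int
    done: int
    total: int

    @property
    def complete(self) -> bool:
        # Data is only protected once every block has been rewritten under a real cipher
        return self.cipher != "NULL" and self.done == self.total

def parse_scan(text: str) -> list:
    entries = []
    for line in text.splitlines():
        m = SCAN_RE.match(line.strip())
        if not m:
            continue  # skips the "OpenEdge Release ..." banner and blank lines
        g = m.groupdict()
        entries.append(ScanEntry(g["otype"], g["name"], int(g["num"]), g["state"],
                                 g["cipher"], int(g["version"]), int(g["done"]), int(g["total"])))
    return entries

def pending_objects(text: str) -> list:
    """Objects whose policy is set but not yet applied to every block."""
    return [f"{e.otype} {e.name}: {e.done}/{e.total} ({e.cipher})"
            for e in parse_scan(text) if not e.complete]

# Constructed sample: the two scan results from the slides plus one fully encrypted area.
SAMPLE = """OpenEdge Release 10.2B1B as of Thu Jul 30 19:00:21 EDT 2009
AREA TestArea1 / 7 CURRENT AES_CBC_128 V:0 79 of 1784 blocks encrypted
AREA TestArea1 / 7 CURRENT AES_CBC_128 V:0 1705 of 1784 blocks encrypted
AREA TestArea2 / 8 CURRENT AES_CBC_192 V:0 512 of 512 blocks encrypted
"""
```

Feed the captured scan output to pending_objects(); both TestArea1 lines are reported because 79 and 1705 are both short of 1784, while TestArea2 is silent.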


    Step 3: Data Admin: Admin -> Security -> Encryption Policies -> Edit Encryption Policy (SAT-II objects in the PUB schema). To apply the policy to existing data: D&L or EPOLICY UPDATE.


    Step 3: OpenEdge SQL DDL

    CREATE TABLE PUB.enctab1 (encid int, encdes int, encdt varchar(25)) AREA "TestArea2" ENCRYPT WITH 'AES_CBC_192';
    COMMIT;
    CREATE INDEX idx1 ON PUB.ENCTAB1 (encid ASC) AREA "TestArea2" ENCRYPT WITH 'AES_CBC_192';
    COMMIT;
    ALTER TABLE PUB.ENCTAB1 SET ENCRYPT WITH 'AES_CBC_128';
    COMMIT;
    ALTER TABLE PUB.ENCTAB1 SET ENCRYPT REKEY;
    COMMIT;
    ALTER TABLE PUB.ENCTAB1 SET DECRYPT;
    COMMIT;

    $ proutil sports -C epolicy manage table update ENCTAB1

    SHOW ENCRYPT ON ALL [ TABLE | INDEX | LOB ];

    OBJECT TYPE  OBJECT NAME  OBJECT TABLE  OBJECT OWNER  OBJECT ID  OBJECT POLICY STATE  OBJECT POLICY CIPHERSPEC  POLICY VERSION
    TABLE        ENCTAB1      ENCTAB1       PUB           855        CURRENT              AES_CBC_192               0
    INDEX        IDX1         ENCTAB1       PUB           2428       CURRENT              AES_CBC_192               0
    AREA         TestArea1                                7          CURRENT              AES_CBC_128               0


    Step 3: Data Definition File (.df)

    ADD TABLE "ENCTAB1" AREA "TestArea2" DUMP-NAME "ENCTAB1"

    ADD FIELD "ENCID" OF "ENCTAB1" AS integer FORMAT "->,>>>,>>9" INITIAL "?" POSITION 2 MAX-WIDTH 4 ORDER 10

    ADD FIELD "ENCDT" OF "ENCTAB1" AS character FORMAT "x(8)" INITIAL "?" POSITION 4 MAX-WIDTH 25 LENGTH 0 ORDER 30 CASE-SENSITIVE

    ADD INDEX "IDX1" ON "ENCTAB1" AREA "TestArea2" PRIMARY INDEX-FIELD "ENCID" ASCENDING

    UPDATE TABLE "ENCTAB1" ENCRYPTION YES CIPHER-NAME AES_CBC_192

    .
    PSC
    encpolicy=yes
    cpstream=ibm866
    .
    0000000605

    New in 10.2B: the UPDATE TABLE ... ENCRYPTION YES CIPHER-NAME ... statement and the encpolicy=yes entry in the definition trailer.


    TDE and OpenEdge Replication:

    TDE: Source, Target
    BI: Target
    AI: Target
    Encryption Policy Area
    Key store (dbname.ks): Source


    TDE OpenEdge ReplicationTDE OE Replication offline / online Target Encryption Policy Area Source Target Source Source (dbname.ks) Source Target:Source Target .Target


    Disabling TDE: first set every object's cipher to 0 (NULL) and rewrite its blocks, then disable encryption:

    proutil -C epolicy manage object-type cipher object-name -Cipher 0
    proutil -C epolicy manage object-type update object-name
    proutil -C disableencryption [-Passphrase] [[-userid userid] [-password password]]

    Requires BI truncated (database offline) and AI handled accordingly; the key store .ks is kept as .ksbk.


    Buffer Hit Rate (-B) (-B2) SAT-II ( + )


    OpenEdge 10.2B: Transparent Data Encryption, [email protected]


    * , , , , , . ! , - , , . , , ! ? OpenEdge 10.2B Transparent Data Encryption. , , 152-.

    , , ., , , . OpenEdge TDE OpenEdge - , . , , . TDE.TDE : TDE , , , , . TDE , , , . , TDE . , , , . .

    : TDE , SAT-I, , SAT-II. , .

    : TDE , .. . , . , , . , TDE. -, , 10.2B, .-, TDE , , , OpenEdge Replication, . -, TDE Enterprise .

    , TDE . , , . , , , , . - , , .. .., , . , Database Master Key (DMK). , . Passphrase, : Admin User Passphrase. , , . , TDE, , , , , .. . , Encryption Policy Area., , TDE. . , , .KS. TDE. . Database Master Key, . , . . .. TDE PROBKUP ? , , , . , , . , , PROBKUP. .. , . , . , ? , . , - , , , - . , . , . , Passphrase. Passphrase, , , , , TDE. Passphrase (User), , - . , , ... , Passphrase .Passphrase , , . , . Passphrase . Passphrase. . , . .. , , , Passphrase . , . .. , . Passphrase , . , :Admin Passphrase , .User Passphrase , . Admin/User Passphrase . , c Admin, User Passphrase. User Passphrase, , , Admin Passphrase. , , , - . , . .. , .

    , Database Master Key . , .Advanced Encryption Standard(AES) - ( 128 , 128/192/256 ) DES(Data Encryption Standard)- , , . AES.RC4- , . . , SAT-I, , LOB SAT-II. . BI AI . Encryption Policy Area. .

    Encryption policies are managed through Epolicy Manage, Data Admin, or OE SQL.

    , , online. , 0 ., , . 128 . , , . DES (Triple DES) . , , , , . 56 ; . , DES, , , , PBE Passphrase. ? , , - , , 128 . : . , ,

    Encryption Policy Area, e. Encryption Policy Area Schema Area. SAT-II. , Encryption Policy Area , , . , , 8 . (RPB) , . , , , , PRB BPC.

    , PROUTIL ENABLEENCRYPTION , AI BI . After-Imaging , . online, BI AI BI , .. .

    Schema Area, .

    TDE , . . . , , SAT-I, , SAT-II. , , . , , , , . , . Proutil Epolicy Manage , , , . SAT-I encrypt TestArea1, , , AES-128. , , scan. , 79 1784. , , , .. , , . , , , - . , , , , . .. . , , UPDATE EPOLICY MANGE. , . , online, . Data Admin Edit Encryption Policy. online . , SAT-II, PUB , , Admin Passphrase.


    . , OpenEdge SQL . , .. , LOB , SAT-II CREATE INDEX ENCRYPT WITH. OpenEdge SQL . SAT-II. ALTER TABLE . SET, ENCRYPT REKEY, , LOB . online. REKEY, . SET DECRYPT , , .

    (.df) . 10.2B ENCRYPTION YES CIPHER-NAME . , Progress 10.2B, . encpolicy=yes, , Transparent Data Encryption. TDE OE Replication. : , .. SOURCE TARGET. TARGET SOURCE , , TARGET SOURCE . Before-image TARGET SOURCE . Before-image , online, , offline, Before-image. After-image SOURCE online, offline. TARGET After-image , After-image TARGET . Before-image After-image SOURCE TARGET . , SOURCE Before-image , TARGET . Encryption Policy Area BI AI

    , After-image , , TARGET . , TCP/IP , , After-image . SOURCE . , SOURCE TARGET SOURCE .

    TDE DISABLEENCRYPTION. , :.. .! , , ., , , update. . .

    Disable encryption, , , , .