What is Transparent Data Encryption (TDE)?

Information

Article Number: 000045217
Environment:
Product: OpenEdge
Version: 10.2B, 11.x
OS: All Supported Operating Systems
Other: Transparent Data Encryption
Question/Problem Description
What is Transparent Data Encryption, how does it work and what can be encrypted?
Resolution
The Transparent Data Encryption (TDE) product was introduced in 10.2B.
 
Transparent Data Encryption, as part of an overall security strategy, provides for data privacy while the data is “at rest” in your OpenEdge database, regardless of the location of the database and who has a copy of it.

Controlling access to private data while “at rest”, that is, stored on disk inside your database, is the core of OpenEdge Transparent Data Encryption. OpenEdge combines a choice of cipher algorithms and encryption key lengths, secure storage of encryption keys, and user access controls on those keys to ensure that your data’s encryption cannot be reversed by anyone other than those granted access.
 
Each encrypted database has a single, unique Database Master Key (DMK). The DMK is created and managed by your database administrator, and stored in your database key store, which is separate from your database. Your key store is an independent and secure entity that provides secure storage of data encryption keys and controls access in the form of user accounts.
 
Encryption of your database objects is managed through encryption policies. You define which objects are encrypted and the encryption cipher for the object. Policies are stored in your database in a designated Encryption Policy Area. Object policies use virtual data encryption keys derived from your DMK and the specified cipher. The encryption key for each encrypted database object is unique.
 
"At rest" essentially means on disk, on tape, and similar storage. Database blocks are decrypted when loaded into memory by authorized Progress executables. The entire block is encrypted and decrypted, not individual entries within each block. The encryption and decryption are "transparent" to the connected Progress or SQL92 client.
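The key hierarchy this article describes, as an added Python model that is not OpenEdge code: a key store held separately from the database releases the DMK only to a known user account, each policy entry yields a unique virtual key derived from the DMK and the policy's cipher, and encryption is applied to whole blocks rather than individual records. The HMAC-based derivation, the password hashing and the keystream cipher are assumptions standing in for the product's real algorithms; the policy entries and the 64-byte block are constructed.

```python
import hashlib
import hmac
import secrets
# Constructed model of the TDE key hierarchy described above, not OpenEdge code:
# the KDF, password hashing and keystream cipher are standard-library stand-ins.
class KeyStore:
    """Key store outside the database; the DMK is released only to a known user."""
    def __init__(self, dmk: bytes, user: str, password: str):
        self._dmk = dmk
        self._users = {user: self._hash_pw(password)}

    @staticmethod
    def _hash_pw(password: str) -> bytes:  # fixed salt keeps the demo short
        return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 100_000)

    def open(self, user: str, password: str) -> bytes:
        stored = self._users.get(user)
        if stored is None or not hmac.compare_digest(stored, self._hash_pw(password)):
            raise PermissionError("key store access denied")
        return self._dmk

def can_open(store: KeyStore, user: str, password: str) -> bool:
    try:
        store.open(user, password)
        return True
    except PermissionError:
        return False

def object_key(dmk: bytes, object_name: str, cipher: str) -> bytes:
    """Virtual data-encryption key for one policy entry (assumed HMAC derivation)."""
    return hmac.new(dmk, f"{object_name}|{cipher}".encode(), hashlib.sha256).digest()

def crypt_block(key: bytes, block_no: int, block: bytes) -> bytes:
    """Encrypt or decrypt a whole block with a per-block keystream (stand-in for AES)."""
    stream = b""
    while len(stream) < len(block):
        ctr = (len(stream) // 32).to_bytes(4, "big")
        stream += hmac.new(key, block_no.to_bytes(8, "big") + ctr, hashlib.sha256).digest()
    return bytes(b ^ s for b, s in zip(block, stream))

def demo() -> dict:
    store = KeyStore(secrets.token_bytes(32), "dba", "correct horse")
    policy = {"Customer": "AES_CBC_256", "Order": "AES_CBC_128"}  # constructed policy area
    dmk = store.open("dba", "correct horse")
    keys = {obj: object_key(dmk, obj, cipher) for obj, cipher in policy.items()}
    block = b"Customer 42: Alice".ljust(64, b"\0")  # constructed 64-byte database block
    on_disk = crypt_block(keys["Customer"], 7, block)  # what a backup or disk copy holds
    return {"unique_keys": keys["Customer"] != keys["Order"], "disk_differs": on_disk != block,
            "round_trip": crypt_block(keys["Customer"], 7, on_disk) == block,
            "guest_denied": not can_open(store, "guest", "x")}
```

Because whole blocks are transformed, a copy of the database file or a probkup backup carries only the ciphertext; only a process that can open the key store can turn blocks back into readable records.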
 
The Transparent Data Encryption product must be installed in conjunction with an Enterprise Database license.
 
What can be encrypted:
Type 1 Areas: the entire Type 1 area must be encrypted.
Type 2 Tables
Type 2 Indexes
Type 2 LOBs
Before Image (BI) files: encrypted by default.
After Image (AI) files: encrypted by default.
Backup files created with probkup: always encrypted.
Binary dump files: not encrypted by default.
Audit archive: not encrypted by default.
 
Type 2 Areas cannot be encrypted at the Area level; in Type 2 areas, encryption is applied per table, index or LOB object.
Notes
References to Other Documentation:
OpenEdge Data Management: Database Administration, Chapter 10: "Transparent Data Encryption"
OpenEdge Getting Started: Core Business Services - Security and Auditing, "Transparent Data Encryption"
 
Last Modified Date: 11/3/2015 6:29 PM