
Encrypting an existing Sybase SQL Anywhere 10 database

Former Member

We want to encrypt a Sybase SQL Anywhere version 10 database with AES-FIPS. I went to this document: http://www.sybase.com/detail?id=1054418

It explains how to create a new database, or even change an encryption key on an existing encrypted db. But it does not go into encrypting an existing database.

Any suggestions?

Accepted Solutions (1)


MarkCulp
Participant

Have a look at the CREATE ENCRYPTED FILE statement in the 10.0.1 documentation. You will need to run this statement for each of the files (e.g. main dbspace + dbspaces + transaction log file) that are associated with your database. When you are encrypting a database from a database that is not encrypted, do not include the "OLD key" clause when running the statement.

Note that in v11.0.1 and v12 you can use the CREATE ENCRYPTED DATABASE statement that will do all of the files in one step.


Note that strongly encrypted (as opposed to 'simple' obfuscation) SQL Anywhere databases are always encrypted using AES, and there is no difference between AES and AES_FIPS except for the code that is used to do the actual encryption/decryption. I.e. AES and AES_FIPS are compatible. If you want to encrypt your database with the FIPS implementation of AES then just be sure to start your database server with the -fips switch. Note however that FIPS support is a separately licensed option that you must purchase in order to use it.

Former Member

Thanks for your help. I am actually trying that right now. Here is the syntax I am using in iSQL:

CREATE ENCRYPTED FILE 'c:encrypteddbdatabase.db' FROM 'c:database.db' KEY 'encryptionkey' ALGORITHM 'AES';

Unfortunately it does not work. I get an error message that "database is active" and the statement fails to execute.

I then try the same process without connecting to the existing database in iSQL, thinking it is giving me an error due to being connected to the database. The error I receive when not connected to the database is "You are not connected to a database." Seems sort of like a chicken or the egg scenario. If I am connected to the db I get one error, if I am not I get another.

MarkCulp
Participant

When working on the database files (to create an encrypted copy or to change the key or to decrypt them) the files must not be active, i.e. the database must not be started on any server. Shut down your database and then connect to another database (e.g. use utility_db) and then run the statement(s).

MarkCulp
Participant

Thanks Volker for adding 11.0.1 - I had thought that that feature was new in 12 but you are correct, the feature was added in 11.0.1.

VolkerBarth
Contributor

Well, the help is quite good in showing when a certain feature was added - just type "create encrypted database" in the help index and look for a "version xx new feature" entry or the like.

So the thanks should go to the doc team:)

Former Member

Thanks for the help! I was able to get the database to encrypt by connecting to a different database, but next time will use utility_db.

One crazy thing I noticed is that Sybase stores the ODBC encryption key in the computer's registry, under HKEY_CURRENT_USER\Software\ODBC\dsnname !!!!

This seems rather insecure. Is there a way around this so as not to store a sensitive key in the system's registry in plain text?

VolkerBarth
Contributor

Well, it stores the DBKEY there only if you add it to the DSN...

You can either enter the DBKEY on database start (dbsrv10 -ep) or store it in a configuration file (used with dbsrv10 @data) and encrypt/obfuscate that configuration file via the DBFHide tool...
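
To check which DSNs actually carry a database key, as discussed in the last two posts, here is an added example (not code from any poster in this thread or from the vendor) that parses the text of a registry export of the ODBC key and lists DSNs with a non-empty key value, without revealing the key. The value names `DBKEY` and `DatabaseKey`, the DSN names and the sample export are assumptions constructed for illustration.

```python
import re

# Assumed value names under which a driver may store the database key in a DSN;
# adjust to what the export actually shows. Compared case-insensitively.
KEY_VALUE_NAMES = {"dbkey", "databasekey"}

SECTION_RE = re.compile(r"^\[(?P<path>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"\s*$')

# Constructed sample: decoded text of a `reg export` of the ODBC key
# (reg.exe writes UTF-16; open a real export with encoding="utf-16").
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ODBC\ODBC.INI\constructed_dsn_a]
"Driver"="C:\\constructed\\driver.dll"
"DatabaseFile"="C:\\constructed\\a.db"
"DatabaseKey"="constructed-key-value"

[HKEY_CURRENT_USER\Software\ODBC\ODBC.INI\constructed_dsn_b]
"Driver"="C:\\constructed\\driver.dll"
"DatabaseFile"="C:\\constructed\\b.db"
"DBKEY"=""
'''


def find_dsns_with_stored_key(reg_text):
    """Return [(registry_path, value_name, key_length)]; the key itself is never returned."""
    findings = []
    section = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("path")
            continue
        m = VALUE_RE.match(line)
        if not (m and section and r"\Software\ODBC" in section):
            continue
        if m.group("name").lower() in KEY_VALUE_NAMES and m.group("data"):
            # Undo .reg escaping (\\ and \") only to measure the real length.
            data = re.sub(r"\\(.)", r"\1", m.group("data"))
            findings.append((section, m.group("name"), len(data)))
    return findings


if __name__ == "__main__":
    for path, name, length in find_dsns_with_stored_key(SAMPLE_EXPORT):
        print(f"{path}: {name} is set ({length} chars); remove it from the DSN")
```

Any DSN it reports is a candidate for removing the key from the DSN and supplying it at database start instead, as suggested above.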
