
Need advice/steps setting up TDE on ASE 16 with 70 dbs mix of rep/non-rep dbs refreshed to targets

db1231
Newcomer
0 Kudos

Is there a write-up of the commands to set up Sybase TDE encryption at rest on the prod - DR servers with a mix of replicated and non-replicated dbs and a daily refresh to the UAT for selective dbs? For example, if I have 70 dbs on an ASE server, do I need to create 70 encryption keys and decrypt/encrypt with every database scheduled daily? Tried following manuals, not getting it right.

c_baker
Product and Topic Expert
0 Kudos

You can use one DEK for all databases.

Once encrypted, you do not have to decrypt a database. Use 'transfer encryption key' (https://help.sap.com/docs/SAP_ASE/e0d4539d39c34f52ae9ef822c2060077/ab8a5e079bae4204b0be90db9e115d06....) to extract the master key and the DEKs from the source ASE and install them into the target/replica ASE so loads/replication work.

Chris

c_baker
Product and Topic Expert
0 Kudos
Apologies. The writeup you are looking for is probably the 'Database Encryption' doc at https://help.sap.com/docs/SAP_ASE/833788dd3e9c413799014a0fd002d0b2/a6648bc9bc2b1014b48885ebe86c6f54....
c_baker
Product and Topic Expert
0 Kudos

I would also recommend using a master key so automatic master key access can be configured for the ASEs so they start up with access to the encrypted databases. Otherwise encrypted databases cannot be accessed during recovery when the ASE server starts until a session is connected and unlocks the master key (step 2 below).
The steps to set up automatic master key access are:
1. Create/transfer master key
2. set encryption passwd '<master key password>' for key master
3. sp_configure "automatic master key access", 1
4. alter encryption key master with passwd '<password>' add encryption for automatic_startup
5. create/transfer DEK(s)
The encrypted master key (step 4) is stored by default at a location shown by 'sp_encryption mkey_startup_file, null' and can be changed before running step 4, but must be in a folder readable by the ASE when it starts. 

Chris
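
The five steps above as an isql script for the source ASE, with one DEK shared by several databases. This is an added example, not part of the original posts or SAP's documentation; the key name `tde_dek`, the database names and the password placeholder are assumptions, and the key transfer to the target/replica ASE is left to the 'transfer encryption key' documentation linked above.

```sql
-- Added example. Run as a login with sso_role on the source ASE.
-- Assumed names: tde_dek (DEK), salesdb / hrdb (user databases).
-- Replace <master key password> with the real password; never store it in the script.
use master
go

-- Prerequisite for creating encryption keys (requires the encryption license).
sp_configure 'enable encrypted columns', 1
go

-- Step 1: create the master key (on a target ASE it is transferred instead).
create encryption key master with passwd '<master key password>'
go

-- Step 2: unlock the master key for this session.
set encryption passwd '<master key password>' for key master
go

-- Step 3: let the server unlock the master key by itself at startup.
sp_configure 'automatic master key access', 1
go

-- Show where the startup copy of the master key will be written.
-- Change the location before step 4 if the default is not suitable;
-- the folder must be readable by the ASE when it starts.
sp_encryption mkey_startup_file, null
go

-- Step 4: write the encrypted master key copy used for automatic startup.
alter encryption key master with passwd '<master key password>'
    add encryption for automatic_startup
go

-- Step 5: create ONE database encryption key, protected by the master key.
create encryption key tde_dek for database encryption
go

-- Encrypt existing databases with the same DEK; repeat per database.
-- Encryption is a one-time operation, so the daily refresh does not repeat it.
alter database salesdb encrypt with tde_dek
go
alter database hrdb encrypt with tde_dek
go
```

The startup file from step 4 unlocks every encrypted database on the server, so restrict its directory to the ASE service account and keep it out of shared backup locations.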