Overview of ASE database encryption
Beginning with version 16.0, SAP ASE supports the Database Encryption feature, which encrypts data at rest without requiring changes to applications. Encryption can be applied to entire databases or only to columns. This ensures that only authorized users can access the data and protects it against theft and security breaches.
Data is encrypted with the help of encryption keys. These encryption keys are stored in the database in an encrypted form. You can encrypt an encryption key using a key encryption key (KEK).
In SAP ASE Database Encryption, both column and database encryption use a symmetric encryption algorithm, which means that the same key is used for encryption and decryption. SAP ASE tracks the key that encrypts the data.
Starting with version 6.0.8.0, the Delphix Engine supports SAP ASE encrypted databases.
For more information on SAP ASE Database Encryption, see the SAP ASE Encryption Documentation.
Delphix implementation of database encryption
This topic describes various configurations to support encrypted databases with Delphix. Follow the mandatory steps below on the ASE instance that hosts the staging databases and virtual databases.
If the source database is not already encrypted:
Install the license option ASE_ENCRYPTION.
Create a master key that will serve as the KEK.
Command
create encryption key master with passwd "sybase"
If the database is not encrypted already, create the database encryption key and use it.
Commands
create encryption key <encryption-key-name> for database encryption
sp_configure "number of worker processes", 2
alter database <database-name> encrypt with <encryption-key-name>
Export the master key and the encryption key to a location that is shared among the source, staging, and target hosts. The command-line version of the ddlgen tool is located at $SYBASE/$SYBASE_ASE/bin. If ddlgen is in a different location on your instance, use that location instead.
cd $SYBASE/$SYBASE_ASE/bin
ddlgen -Usa -Psybase -SASE160_SRC -TEK -N master.dbo.master -XOD -O<shared-path>/master_ddl.sql
ddlgen -Usa -Psybase -SASE160_SRC -TEK -N master.dbo.<key_name> -XOD -O<shared-path>/<key_name>_ddl.sql
Enable encryption in SAP ASE by executing the below command on the staging/target instance.
Command
sp_configure 'enable encrypted columns', 1
Import the keys on the staging and target instances by running the commands below from the directory that contains the exported SQL files (the location shared between the instances), or specify the full path of each file to import.
isql -Usa -Psybase -SASE160_TGT -w 220 -i master_ddl.sql
isql -Usa -Psybase -SASE160_TGT -w 220 -i <key_name>_ddl.sql
Set the encryption password by executing the below command on the staging/target instance.
Command
set encryption passwd "sybase" for key master
Set up automatic master key access. Refer to "Create the master key start-up file". To avoid problems with the master key password after the ASE instance is rebooted, create a master key startup file by running the following steps on the staging and target instances.
Command
sp_configure 'automatic master key access',1
Command
alter encryption key master with passwd 'sybase' add encryption for automatic_startup
Command
sp_encryption mkey_startup_file,default_location,sync_with_mem
Verify that the master key startup file has been successfully created on the instance.
Command
sp_encryption mkey_startup_file
Reboot the ASE instance for the master key startup file to take effect.
If you reboot, or plan to reboot, the source host, repeat step 4 on the source host as well. You then do not need to set the master key password again after the reboot.
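A pre-flight check for the key import step above, as an added example that is not part of the Delphix or SAP documentation: the shared location holds the exported master key and database encryption key, and the import runs under the sa login, so it checks the directory and file permissions before isql is called. The function names and usage values are hypothetical; the file names assume the ddlgen -O names used on this page.

```shell
#!/bin/sh
# Added example, not Delphix or SAP code. Pre-flight check to run on the
# staging/target host before importing the exported key DDL with isql.
# Assumptions: the file names are the ddlgen -O names used on this page;
# the directory and key name arguments are supplied by the operator.
# Usage (hypothetical values): preflight_import /mnt/ase_keys mydbkey

# Fail if the shared directory is world-writable: another local user may
# then be able to plant or replace a DDL file that isql later runs as sa.
check_shared_dir() {
    if [ ! -d "$1" ]; then
        echo "FAIL $1: not a directory"; return 1
    fi
    case $(ls -ld -- "$1" | cut -c1-10) in
        ????????w?) echo "FAIL $1: world-writable"; return 1 ;;
    esac
    return 0
}

# Fail unless the file is a regular, non-empty file with no group/other
# permission bits (characters 5-10 of the ls mode string are all "-").
check_key_file() {
    if [ -L "$1" ] || [ ! -f "$1" ]; then
        echo "FAIL $1: missing or not a regular file"; return 1
    fi
    if [ ! -s "$1" ]; then
        echo "FAIL $1: empty"; return 1
    fi
    if [ "$(ls -ld -- "$1" | cut -c5-10)" != "------" ]; then
        echo "FAIL $1: accessible by group/other"; return 1
    fi
    return 0
}

# Check the directory and both key files; report every problem, not just
# the first, and return non-zero if anything failed.
preflight_import() {
    pf_dir=$1 pf_key=$2 pf_rc=0
    check_shared_dir "$pf_dir" || pf_rc=1
    for pf_file in "$pf_dir/master_ddl.sql" "$pf_dir/${pf_key}_ddl.sql"; do
        check_key_file "$pf_file" || pf_rc=1
    done
    [ "$pf_rc" -eq 0 ] && echo "OK: key DDL files in $pf_dir pass the checks"
    return "$pf_rc"
}
```

Run it on each staging and target host and proceed to the isql import only when it returns 0.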