Encrypting database and log files
Encryption of the entire database (database and log files) is enabled with the command-line option -E, combined with either -x keypwdfile:filename or -S password.
Before you begin
The procedure for encrypting database and log files is the same regardless of whether you want to use DES or GSKit encryption.
To use DES encryption, ensure that General.UseEncryption is set to yes and General.UseGSKit is set to no.
To use GSKit encryption, ensure that General.UseGSKit is set to yes, and General.GSKitPath points to the directory where the GSKit library is located.
About this task
The -E option in the solidDB® startup command invokes database encryption. The database can be encrypted when creating a new database or when starting an existing database.
An encryption password is needed to protect the symmetric encryption key which is stored in an unencrypted header page of the database file. The encryption password is mandatory when -E is specified. The minimum length of the password is three characters. If you specify an empty password, the encryption key is left unprotected.
– The -x keypwdfile:filename option provides the encryption password from a file.
– The -S encryption_password option provides the encryption password as part of the startup command.
Note: Providing the password within the startup command is not secure on most systems. For example, on UNIX systems, the password can be seen in the ps command output. Use the -S option only for debugging or evaluation purposes.
If you want to create an encrypted database with an externally authenticated database administrator, include the -p option and omit the -P password option that specifies the administrator password.
Creating an encrypted database with an internally authenticated database administrator
Procedure
1 To use DES encryption, ensure that General.UseEncryption is set to yes (default) and General.UseGSKit is set to no (default).
[General]
UseEncryption=yes
UseGSKit=no
2 To create an encrypted database, include the -E and -x keypwdfile:<filename> options in the solidDB® startup command.
For example:
solid -C mycatalog -U admin -P admin123 -E -x keypwdfile:pwd.txt
Alternatively, you can use the -S <encryption_password> option to specify the encryption password as part of the startup command. For example:
solid -C mycatalog -U admin -P admin123 -E -S admin456
Creating an encrypted database with an externally authenticated database administrator
Procedure
1 To use GSKit encryption, ensure that General.UseGSKit is set to yes and General.GSKitPath points to the directory where the GSKit library is located.
[General]
UseGSKit=yes
GSKitPath=valid_directory_path
2 To create an encrypted database where the database administrator is authenticated externally, include the -p, -E, and -x keypwdfile:<filename> options and omit the -P <password> option in the solidDB® startup command.
For example:
solid -p -C DBA -U soliduser1 -E -x keypwdfile:pwd.txt
The option -p specifies that the database administrator with user name soliduser1 is created as an externally authenticated user.
Tip: Alternatively, you can use the -S <encryption_password> option to specify the encryption password as part of the startup command. For example:
solid -p -C DBA -U soliduser1 -E -S admin456
Encrypting an existing database
Before you begin
The procedure for encrypting database and log files is the same regardless of whether you want to use DES or GSKit encryption.
To use DES encryption, ensure that General.UseEncryption is set to yes and General.UseGSKit is set to no.
To use GSKit encryption, ensure that General.UseGSKit is set to yes, and General.GSKitPath is set to point to the directory where the GSKit library is located.
Procedure
To encrypt an existing database, include the -E and -x keypwdfile:<filename> options in the solidDB® startup command.
For example:
solid -U admin -P admin123 -E -x keypwdfile:pwd.txt
Alternatively, you can use the -S <encryption_password> option to specify the encryption password as part of the startup command. For example:
solid -U admin -P admin123 -E -S admin456
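The following POSIX shell wrapper is an added example, not part of the solidDB documentation. It refuses the -S option and, before starting the server, verifies that the file given to -x keypwdfile: is accessible only to its owner and holds a password of at least three characters. The function names and the layout of the password file (the password alone on the first line) are assumptions.

```shell
# Added example: pre-start checks for the file named in -x keypwdfile:<filename>.
# Assumption: the file holds only the encryption password, on its first line.

MIN_PW_LEN=3   # minimum password length stated in this topic

# check_keypwdfile FILE: returns 0 if usable, otherwise 1 (not a regular
# file), 2 (accessible beyond the owner) or 3 (password empty or too short).
check_keypwdfile() {
    f=$1
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "keypwdfile: $f is missing, a symlink, or not a regular file" >&2
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "keypwdfile: $f grants access to group/other ($perms)" >&2
        return 2
    fi
    pw=
    IFS= read -r pw < "$f" || :   # read fails at EOF without a newline
    len=${#pw}
    unset pw
    if [ "$len" -lt "$MIN_PW_LEN" ]; then
        echo "keypwdfile: password has fewer than $MIN_PW_LEN characters" >&2
        return 3
    fi
    return 0
}

# cmdline_exposes_password ARGS...: returns 0 if -S is among the arguments,
# which would put the encryption password in the ps output; 1 otherwise.
cmdline_exposes_password() {
    for a in "$@"; do
        if [ "$a" = "-S" ]; then return 0; fi
    done
    return 1
}

# start_encrypted FILE SOLID_ARGS...: run both checks, then start the server.
start_encrypted() {
    f=$1; shift
    if cmdline_exposes_password "$@"; then
        echo "refusing to start: -S exposes the encryption password" >&2
        return 4
    fi
    check_keypwdfile "$f" || return $?
    solid "$@" -E -x "keypwdfile:$f"
}
```

For example, `start_encrypted pwd.txt -C mycatalog -U admin -P admin123` runs the checks and then issues the first startup command shown in this topic.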
See also
Encryption