We want to encrypt a Sybase SQL Anywhere version 10 database with AES-FIPS. I went to this document: http://www.sybase.com/detail?id=1054418

It explains how to create a new database, or even change an encryption key on an existing encrypted db. But it does not go into encrypting an existing database.

Any suggestions?

asked 26 Feb '13, 18:12

ESP


Have a look at the CREATE ENCRYPTED FILE statement in the 10.0.1 documentation. You will need to run this statement for each of the files (e.g. main dbspace + dbspaces + transaction log file) that are associated with your database. When you are encrypting a database that is not already encrypted, do not include the "OLD KEY" clause when running the statement.

Note that in v11.0.1 and v12 you can use the CREATE ENCRYPTED DATABASE statement that will do all of the files in one step.


Note that strongly encrypted (as opposed to 'simple' obfuscation) SQL Anywhere databases are always encrypted using AES, and there is no difference between AES and AES_FIPS except for the code that is used to do the actual encryption/decryption. I.e. AES and AES_FIPS are compatible. If you want to encrypt your database with the FIPS implementation of AES then just be sure to start your database server with the -fips switch. Note however that FIPS support is a separately licensed option that you must purchase in order to use it.

answered 26 Feb '13, 18:59

Mark Culp

edited 27 Feb '13, 03:52

Volker Barth

Thanks for your help. I am actually trying that right now. Here is the syntax I am using in iSQL:

```sql
CREATE ENCRYPTED FILE 'c:\encrypteddb\database.db'
    FROM 'c:\database.db'
    KEY 'encryptionkey'
    ALGORITHM 'AES';
```

Unfortunately it does not work. I get an error message that "database is active" and the statement fails to execute.

I then try the same process without connecting to the existing database in iSQL, thinking it is giving me an error due to being connected to the database. The error I receive when not connected to the database is "You are not connected to a database." Seems sort of like a chicken or the egg scenario. If I am connected to the db I get one error, if I am not I get another.

(26 Feb '13, 19:14) ESP

When working on the database files (to create an encrypted copy or to change the key or to decrypt them) the files must not be active. i.e. the database must not be started on any server. Shutdown your database and then connect to another database (e.g. use utility_db) and then run the statement(s).

(26 Feb '13, 19:17) Mark Culp

Thanks, Volker, for adding 11.0.1 - I had thought that that feature was new in 12, but you are correct, the feature was added in 11.0.1.

(27 Feb '13, 07:26) Mark Culp

Well, the help is quite good in showing when a certain feature was added - just type "create encrypted database" in the help index and look for a "version xx new feature" entry or the like.

So the thanks should go to the doc team:)

(27 Feb '13, 08:43) Volker Barth

Thanks for the help! I was able to get the database to encrypt by connecting to a different database, but next time will use utility_db.

One crazy thing I noticed is that Sybase stores the ODBC encryption key in the computer's registry, under HKEY_CURRENT_USER\Software\ODBC\dsnname !!!!

This seems rather insecure. Is there a way around this so as not to store a sensitive key in the system's registry in plain text?

(01 Mar '13, 12:22) ESP

Well, it stores the DBKEY there only if you add it to the DSN...

You can either enter the DBKEY on database start (dbsrv10 -ep) or store it in a configuration file (used with dbsrv10 @data) and encrypt/obfuscate that configuration file via the DBFHide tool...

(01 Mar '13, 12:31) Volker Barth
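The whole procedure from the answer and the comments above, written out as one script. This is an added example, not code from the original thread or from Sybase; it follows the CREATE ENCRYPTED FILE / CREATE ENCRYPTED DATABASE syntax as described in the answer. The file names (c:\database.db, c:\database.log, the c:\encrypteddb output directory), the key 'encryptionkey' and the server name and credentials in the comments are placeholders I chose, not values from the page.

```sql
-- Added example: encrypting an existing, unencrypted SQL Anywhere 10
-- database with CREATE ENCRYPTED FILE, one statement per file.
-- Assumptions (not from the original thread): source files are
-- c:\database.db and c:\database.log, c:\encrypteddb already exists,
-- and <server> / <utility-db-password> are placeholders.
--
-- Step 0: the files being copied must not be active. Stop the database
-- (or the whole server) first, then run this script from dbisql while
-- connected to a DIFFERENT database, e.g. the utility database:
--   dbisql -c "UID=DBA;PWD=<utility-db-password>;ENG=<server>;DBN=utility_db"
-- Running it while connected to c:\database.db fails with "database is
-- active"; running it with no connection at all fails with
-- "You are not connected to a database".
--
-- Path note: SQL Anywhere string literals only treat \n, \x.. and \\ as
-- escapes, so 'c:\encrypteddb\...' is fine, but a directory starting with
-- n or x would need '\\'.

-- Step 1: the main database file. No OLD KEY clause, because the source
-- is not encrypted. 'AES' and 'AES_FIPS' produce compatible files; the
-- FIPS code path is selected at run time with dbsrv10 -fips (separately
-- licensed), not by the ALGORITHM clause.
CREATE ENCRYPTED FILE 'c:\encrypteddb\database.db'
    FROM 'c:\database.db'
    KEY 'encryptionkey'
    ALGORITHM 'AES';

-- Step 2: the transaction log, with the SAME key, so the server can use
-- it with the encrypted copy. Repeat this statement for every additional
-- dbspace file the database has.
CREATE ENCRYPTED FILE 'c:\encrypteddb\database.log'
    FROM 'c:\database.log'
    KEY 'encryptionkey'
    ALGORITHM 'AES';

-- Step 3 (verify): start the encrypted copy, supplying the key as a
-- database option (-ek) or interactively (-ep), e.g.
--   dbsrv10 -n enc_test c:\encrypteddb\database.db -ek encryptionkey
-- then, connected to that database, confirm what the server reports:
SELECT DB_PROPERTY('Encryption');
-- expected: 'AES' (or 'AES_FIPS' when the server was started with -fips);
-- 'None' or 'Simple' means the wrong file was started.

-- On 11.0.1 and later the per-file loop collapses into one statement that
-- handles the .db, the .log and all dbspaces together (kept commented
-- out here because it is not valid on version 10):
-- CREATE ENCRYPTED DATABASE 'c:\encrypteddb\database.db'
--     FROM 'c:\database.db'
--     KEY 'encryptionkey'
--     ALGORITHM 'AES';
```

On key handling: the key only ends up in HKEY_CURRENT_USER\Software\ODBC\... if it is typed into the DSN. The alternatives from the last comment are to start the server with dbsrv10 -ep so the key is prompted for, or to put the start-up options (including -ek) into a configuration file, run dbsrv10 @data.cfg, and first pass that file through dbfhide (dbfhide data.cfg data_hidden.cfg, then start with @data_hidden.cfg). The answer itself describes dbfhide as obfuscation, so the hidden file still needs restrictive file permissions; it is not a substitute for keeping the key out of reach of anyone who can read the server's files.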
last updated: 01 Mar '13, 13:35