EncryptFile and EncryptFiles
The EncryptFile and EncryptFiles actions mark the specified file or files as encrypt-pending by generating the symmetric key for each specified map file, encrypting it with the master key, and storing it in the map file in the pending keyset slot.
The syntax of the EncryptFile and EncryptFiles actions is as follows.
jdbcrypt path=database-path ini=initialization-file-name action=EncryptFile|EncryptFiles File=file-name | File1=file-name File2=file-name …| Files=file-name;file-name;… [NoPassPhrase=true]
Alternatively, you can use the EncryptFile action to change the mandatory full encryption state, as follows.
jdbcrypt path=database-path ini=initialization-file-name action=EncryptFile MandatoryFullEncryption=true|false [NoPassPhrase=true]
The EncryptFile and EncryptFiles actions require the manual entry of the master key passphrase.
The following is an example of the EncryptFile action.
jdbcrypt path=d:\dbcrypt ini=d:\salesdb\jade.ini action=EncryptFile File=annualsales
The file-name value is a complete map file name or a partial map file name with a trailing asterisk; for example, cust* means all map files that begin with the letters cust.
Specify the file-name mask * (a single asterisk) to indicate encryption of all user files, including rootdef. Specify the mask _* (underscore asterisk) to indicate the encryption of all encryptable system files such as _userscm.
The following are examples of the EncryptFiles action.
jdbcrypt path=d:\dbcrypt ini=d:\salesdb\jade.ini action=EncryptFiles Files=*
jdbcrypt path=d:\dbcrypt ini=d:\salesdb\jade.ini action=EncryptFiles Files=cust*;_userscm;archive*;
jdbcrypt path=d:\dbcrypt ini=d:\salesdb\jade.ini action=EncryptFiles File1=testdb File2=banking File3=_userdev
Map files that match a mask and are already encrypted are ignored.
The action fails if a complete file name does not match a database map file name. A file name mask with no matches generates a warning.
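The following added example (not part of the JADE documentation and not JADE code) models the file-name rules above so that you can preview what a Files= value would select before running jdbcrypt. It does not call jdbcrypt; the DB_FILES sample, the underscore test for system files, case-insensitive matching, and the handling of an already-encrypted complete name are assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample: map file name -> already encrypted? (not real ListStatus output)
DB_FILES = {"rootdef": False, "customer": False, "custhist": True,
            "annualsales": False, "_userscm": False, "_userdev": True}

@dataclass
class Selection:
    pending: list = field(default_factory=list)   # would be marked encrypt-pending
    ignored: list = field(default_factory=list)   # already encrypted, skipped
    warnings: list = field(default_factory=list)  # masks with no matches

def matches(mask, name):
    """True if a trailing-asterisk mask selects the map file name."""
    if mask == "*":
        # "*" means all user files (including rootdef). Assumption: system
        # files are the ones whose names begin with an underscore.
        return not name.startswith("_")
    # Assumption: names compare case-insensitively.
    return name.casefold().startswith(mask[:-1].casefold())

def resolve(files_arg, db_files):
    """Model how a Files=a;b;... value would be resolved against db_files."""
    sel = Selection()

    def place(name):
        bucket = sel.ignored if db_files[name] else sel.pending
        if name not in bucket:
            bucket.append(name)

    for spec in (s.strip() for s in files_arg.split(";")):
        if not spec:
            continue  # tolerate the trailing ';' shown in the page's example
        if "*" in spec[:-1]:
            raise ValueError(f"asterisk is only valid at the end: {spec!r}")
        if spec.endswith("*"):
            hits = [n for n in db_files if matches(spec, n)]
            if not hits:
                sel.warnings.append(spec)  # a mask with no matches only warns
            for n in hits:
                place(n)
        else:
            name = next((n for n in db_files if n.casefold() == spec.casefold()), None)
            if name is None:  # a complete name with no match fails the action
                raise LookupError(f"no map file named {spec!r}")
            place(name)  # assumption: an already-encrypted exact name is skipped
    return sel

if __name__ == "__main__":
    print(resolve("cust*;_userscm;archive*;", DB_FILES))
```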
You can repeat these actions multiple times and you can interleave them with DecryptFile or DecryptFiles actions.
The EncryptFile and EncryptFiles actions only mark the specified files as encrypt-pending; the file contents are not encrypted until the next ApplyPendingChanges action.
When you encrypt a file with downgraded security, specify the NoPassPhrase=true argument to suppress the request for the master key passphrase. By default, the value of this argument is false.
When a new database map file is added to a fully encrypted database, the new file will be unencrypted, which will result in your database being partially encrypted if you forget to specifically encrypt the new file.
Mandatory full encryption does not cause files to be automatically encrypted. No files are automatically encrypted.
If you want to change mandatory encryption of all files in your database, use the EncryptFile action, specifying the MandatoryFullEncryption=true|false argument. When this argument is set to true, the database server rejects attempts to create user objects in unencrypted user data map files. However, objects can be read, updated, and deleted.
New map files added to a database are always added as unencrypted, regardless of the setting of the optional MandatoryFullEncryption argument. If these files require encryption or the MandatoryFullEncryption argument is set to true, the files must be manually encrypted using the JADE Database Encryption utility (jdbcrypt.exe).
When MandatoryFullEncryption is set to true, it requires that all map files are encrypted before any attempt is made to create new objects in any map file, or exception 3345 (DbCrypt Cannot create user objects in unencrypted files) is raised.
Situations in which a database may be partially encrypted and where MandatoryFullEncryption should be set to false are as follows.
- Only certain map files contain data sensitive enough to require encryption
- Map files that can be created by user logic are unencrypted and, as such, objects could not be created in them
If you want to verify the encrypted status of all files in your database, run the ListStatus action regularly.