
SQL Anywhere Studio Security Guide
  Keeping Your Data Secure

Encrypting a database


As a database administrator, you can use database encryption to make it more difficult for someone to decipher the data in your database. You can choose to secure your database either with simple or with strong encryption.

Simple encryption 

Simple encryption is equivalent to obfuscation: it makes it more difficult for someone examining the file with a disk utility to decipher the data in your database. Simple encryption does not require a key to encrypt the database. Simple encryption technology is supported in previous versions of SQL Anywhere.

Strong encryption 

Strong database file encryption technology makes the database inoperable without the key (password). As well, it scrambles the information contained in your database and transaction log files so they cannot be deciphered simply by looking at the files using a disk utility. The data is completely inaccessible without the key.

Two algorithms have been chosen to implement strong encryption: AES, a block encryption algorithm chosen as the new Advanced Encryption Standard (AES) for block ciphers by the National Institute of Standards and Technology (NIST); and MDSR, a new 56-bit algorithm developed by Casio.

A database can be strongly encrypted using the ENCRYPTION and KEY options with the CREATE DATABASE statement. Similarly, the database administrator can initialize a database using the dbinit utility in combination with various options to enable strong encryption. You can also use the Sybase Central Create Database wizard to create a strongly encrypted database. Using the dbinit utility with the -ea option enables strong encryption and sets the algorithm to either AES or MDSR. Using the dbinit utility with the -ek or -ep option enables strong encryption and determines how the key is supplied: -ek specifies the key at the command prompt, and -ep specifies it in a prompt box.

To create a strongly encrypted database (SQL)

  1. Connect to an existing database from Interactive SQL.

  2. Execute a CREATE DATABASE statement that includes the ENCRYPTION and KEY options. For example, the following statement creates a database file named myencrypteddb.db in the C:\ directory.

    CREATE DATABASE 'c:\\myencrypteddb'
    TRANSACTION LOG ON
    ENCRYPTED ON
      KEY '0kZ2o52AK#'
      ALGORITHM 'MDSR'

To create a strongly encrypted database (command prompt)

  1. At a command prompt, use the dbinit utility to create a database. You must include the following options:

    The following command (entered all on one line) creates a strongly encrypted database and specifies that the encryption key is entered as part of the command.

    dbinit -ea MDSR -ek "0kZ2o56AK#" "myencrypteddb.db"

  2. Start the database from the command prompt.

    dbeng9 myencrypteddb.db -ek "0kZ2o56AK#"

For more information about the encryption key, see Encryption Key connection parameter [DBKEY].

As with most passwords, it is best to choose a key value that cannot be easily guessed. We recommend that you choose a value for your key that includes between 8 and 30 digits and a combination of upper and lower case characters, numbers, letters, and special characters.
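
One way to generate and check a key against the recommendation above, as an added example that is not part of the SQL Anywhere documentation. The names check_key and generate_key are hypothetical, the 8 to 30 range is read as the key length, and the excluded characters are this example's own choice so the key needs no escaping inside KEY '...' or -ek "...".

```python
import secrets
import string

# Assumptions of this example (not taken from the SQL Anywhere documentation):
# the "8 to 30" recommendation is treated as the key length, and the characters
# in EXCLUDED are left out so the key can be pasted unescaped into a SQL string
# literal, a double-quoted command-line argument, or a connection string.
MIN_LEN, MAX_LEN = 8, 30
EXCLUDED = set("'\"\\;%`$ \t")
SPECIALS = "".join(c for c in string.punctuation if c not in EXCLUDED)
CLASSES = {
    "lower case letter": string.ascii_lowercase,
    "upper case letter": string.ascii_uppercase,
    "number": string.digits,
    "special character": SPECIALS,
}


def check_key(key: str) -> list[str]:
    """Return the recommendations a candidate key fails (empty list = passes)."""
    problems = []
    if not MIN_LEN <= len(key) <= MAX_LEN:
        problems.append(f"length {len(key)} is outside {MIN_LEN}-{MAX_LEN}")
    for name, alphabet in CLASSES.items():
        if not any(c in alphabet for c in key):
            problems.append(f"no {name}")
    bad = sorted(set(key) & EXCLUDED)
    if bad:
        problems.append(f"contains characters that need quoting: {bad!r}")
    return problems


def generate_key(length: int = MAX_LEN) -> str:
    """Draw keys from the OS CSPRNG until one contains every character class."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_LEN} and {MAX_LEN}")
    alphabet = "".join(CLASSES.values())
    while True:
        key = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_key(key):
            return key


if __name__ == "__main__":
    print(check_key("password"))  # constructed weak key, fails three checks
    print(generate_key())         # random key, different on every run
```

Supplying the generated key through the -ep prompt box rather than the -ek option keeps it out of the command line itself.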

Caution 

Be sure to store a copy of your key in a safe location. You require the key each time you want to start or modify the database. A lost key will result in a completely inaccessible database, from which there is no recovery.

