I am looking for a way to create my own TDE status report, showing the encryption status of areas and objects.
I thought it might be similar to ABP status, i.e. that I would find a flag in _Area or _StorageObject that I could parse but that doesn't seem to be the case. I checked the Data Dictionary encryption report code and it seems to be using a private API to get encryption status.
The best I have managed so far is to write a program to iterate over storage areas and application objects and, for each one, shell out and run a proutil epolicy view command and pipe in the passphrase. But this command requires me to provide the keystore admin passphrase (which seems odd), whereas the Data Dictionary does not; it just requires the user to be a security administrator.
Also, this approach is sub-optimal because it exposes the passphrase in the command lines of the sub-shells (e.g. os-command silent value( substitute( "echo '&1' | proutil &2 -C epolicy view table &3 -Passphrase", v-admin-phrase, ldbname(1), _file-name ) ) ).
Is there a better way to do this? Is there an accessible schema field that indicates object encryption status, or are these statuses only in _sec-*-policy tables that are inaccessible from ABL?
before you enabled encryption, you added a storage area. in that area there is a table that has all the encryption info for the encrypted objects. 1 or 2 rows per object.
Correct. It contains _sec-db-policy, _sec-obj-policy, and _sec-pwd-policy. I can't read them.
find first _sec-db-policy.
Unknown or ambiguous table _sec-db-policy. (725)
** Could not understand line 1. (196)
I am guessing the AVM contains a restriction to prevent those tables from being accessed.
Just for kicks, I also tried adding "-Passphrase" to my client command line, and provided the admin passphrase. The AVM still doesn't (claim to) see the table.