Read object/area encryption status? - Forum - OpenEdge RDBMS - Progress Community

Read object/area encryption status?

 Forum

Read object/area encryption status?

This question is not answered

I am looking for a way to create my own TDE status report, showing the encryption status of areas and objects. 

I thought it might be similar to ABP status, i.e. that I would find a flag in _Area or _StorageObject that I could parse but that doesn't seem to be the case.  I checked the Data Dictionary encryption report code and it seems to be using a private API to get encryption status. 

The best I have managed so far is to write a program to iterate over storage areas and application objects and, for each one, shell out and run a proutil epolicy view command and pipe in the passphrase.  But this command requires me to provide the keystore admin passphrase (which seems odd), whereas the Data Dictionary does not; it just requires the user to be a security administrator. 

Also, this approach is sub-optimal because it exposes the passphrase in the command lines of the sub-shells (e.g. os-command silent value( substitute( "echo '&1' | proutil &2 -C epolicy view table &3 -Passphrase", v-admin-phrase, ldbname(1), _file-name ) ) ).

Is there a better way to do this?  Is there an accessible schema field that indicates object encryption status, or are these statuses only in _sec-*-policy tables that are inaccessible from ABL?

All Replies
  • before you enabled encryption, you added a storage area. in that area there is a table that has all the encryption info for the encrypted objects. 1 or 2 rows per object.

  • Correct.  It contains _sec-db-policy, _sec-obj-policy, and _sec-pwd-policy.  I can't read them.

    find first _sec-db-policy.
    
    Unknown or ambiguous table _sec-db-policy. (725)
    **  Could not understand line 1. (196)          

    I am guessing the AVM contains a restriction to prevent those tables from being accessed.

  • Just for kicks, I also tried adding "-Passphrase" to my client command line, and provided the admin passphrase.  The AVM still doesn't (claim to) see the table.