Implications of Database Encryption for Database Design and Operations
An encrypted database cannot contain tables that use column encryption, so an existing database containing column-encrypted tables cannot be converted directly into an encrypted database. Before the conversion, each column-encrypted table must be recreated manually without column encryption: unload the existing data, recreate the table, and reload the data afterwards.
When the passphrase is changed, the main key is decrypted using the old passphrase, re-encrypted using the new passphrase, and then replaced in its storage location. The user data is not re-encrypted because only the passphrase — not the underlying table encryption keys — has changed.
If the NEWKEY option is specified, the metadata containing the table keys is decrypted with the old database key and re-encrypted with the new database key. This requires a full write lock on the database and, depending on the amount of metadata involved, can be a computationally expensive operation.
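The key hierarchy the two paragraphs above describe (passphrase protects the main key, the main key protects the per-table keys, the table keys protect the row data), as an added illustration that is not the product's own code. The HMAC-based stream cipher, PBKDF2 parameters and the in-memory `EncryptedDatabase` class are constructed for this example only; the point it shows is that a plain passphrase change touches only the wrapped main key, NEWKEY additionally rewraps the table-key metadata, and neither operation rewrites the encrypted rows.

```python
import hashlib, hmac, os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher for illustration: HMAC-SHA256(key, nonce||counter) as keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(kek: bytes, secret: bytes) -> tuple[bytes, bytes]:
    nonce = os.urandom(16)  # fresh nonce per wrap, so rewrapping yields new ciphertext
    return nonce, keystream_xor(kek, nonce, secret)

def unwrap(kek: bytes, blob: tuple[bytes, bytes]) -> bytes:
    return keystream_xor(kek, blob[0], blob[1])

def passphrase_key(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

class EncryptedDatabase:
    """Three-level key hierarchy: passphrase -> main key -> table keys -> row data."""
    def __init__(self, passphrase: str):
        self.salt = os.urandom(16)
        main_key = os.urandom(32)
        self.wrapped_main = wrap(passphrase_key(passphrase, self.salt), main_key)
        self.table_meta = {}   # table name -> table key wrapped under the main key
        self.rows = {}         # table name -> row data encrypted under the table key

    def _main_key(self, passphrase: str) -> bytes:
        return unwrap(passphrase_key(passphrase, self.salt), self.wrapped_main)

    def create_table(self, passphrase: str, name: str, data: bytes) -> None:
        table_key = os.urandom(32)
        self.table_meta[name] = wrap(self._main_key(passphrase), table_key)
        self.rows[name] = wrap(table_key, data)

    def read(self, passphrase: str, name: str) -> bytes:
        table_key = unwrap(self._main_key(passphrase), self.table_meta[name])
        return unwrap(table_key, self.rows[name])

    def change_passphrase(self, old: str, new: str, newkey: bool = False) -> None:
        main_key = self._main_key(old)
        if newkey:  # NEWKEY: rewrap every table key under a fresh main key (metadata only)
            new_main = os.urandom(32)
            self.table_meta = {n: wrap(new_main, unwrap(main_key, b)) for n, b in self.table_meta.items()}
            main_key = new_main
        self.salt = os.urandom(16)  # self.rows (the user data) is never rewritten
        self.wrapped_main = wrap(passphrase_key(new, self.salt), main_key)
```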
If a backup or replication method works at the binary level by transferring and applying journal records, the original table and the replicate table must use the same table key. This is the case when the replicate system was originally copied at the binary level and, since then, neither the main key has been changed with the NEWKEY option nor the table key changed with ALTER KEYS.
Encrypted data is usually unique at the binary level to each database, but outside the database the data is not protected in the same way. Data copied to a flat file is unprotected; such files need an external protection method, such as password-encrypting the entire file or writing it to an encrypted device or file system.
Encryption and Copydb/Unloaddb Considerations
Database encryption does not protect data outside the database, including files generated by the copydb, unloaddb, and genxml utilities.
Backups taken by checkpointing an encrypted database contain the data in encrypted form. Such backups therefore cannot be compressed: encrypted data is unique and effectively random at the binary level, which makes it unsuitable for data compression.
Last modified date: 01/27/2026