How Database Encryption Works
You create an encrypted database by using the -encrypt flag on the createdb command. At that time, you are prompted to enter an initial passphrase that will be used to lock and unlock the encrypted database. Createdb leaves an encrypted database unlocked until the DISABLE PASSPHRASE statement is issued and the X100 server is terminated.
When an encrypted database is created, a database encryption key is derived from the randomly generated main key of the database. The database encryption key is kept in shared memory only and is used to encrypt and decrypt the data at rest. Only the main key is persisted, and it is protected by encrypting it with an AES key, called the “protection key”, derived from the specified PASSPHRASE. See the diagram in Encryption Key Management, which shows how the different keys and the passphrase are related.
The database is unlocked using the ENABLE PASSPHRASE statement that specifies the correct passphrase. The protection key derived from the passphrase is used to decrypt the main key and the database encryption key is derived from the main key. Again, the database encryption key is only kept in shared memory for the encryption and decryption of database data. The statement DISABLE PASSPHRASE or a server shutdown clears the database encryption key from memory and the database is effectively locked. To access the encrypted database again, the statement ENABLE PASSPHRASE must be issued.
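The key hierarchy and the lock/unlock cycle described above, as an added Python example that is not the product's own code. PBKDF2, HKDF, AES key wrap, the iteration count, the stored salt, and all function and field names are assumptions; the page states only that the protection key is an AES key derived from the passphrase and that the database encryption key is derived from the main key.

```python
import hashlib
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.keywrap import (
    InvalidUnwrap, aes_key_unwrap, aes_key_wrap)

ITERATIONS = 200_000  # assumed PBKDF2 work factor


def protection_key(passphrase: str, salt: bytes) -> bytes:
    """Passphrase -> 256-bit AES protection key (PBKDF2 is an assumed KDF)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS)


def create_database(passphrase: str) -> dict:
    """Generate a random main key; persist only its wrapped form and the salt."""
    salt, main_key = os.urandom(16), os.urandom(32)
    wrapped = aes_key_wrap(protection_key(passphrase, salt), main_key)
    return {"salt": salt, "wrapped_main_key": wrapped}


def enable_passphrase(stored: dict, passphrase: str, shared_memory: dict) -> None:
    """Unlock: unwrap the main key, derive the database encryption key in memory."""
    kek = protection_key(passphrase, stored["salt"])
    try:
        main_key = aes_key_unwrap(kek, stored["wrapped_main_key"])
    except InvalidUnwrap:
        raise PermissionError("wrong passphrase: main key not recoverable") from None
    hkdf = HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=b"database-encryption-key")  # assumed derivation label
    shared_memory["dek"] = bytearray(hkdf.derive(main_key))


def disable_passphrase(shared_memory: dict) -> None:
    """Lock: overwrite and drop the in-memory database encryption key."""
    dek = shared_memory.pop("dek", None)
    if dek is not None:
        dek[:] = bytes(len(dek))
```

Because only the wrapped main key is stored, a wrong passphrase fails at the unwrap step and no database encryption key ever reaches memory.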
Last modified date: 12/19/2024