00509324-TDE Encryption between Replication sites - does the

Posted by papatel on 19-Sep-2019 16:04

Hello,

I have a customer (Ovid Technologies, inc) who is asking if the traffic over the replication ports is fully encrypted using TDE, or only the data configured with TDE is encrypted?

Here is the customer questions/description:

"We have OpenEdge databases with TDE configured on certain tables. We have been asked to look into using OpenEdge Replication for a coming project.

As part of the coming project we are improving our security to meet corporate standards.

My question is, if we configure our OpenEdge databases (currently using TDE) to use SSL connections for clients, and we set up a replication set with OpenEdge Replication, is the traffic over the replication ports fully encrypted (as a 4GL client session would be),

OR will only the data configured with TDE encryption be encrypted? I checked the knowledge base and found topics relating to TDE and Replication, but nothing indicating whether (or how to) encrypt traffic over the replication ports."

Based on looking at the knowledge base and some research: I think only the data will be encrypted when on disk. They would have to use SSL for secure traffic for replication.

Please let me know if anyone has an opinion, insight or feedback on this.

Thank you in advance!

Regards,

Parth

Posted by Jeff Owen on 20-Sep-2019 19:24

The customer can consider encrypting the After Image areas with TDE if they want OE Replication to transfer data in an encrypted state.  Note that AI data is encrypted by default when enabling encryption and AI is enabled at the time:
 
https://documentation.progress.com/output/ua/OpenEdge_latest/index.html#page/dmadm/running-enableencryption.html#wwID0EIKAR
 
If AI is not enabled when TDE is enabled, AI data can later be configured for encryption after AI has been enabled.
 
https://documentation.progress.com/output/ua/OpenEdge_latest/index.html#page/dmadm%2Fenabling-ai-file-encryption-after-enabling-encry.html%23
 
The OE Replication server transfers AI data to the OE Replication Agent at the block level.  So, in a TDE environment with encryption enabled for AI areas, the Replication server will transfer data in an encrypted state.
 
hth.
 
-jeff
 

Posted by Dapeng Wu on 23-Sep-2019 14:09

The traffic between a replication source and target database is basically AI notes (in AI blocks). These notes record the changes of actual data in the database. For example, a record has been updated.

In TDE, data and AI can be encrypted separately. For example, a table may not be encrypted; but if AI encryption is enabled, then all the AI data, including the ones that record the changes of this non-encrypted table, will still be encrypted. TDE provides encryption for data on disk and in transit. So as Jeff has mentioned earlier, AI encryption will make sure all the sensitive data used by replication is protected.

Also note that even with AI encryption enabled, OE Replication will not encrypt all the traffic --- some non-sensitive, administrative network messages will not be encrypted.


Posted by papatel on 23-Sep-2019 14:14

Thank you for your feedback and answers.

This thread is closed