CREATE ENCRYPTED FILE newfile
FROM oldfile
{ KEY key | KEY key OLD KEY oldkey }
[ ALGORITHM { 
   'AES' 
   | 'AES256' 
   | 'AES_FIPS' 
   | 'AES256_FIPS' } ]

Use this statement when your database requires recovery and you need to create an encrypted copy of the database for support reasons. You must also use this statement to encrypt any database-related files such as the transaction log, transaction log mirror, or dbspace files.

You cannot be connected to the database you are creating the encrypted file for. You must be connected to a different database. For example, connect to the utility database. The database that you are encrypting must not be running.

When encrypting the database-related files, you must specify the same algorithm and key for all files related to the database.

If oldfile has dbspaces or transaction log files associated with it and you encrypt those too, you must ensure that the new name and location of those files is stored with the new database. To do so:

You can use this statement to change the encryption algorithm and key for a database. However, the CREATE ENCRYPTED FILE statement produces a new file (newfile), and does not replace or remove the previous version of the file (oldfile).

The name of the transaction log file remains the same in this process, so if the database and transaction log file are renamed, then you need to run dblog -t on the resulting database.

You can also encrypt an existing database or change an existing encryption key by unloading and reloading the database using the dbunload -an option with either -ek or -ep.

If you have a database on which table encryption is enabled, you cannot encrypt the database using this statement. However, you can use this statement to change the key used for table encryption. To encrypt a database that has table encryption enabled, use the CREATE ENCRYPTED DATABASE statement.

FIPS-certified encryption is not supported for use with Windows Mobile.

This statement is not supported in procedures, triggers, events, or batches.

Your ability to execute this statement depends on the setting for the -gu database option, and whether you have the SERVER OPERATOR system privilege.

None.

• CREATE ENCRYPTED DATABASE statement
• Database encryption and decryption
• CREATE ENCRYPTED DATABASE statement
• CREATE DECRYPTED FILE statement
• CREATE DECRYPTED DATABASE statement
• Unload utility (dbunload)
• Transaction Log utility (dblog)
• -gu database server option

The following example encrypts the sample database demo.db and creates a new database called demo2.db that is encrypted with AES_FIPS encryption. The new database file is placed in the server's current working directory.

CREATE ENCRYPTED FILE 'demo2.db'
FROM 'C:\\Users\\Public\\Documents\\SQL Anywhere 16\\Samples\\demo.db'
   KEY 'Sd8f6654*Mnn'
   ALGORITHM 'AES_FIPS';

The following example encrypts the sample database demo.db and its transaction log file demo.log. The new database and log files are placed in the server's current working directory. You must run dblog -ek Sd8f6654*Mnn -t demo3.log demo3.db, since the new database file demo3.db still points to the old log file.

CREATE ENCRYPTED FILE 'demo3.db'
   FROM 'C:\\Users\\Public\\Documents\\SQL Anywhere 16\\Samples\\demo.db'
   KEY 'Sd8f6654*Mnn';
CREATE ENCRYPTED FILE 'demo3.log'
   FROM 'C:\\Users\\Public\\Documents\\SQL Anywhere 16\\Samples\\demo.log'
   KEY 'Sd8f6654*Mnn';

To change the encryption key for a database, first create a copy of the database file using the new key, as shown in this statement:

CREATE ENCRYPTED FILE 'newdemo.db'
   FROM 'C:\\Users\\Public\\Documents\\SQL Anywhere 16\\Samples\\demo.db' 
 KEY 'newkey' OLD KEY 'oldkey';

The new database file is placed in the server's current working directory. Once you have created the encrypted file, delete demo.db, move newdemo.db to the same directory as the old file, and then rename it to be demo.db.