R
Rob Fitzpatrick
Guest
I am looking for a way to create my own TDE status report, showing the encryption status of areas and objects. I thought it might be similar to ABP status, i.e. that I would find a flag in _Area or _StorageObject that I could parse but that doesn't seem to be the case. I checked the Data Dictionary encryption report code and it seems to be using a private API to get encryption status. The best I have managed so far is to write a program to iterate over storage areas and application objects and, for each one, shell out and run a proutil epolicy view command and pipe in the passphrase. But this command requires me to provide the keystore admin passphrase (which seems odd), whereas the Data Dictionary does not; it just requires the user to be a security administrator. Also, this approach is sub-optimal because it exposes the passphrase in the command lines of the sub-shells (e.g. os-command silent value( substitute( "echo '&1' | proutil &2 -C epolicy view table &3 -Passphrase", v-admin-phrase, ldbname(1), _file-name ) ) ). Is there a better way to do this? Is there an accessible schema field that indicates object encryption status, or are these statuses only in _sec-*-policy tables that are inaccessible from ABL?
Continue reading...
Continue reading...