Command Summary

| Command | Purpose |
| --- | --- |
| `./p11tool2 slot=<slot_no> Label=<token_label> Login=ADMIN,ADMIN.key InitToken=<SO_PIN>` | Initialize PKCS#11 token and create Security Officer (SO) credentials |
| `./p11tool2 slot=<slot_no> LoginSO=<SO_PIN> InitPin=<CryptoUser_PIN>` | Initialize Crypto User PIN for the PKCS#11 slot |
| `./p11tool2 LoginUser=<CryptoUser_PIN> ListObjects` | List cryptographic objects stored in the HSM |
| `isql -S<SAP Server Name> -Usa` | Connect to SAP Sybase ASE using the ISQL utility |
| `SELECT @@VERSION` | Display SAP Sybase ASE server version |
| `SELECT @@SERVERNAME` | Display SAP Sybase ASE server name |
| `shutdown` | Gracefully shut down the SAP Sybase ASE server |
| `$SYBASE/$SYBASE_ASE/bin/startserver -f RUN_SAP01` | Start the SAP Sybase ASE server (e.g., SAP01) |
| `sp_configure 'enable encrypted columns', 1` | Enable database and column-level encryption features |
| `sp_configure 'external keystore', 0, 'hsm'` | Configure HSM as external keystore in ASE |
| `sp_encryption 'hsm_credential' , ' lib=<pkcs11 library name>; pin=<crypto user pin>; slot=<slot number>'` | Store HSM PKCS#11 library, slot and credentials in ASE |
| `create encryption key master with keylength 256 init_vector random` | Create HSM-backed ASE master encryption key |
| `sp_encryption helpkey` | Display all encryption keys configured in ASE |
| `create database <database_name>` | Create database for Transparent Data Encryption testing |
| `create encryption key <DEK_name> for database encryption` | Create Database Encryption Key (DEK) |
| `alter database <database_name> encrypt with <DEK_name>` | Encrypt database using the DEK |
| `alter database <database_name> decrypt` | Decrypt the encrypted database |
| `select dbencryption_status('status', db_id('<database name>'))` | Check encryption status of the database |
| `drop encryption key <key_name>` | Drop the encryption key |
| `create encryption key <hsm key name> on external keystore with keylength 256 init_vector random` | Create a new encryption key directly on HSM |
| `select * from <table name>` | Verify data access before and after encryption |
