SAP Sybase ASE supports Transparent Data Encryption for protecting data at rest. The key protection using an External Keystore (HSM) is achieved through an envelope encryption model. The database is encrypted using a Database Encryption Key (DEK), which performs the actual data encryption. This DEK is protected by the ASE master key, which acts as a Key Encryption Key (KEK) within the database. The ASE master key itself is then protected by an external key stored in the HSM via PKCS#11.
