Key recovery commands

Adaptive Server does not allow access to data through the recovery key copy. A key recovery copy exists only to provide a backup for accessing the base key.

Set up a recovery key copy using:

alter encryption key keyname with passwd base_key_passwd 
add encryption with passwd recovery_passwd 
for user key_recovery_user for recovery

where:

After setting the key recovery copy, the key custodian shares the password with the key recovery user, who can alter the password using:

alter encryption key keyname with passwd old_recovery_passwd
    modify encryption with passwd new_recovery_passwd for recovery

During key recovery, the key recovery user tells the key custodian the password of the key recovery copy. The key custodian restores access to the base key using:

alter encryption key keyname with passwd recovery_key_passwd
    recover encryption with passwd new_base_key_passwd

where:

You may also need to change ownership of the key to another key custodian. See “Changing ownership of encryption keys”.

This example shows how to set up the recovery key copy and use it for key recovery after losing a password:

  1. The key custodian creates a new encryption key protected by a password.

    create encryption key key1 for AES 
         passwd 'loseitl8ter'
    
  2. The key custodian adds an encryption key recovery copy of key1 for “charlie”.

    alter encryption key key1 with passwd 'loseitl8ter'
         add encryption
         with passwd 'temppasswd'
         for user charlie
         for recovery 
    
  3. “charlie” assigns a different password to the recovery copy and saves this password in a locked drawer:

    alter encryption key key1
         with passwd 'temppasswd'
         modify encryption
         with passwd 'finditl8ter'
         for recovery
    
  4. If the key custodian loses the password for the base key, he can obtain the recovery password from “charlie” and recover the base key from the recovery copy using:

    alter encryption key key1
         with passwd 'finditl8ter'
         recover encryption
         with passwd 'newpasswd'
    

The key custodian now shares access to key1 with other users by sharing the base key’s password, or by dropping and adding key copies where changes in personnel have occurred.
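The four-step procedure above, run through a small model of the base-copy / recovery-copy relationship. This is an added example, not Adaptive Server's code: the server's actual key-wrapping format is not documented on this page, so the password-based wrap used here (a PBKDF2-derived pad over the raw key plus an HMAC tag) is an assumed stand-in, and the class and function names are the example's own. What it shows beyond the command listing is the property the page states at the top: the recovery password never opens the data key directly, it only lets a new base copy be written.

```python
"""Toy model of an encryption key with a base copy and a recovery copy.

Added example, not Adaptive Server's implementation. The wrap format
(PBKDF2 pad + HMAC tag) is an assumption chosen so the model behaves the
way the page's alter encryption key commands are described.
"""
import hashlib
import hmac
import os
import secrets

KEY_LEN = 32  # bytes; models a 256-bit AES base key


class KeyCopyError(Exception):
    """Raised when a password does not open the copy it was offered to."""


def _derive(password: str, salt: bytes) -> bytes:
    # 64 bytes: first half is a one-time pad over the key, second half keys the tag
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000, dklen=64)


def _wrap(raw_key: bytes, password: str) -> dict:
    salt = os.urandom(16)
    kek = _derive(password, salt)
    ct = bytes(a ^ b for a, b in zip(raw_key, kek[:KEY_LEN]))
    tag = hmac.new(kek[KEY_LEN:], salt + ct, "sha256").digest()
    return {"salt": salt, "ct": ct, "tag": tag}


def _unwrap(copy: dict, password: str) -> bytes:
    kek = _derive(password, copy["salt"])
    tag = hmac.new(kek[KEY_LEN:], copy["salt"] + copy["ct"], "sha256").digest()
    if not hmac.compare_digest(tag, copy["tag"]):
        raise KeyCopyError("password does not open this key copy")
    return bytes(a ^ b for a, b in zip(copy["ct"], kek[:KEY_LEN]))


class EncryptionKey:
    """One named key with a base copy and at most one recovery copy (hypothetical model)."""

    def __init__(self, name: str, base_passwd: str):
        # create encryption key <name> for AES passwd <base_passwd>
        self.name = name
        self.base = _wrap(secrets.token_bytes(KEY_LEN), base_passwd)
        self.recovery = None  # (user, wrapped copy) once a recovery copy is added

    def data_key(self, passwd: str) -> bytes:
        # Data access goes through the base copy only; offering the recovery
        # password here is rejected, matching "no data access through the copy".
        return _unwrap(self.base, passwd)

    def add_recovery(self, base_passwd: str, recovery_passwd: str, user: str) -> None:
        # alter ... with passwd <base> add encryption with passwd <rec> for user <u> for recovery
        raw = _unwrap(self.base, base_passwd)
        self.recovery = (user, _wrap(raw, recovery_passwd))

    def modify_recovery(self, old_passwd: str, new_passwd: str) -> None:
        # alter ... with passwd <old> modify encryption with passwd <new> for recovery
        user, copy = self.recovery
        self.recovery = (user, _wrap(_unwrap(copy, old_passwd), new_passwd))

    def recover(self, recovery_passwd: str, new_base_passwd: str) -> None:
        # alter ... with passwd <rec> recover encryption with passwd <new_base>
        _, copy = self.recovery
        self.base = _wrap(_unwrap(copy, recovery_passwd), new_base_passwd)


def opens(key: EncryptionKey, passwd: str) -> bool:
    """True if passwd yields the data key through the base copy, False if rejected."""
    try:
        key.data_key(passwd)
        return True
    except KeyCopyError:
        return False


def walkthrough() -> dict:
    """Run the page's four steps with its sample passwords and report what held."""
    key1 = EncryptionKey("key1", "loseitl8ter")                 # step 1
    original = key1.data_key("loseitl8ter")
    key1.add_recovery("loseitl8ter", "temppasswd", "charlie")   # step 2
    key1.modify_recovery("temppasswd", "finditl8ter")           # step 3
    recovery_opens_data = opens(key1, "finditl8ter")            # expected False
    key1.recover("finditl8ter", "newpasswd")                    # step 4
    return {
        "same_key_after_recovery": key1.data_key("newpasswd") == original,
        "old_base_passwd_rejected": not opens(key1, "loseitl8ter"),
        "recovery_passwd_opens_data": recovery_opens_data,
        "recovery_copy_unchanged_by_recover": _unwrap(key1.recovery[1], "finditl8ter") == original,
    }


if __name__ == "__main__":
    for fact, value in walkthrough().items():
        print(f"{fact}: {value}")
```

Two points the run makes visible. First, recovery rewraps the same raw key under the new base password, so data encrypted before the loss stays readable; the old base password is simply rejected afterwards. Second, the recover step leaves the recovery copy itself untouched, so the recovery password that the custodian learned during recovery still opens that copy; the recovery user's modify command is the page's mechanism for changing it again.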