There are actually two keys between the user and the data: the column-encryption key (CEK) and the key-encryption key (KEK). The CEK encrypts data and users must have access to it before they can access encrypted data. It cannot be stored on disk in an unencrypted form. Instead, Adaptive Server uses a KEK, or 2 KEKs iin dual-control, to encrypt the CEK when you create or alter an encryption key. The KEK also decrypts the CEK before you can access decrypted data. CEKs are stored in encrypted form in sysencryptkeys.
The KEK is a master key, created separately by the system security officer or key custodian, is an internally derived key from the system encryption password, a user-specified password, or a login password, depending on how you specify the key’s encryption with the create and alter encryption key statements. Both the system encryption password and the master key are stored in encrypted form.
Figure 2-2 describes creating and storing a column encryption key for a create encryption key statement. The KEK is derived from a password and the KEK and the raw CEK are fed into the encryption function to produce an encrypted CEK.
Figure 2-2: Steps to create an encryption key
Figure 2-3 describes how the KEK is used during a DML operation to decrypt the CEK. The raw CEK is then used to encrypt or decrypt data.
Figure 2-3: Accessing a CEK to encrypt or decrypt on DML statement