Users, roles, and data access  Changing a key’s protection method

Chapter 7: Protecting Data Privacy from the Administrator

Key protection using user-specified passwords

Use create encryption key to associate a password with a key:

create encryption key [[db.][owner].]keyname  [as default]
	[for algorithm_name] 
	[with {[keylength num_bits]
	[passwd 'password_phrase'] 
	[init_vector {NULL | random}]
	[pad {NULL | random}]}]

Where password_phrase is a quoted alphanumeric string of up to 255 bytes in length that Adaptive Server uses to generate thekey encryption key (KEK).

Adaptive Server does not save the user-specified password. It saves a string of validating bytes known as the “salt” in sysencryptkeys.eksalt, which allows Adaptive Server to recognize whether a password used on a subsequent encryption or decryption operation is legitimate for a key. You must supply the password to Adaptive Server before you can access any column encrypted by keyname.

When you create an encryption key, its entry in the sysencryptkeys table is known as the base key. For some users and applications, the base key, encrypted by either the master key, the system encryption password, or an explicit password, is sufficient. Any explicit password is shared among users requiring access to the key. Additionally, you can create key copies for different users and applications. Each key copy can be encrypted by an individual password and is stored as a separate row in sysencryptkeys. An encryption key is always represented by one base key and zero or more key copies.

This example shows how to use passwords on keys, and the key custodian’s function in setting up encryption. The password on the key is shared among all users who have a business need to process encrypted data.

  1. Key custodian “razi” creates an encryption key:

    create encryption key key1 
     with passwd 'Worlds1Biggest6Secret'

  2. “razi” distributes the password to all users who need access to encrypted data.

  3. Each user enters the password before processing tables with encrypted columns:

    set encryption passwd 'Worlds1Biggest6Secret' 
     for key razi.key1

  4. If the key is compromised because an unauthorized user gained access to the password, “razi” alters the key to change the password.




Copyright © 2011. Sybase Inc. All rights reserved. Changing a key’s protection method

View this document as PDF