Dual Control and Split Knowledge

Adaptive Server version 15.7 and later provide dual-control and split-knowledge encryption.

Adaptive Server lets you use a combination of two database-level system keys: the master key and the dual master key. You must have sso_role or keycustodian_role to create the master key and dual master key. The master key and the dual master key must have different owners.

With Sybase Control Center, you can supply passwords for the master keys using the Supply Password option for encryption keys. You can also use the Execute SQL option of the Administration Console to supply the password using SQL. The passwords for these two keys are not stored in the database.

Master and dual master keys act as key encryption keys (KEKs), and are used to protect other keys, such as column encryption keys and service keys. Once created, master and dual master keys become the default protection method for column encryption keys. There can only be one master and one dual master key for a database.

The dual master key is needed only for dual control of column encryption keys. Once the master key is created, it replaces the system encryption password as the default key encryption key for user-created keys.

A composite key comprising the master key and dual master key provides dual-control and split-knowledge security for all user-created keys. Alternatively, a composite key may be created using the master key and the column encryption key’s password. When master and dual master keys are configured in a database, Adaptive Server uses the combination to encrypt passwords when you issue create table, alter table or select into commands specifying dual control.
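The sequence below walks through the key hierarchy described above as it would be typed into isql. It is an added example, not taken from the product documentation: the database, key, table and column names and every password are placeholders, and the two custodians are assumed to be separate logins that each hold sso_role or keycustodian_role.

```sql
-- Added example. sales_db, cc_key, cc_key_pw, customer and all passwords
-- are placeholders chosen for illustration.
use sales_db
go

-- Custodian A creates the master key for this database.
create encryption key master with passwd 'MasterPassphrase-placeholder'
go

-- Custodian B, a different login, creates the dual master key.
-- The master key and the dual master key must have different owners.
create encryption key dual master with passwd 'DualPassphrase-placeholder'
go

-- Column encryption key protected by the composite of the master key
-- and the dual master key (dual control, split knowledge).
create encryption key cc_key with init_vector random dual_control
go

-- Alternative composite: the master key plus the column encryption
-- key's own password.
create encryption key cc_key_pw
    with passwd 'CekPassphrase-placeholder' dual_control
go

-- Column encrypted with the dual-controlled key.
create table customer (
    id        int      not null,
    cc_number char(16) encrypt with cc_key
)
go

-- Neither master key password is stored in the database, so each
-- custodian supplies only the password he or she knows.
set encryption passwd 'MasterPassphrase-placeholder' for key master
go
set encryption passwd 'DualPassphrase-placeholder' for key dual master
go
```

No single custodian in this sequence knows both passwords, which is the split-knowledge property: the column encryption key cc_key cannot be decrypted until both have been supplied.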
