Manage Encryption Keys

You can encrypt database columns using keys that are created with user-defined or login passwords.

Encryption Keys

In each database, you can create a key that encrypts columns. Creating a key on each database minimizes cross-database key integrity problems. Such key problems can happen in distributed systems, particularly when you are dumping and loading, or mounting and unmounting databases.

Note: You can create encryption keys only if you have:
  • The system security officer or key custodian role
  • Permission to execute create encryption key
If you are a key owner, you can allow other users to access encryption keys by either:
  • Creating an encryption key with a user-defined password and sharing that password with each user who accesses key-encrypted data, or
  • Giving each user a copy of the base encryption key and allowing him or her to change the key-copy password.

Encryption Keys with User-Defined Passwords

Using encryption keys with user-defined passwords creates a highly secure system in which even database owners and system administrators cannot access encrypted data. You can also require that the key encryption method itself use a user-defined password.

SAP ASE provides recovery for lost base-key passwords.

When data is encrypted, system security officers, key custodians, and users with permission to create encryption keys can also create base keys. System security officers can also grant base-key creation permission to users who have no other permissions.

The creator of the base key is the "key owner." To control access to encrypted data, only key owners and system security officers can change the base-key password.

Encryption Keys with Login Passwords

To prevent users from having to keep multiple passwords, you can authorize users to access encrypted data using their login password. Using login passwords to access key-encrypted data:
  • Gives users access to encrypted data without requiring them to explicitly supply passwords.

  • Involves fewer passwords for users to track.

  • Reduces the need for the key custodian to replace lost passwords.

Key Copies

Key owners can allow other users to access data by making copies of the base key, called key copies. A key copy is an additional password for the base key; it can be changed as soon as it is assigned to a user (the key-copy owner). Only the key-copy owner can change the key-copy password.

You can make key copies for designated users if you are the base-key owner or a system security officer. Key copies of the base key are not new keys themselves; they are additional passwords for the base key. Key-copy assignees should change their user-defined password as soon as the key copy is assigned to them.

The key copy is encrypted with the login password as soon as the assignee logs in and accesses the key copy.

Note: The base key can be encrypted by the system encryption password or a user-defined password. Key copies can be encrypted by a login password or by a user-defined password. The recovery key copy can be encrypted only by a user-defined password. Keys that are encrypted with the system encryption password cannot have key copies.

Key recovery requires you to create a special key copy, called the recovery key, that is designated for the recovery of the base key. If you lose your password, use the recovery key to access the base key.
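The following statements walk through the key life cycle described above (base key with a user-defined password, a key copy with its own password, a key copy tied to a login password, and the recovery key copy). This is an added example, not a script from the SAP ASE documentation: the key name, table, user names and passwords are placeholders, and the statement forms follow the SAP ASE create encryption key, alter encryption key and set encryption passwd syntax as I know it, so check the reference for your release before relying on a particular option.

```sql
-- Added example (not part of the SAP ASE documentation page). All names and
-- passwords below are placeholders; statement syntax is assumed from the
-- SAP ASE reference and should be checked against your release.

-- 1. As system security officer: let a dedicated user create keys
--    even though that user holds no other permissions.
grant create encryption key to key_custodian_user

-- 2. As the key owner: create the base key protected by a user-defined
--    password rather than the system encryption password. Only a key that
--    is not encrypted by the system encryption password can have key copies.
create encryption key ssn_key
    with passwd 'BaseKeyPass_PLACEHOLDER'

-- 3. Encrypt a column with the base key.
create table employee (
    emp_id  int      not null,
    ssn     char(11) encrypt with ssn_key
)

-- 4. As the key owner: give hr_user a key copy. The copy is an extra
--    password for the same key, not a second key.
alter encryption key ssn_key
    with passwd 'BaseKeyPass_PLACEHOLDER'
    add encryption with passwd 'TempCopyPass_PLACEHOLDER'
    for user hr_user

-- 4b. As hr_user: change the key-copy password right away. Only the
--     key-copy owner can do this; the base-key owner cannot.
alter encryption key ssn_key
    with passwd 'TempCopyPass_PLACEHOLDER'
    modify encryption with passwd 'HrOwnPass_PLACEHOLDER'

-- 5. As the key owner: give app_user a copy associated with the login
--    password, so no separate password has to be supplied or tracked.
--    The copy is re-encrypted with the login password on first access.
alter encryption key ssn_key
    with passwd 'BaseKeyPass_PLACEHOLDER'
    add encryption for user app_user
    for login_association

-- 6. As the key owner: create the recovery key copy for the key custodian.
--    The recovery copy must use a user-defined password.
alter encryption key ssn_key
    with passwd 'BaseKeyPass_PLACEHOLDER'
    add encryption with passwd 'RecoveryPass_PLACEHOLDER'
    for user key_custodian_user
    for recovery

-- 7. As hr_user: supply the key-copy password for the session, then read
--    the encrypted column. Without it the select fails on ssn.
set encryption passwd 'HrOwnPass_PLACEHOLDER' for key ssn_key
select emp_id, ssn from employee where emp_id = 42
```

Steps 4 and 4b together show why the page says assignees should change the key-copy password immediately: until they do, the person who created the copy also knows its password. Step 6 is what makes loss of the base-key password recoverable without giving the key custodian day-to-day access to the data.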
