Dual Control and Split Knowledge

Use SAP Control Center to manage dual-control and split-knowledge encryption.

You can use a combination of system keys at the database level, called the master key and the dual-master key. You must have sso_role or keycustodian_role to create the master key and dual-master key. The master key and the dual-master key must have different owners.

With SAP Control Center, you can provide passwords for the master keys using the Supply Password option for encryption keys. You can also use the Execute SQL option to provide the password using SQL. The passwords for both of these keys are not stored in the database.

Master and dual-master keys act as key encryption keys (KEKs), and protect other keys, such as column encryption keys and service keys. Once created, master and dual-master keys become the default protection method for column encryption keys. There can be only one master key and one dual-master key for a database.

The dual-master key is needed only for dual control of column encryption keys. Once the master key is created, it replaces the system encryption password as the default key encryption key for user-created keys.

A composite key, comprising the master key and dual-master key, provides dual control and split-knowledge security for all user-created keys. Alternatively, you can create a composite key using the master key and the column encryption key’s password. When master and dual-master keys are configured in a database, the combination is used to encrypt passwords when you issue create table, alter table, or select into commands specifying dual control.
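
The setup described above, written as SQL that could be run through the Execute SQL option. This is an added example, not part of the original documentation: it assumes the SAP ASE create encryption key and set encryption passwd syntax, and the database name, key names, and passphrases are constructed placeholders.

```sql
-- Added example. sales_db, cc_key, cc_key_pw and all passphrases are
-- constructed placeholders, not values from the documentation.

-- Custodian A (login with sso_role or keycustodian_role) creates the master key.
use sales_db
go
create encryption key master with passwd '<master-passphrase>'
go

-- Custodian B, a DIFFERENT login with sso_role or keycustodian_role,
-- creates the dual-master key. The two keys must have different owners,
-- so no single person ever knows both passphrases (split knowledge).
use sales_db
go
create encryption key dual master with passwd '<dual-master-passphrase>'
go

-- Neither passphrase is stored in the database, so each custodian
-- supplies their own passphrase.

-- Custodian A:
set encryption passwd '<master-passphrase>' for key master
go

-- Custodian B:
set encryption passwd '<dual-master-passphrase>' for key dual master
go

-- Column encryption key protected by the composite of the master key
-- and the dual-master key (dual control).
create encryption key cc_key with init_vector random dual_control
go

-- Alternative composite: the master key combined with the column
-- encryption key's own password instead of the dual-master key.
create encryption key cc_key_pw with passwd '<key-passphrase>' dual_control
go
```

Each custodian should run their statements in their own session so that the other custodian never sees the passphrase.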
