Downgrading an Adaptive Server That Uses Encryption

Downgrade an Adaptive Server versions 15.7 and later if you enabled 256-bit key encryption keys.

  1. Set the downgrade_kek_size configuration option to true. This means you must change the key encryption key size to 128 bits.
  2. Run sp_downgrade to find all column encryption keys (CEKs) and key copies that are protected by master keys or by dual control.
  3. Drop dual control for each CEK:
    alter encryption key keyname 
        [with passwd password
        modify encryption
        with no dual_control
  4. Use drop encryption key to drop user and login password-protected key copies.
  5. Create a system encryption password for each database that has master keys:
    sp_encryption system_encr_passwd, <password>
  6. Reencrypt each CEK with the master key:
    alter encryption key keyname
        with passwd master key
        modify encryption
        with passwd system_encr_passwd
    Note: The key owner must perform the reencryption for each CEK, or else the key ownership changes.
  7. Reencrypt all base keys that are protected by user passwords:
    alter encryption key keyname
        with passwd old_password
        modify encryption
        with passwd new_passwd
    Note: The key owner must perform the reencryption for each base key; otherwise, the key ownership changes.
Parent topic: Adaptive Server Downgrades