alter encryption key

Changes the current password, adds and drops a key copy, regenerates an encryption key.

Syntax

Altering the master key:
alter encryption key [dual] master
	with char_string { add encryption 
		{with passwd char_string for user user_name [for recovery]
		| for automatic_startup	}
	| modify encryption { with passwd char_string [for recovery]
		| for automatic_startup }
	| drop encryption
		{ for user user_name | for recovery | for automatic_startup }
	| regenerate key
		[ with passwd char_string] | recovery encryption
		with passwd char_string | modify owner user_name }
Altering the syb_extpasswdkey service key:
alter encryption key syb_extpasswdkey
	[ with { static key | master key}] 
		{ regenerate key [ with { static key | master key }]
		| modify encryption [ with { static key | master key }] }
Altering the column encryption key:
alter encryption key [[database.][owner].] keyname
	{ [ as | not default ]
	[dual] master
		[ with { static key | master key} ]
		regenerate key
		[ with { static key | master key [no] dual_control} ] | [with passwd 
		'password' | system_encr_passwd | login_passwd  |
			 'base_key_password']
	modify encryption
		[ with {passwd {'password' |  system_encr_passwd | 
				login_passwd } | master key }]
		[[no] dual_control] for automatic startup
	add encryption [ with passwd 'password' | 'key_copy_password']
		for user user_name
		[for [login_association | recovery | automatic_startup]]
	drop encryption for { user user_name | recovery 
		[ for recovery ] | [ for automatic_startup ]} 
		| [ with passwd 'password']
	recover encryption with passwd 'password'
			| modify owner user_name }

Parameters

Examples

Usage

  • If the SSO issues alter encryption key to set the key as the database default, the specified key replaces any existing key as the default.

  • If the key custodian issues alter encryption key to set a key as the database default, the specified key and the current default key (if it exists) must be owned by the key custodian.

  • Keys are owned and managed by users with keycustodian_role, the sso_role, or by users who are explicitly granted permission for the create encryption key command. Keys are used by all users who have permissions to process and see the data from encrypted columns. How the SAP ASE server protects keys affects how they are accessed:
    1. The key owner creates the key for encryption by the system encryption password – when users access the encrypted data, the SAP ASE server decrypts the base key using the system encryption password. The key owner does not create individual key copies for users.

    2. The key custodian encrypts the base key with an explicit password – rather than create key copies, the key custodian shares this password with all users who process encrypted data. Users or applications must supply this password with the set encryption passwd command to access data. See set encryption passwd.

    3. The key custodian adds key copies for end users so that users do not have to share passwords. Users must enter their key copy’s password using set encryption passwd to access encrypted columns. Alternatively, the key custodian can set up key copies for encryption by the key assignee's login password. This password does not have to be entered through set encryption passwd.

  • When you create a key using create encryption key, the SAP ASE server saves the key in encrypted form, along with the key’s properties, as a row in sysencryptkeys. This row represents the base key. The key owner can choose to allow access to encrypted data exclusively through the base key, or use alter encryption key to add key copies for individual users.

  • If you do not include the with passwd parameter with alter encryption, the SAP ASE server uses the system encryption password.

  • You cannot use the system encryption password to alter the base key of a key that has copies, and you cannot encrypt copies of keys with the system encryption password.

  • Users assigned key copies modify only their own key copies.

  • If you specify for login_association, the SAP ASE server temporarily encrypts the key copy with the system encryption password. The key copy is reencrypted by the copy owner’s login password when he or she encrypts or decrypts data with that key.

  • You cannot specify for recovery and login_association for the same key copy.
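The following is an added example, not part of the original page, that walks through the key-protection models in the usage notes above (an explicit base-key password, then per-user key copies). The key name cc_key, the user names and all passwords are placeholders; it assumes cc_key was created with create encryption key, is still protected by the system encryption password, and has no key copies yet.

```sql
-- Added example (not from the original page). cc_key, the user names and
-- the passwords are placeholders; cc_key is assumed to exist, to be encrypted
-- by the system encryption password, and to have no key copies yet.

-- Model 2: the key custodian re-encrypts the base key with an explicit
-- password. No "with passwd" is given before modify, so the server uses the
-- system encryption password to decrypt the current base key.
alter encryption key cc_key
    modify encryption with passwd 'BaseKeyPw#1'

-- Model 3: issue each user a key copy with its own password, so the base-key
-- password is never shared. The base-key password unlocks the base key; the
-- copy is encrypted with the copy password.
alter encryption key cc_key
    with passwd 'BaseKeyPw#1'
    add encryption with passwd 'AliceCopyPw#1' for user alice

-- A copy protected by the assignee's login password: bob never has to run
-- set encryption passwd. The copy stays under the system encryption password
-- until bob first uses the key, when it is re-encrypted with his login password.
alter encryption key cc_key
    with passwd 'BaseKeyPw#1'
    add encryption for user bob for login_association

-- A recovery copy so the base key can be reached if its password is lost.
-- (for recovery and for login_association cannot be combined on one copy.)
alter encryption key cc_key
    with passwd 'BaseKeyPw#1'
    add encryption with passwd 'RecoveryPw#1' for user keyadmin for recovery

-- In alice's session: unlock her copy before selecting from encrypted columns.
set encryption passwd 'AliceCopyPw#1' for key cc_key

-- alice may change only her own copy's password (she is the copy's assignee).
alter encryption key cc_key
    with passwd 'AliceCopyPw#1'
    modify encryption with passwd 'AliceCopyPw#2'

-- Base-key password lost: the recovery copy holder sets a new one.
alter encryption key cc_key
    with passwd 'RecoveryPw#1'
    recover encryption with passwd 'BaseKeyPw#2'

-- Offboarding: drop alice's copy so her copy password no longer unlocks the key.
alter encryption key cc_key
    drop encryption for user alice
```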

See also:
  • sp_encryption in Reference Manual: Procedures

  • Encrypted Column Users Guide

Permissions

The permission checks for alter encryption key differ based on your granular permissions settings.

Setting: Enabled

With granular permissions enabled, you must be a user with manage column encryption key privilege to execute alter encryption key as default or not default.

Depending on the key type, you must be the key owner or have the following privilege:
  • column encryption key – manage column encryption key

  • master key – manage master key

  • service key – manage service key

in order to:
  • Use alter encryption key to add or drop key copies, recover the key, and modify the key owner.

  • Execute alter encryption key to modify the password of the base key.

Note: You must be the user assigned the key copy to modify the key copy password. You implicitly have permission to modify your own key copy’s password.
Setting: Disabled

With granular permissions disabled, you must be a user with sso_role, or keycustodian_role to execute alter encryption key as default or not default.

You must be the system security officer or the key owner to:
  • Use alter encryption key to add or drop key copies, recover the key, and modify the key owner.

  • Execute alter encryption key to modify the password of the base key.

Note: You must be the user assigned the key copy to modify the key copy password. You implicitly have permission to modify your own key copy’s password.

Auditing

For information about auditing encrypted columns, see Auditing Encrypted Columns in the Encrypted Columns Users Guide.

Related reference
create encryption key
drop encryption key