Dropping Service Keys

The drop encryption key command ensures that there are no remaining references to the encryption key, and then deletes it. You cannot drop a nonexistent syb_extpasswdkey or syb_syscommkey_dddddd. To ensure that you delete all hidden text keys, use sp_encryption to identify all existing keys.

Prerequisites
Users must have keycustodian_role or sso_role to delete an unused service key.
Task
Note: If your ASE_ENCRYPTION license has expired, encrypted data is no longer available, and you cannot execute the drop encryption key command. Contact SAP Technical Support to obtain a temporary license.
To delete an unused service key for external logins, use:
drop encryption key syb_extpasswdkey
	with password encryption downgrade
When you specify the with password encryption downgrade parameter, SAP ASE resets external login passwords with the algorithm used in versions earlier than 15.7. The Replication Agent password and the CIS and RTMS external login passwords are reset to an invalid value. After the key is dropped, the administrator must manually reenter these passwords to resume use of the corresponding services.
To delete an unused single service key for hidden text, use:
drop encryption key syb_syscommkey_dddddd 
SAP ASE checks if there are any references to the specified key _dddddd, and drops the key if no references are found.

Because syb_syscommkey_dddddd indicates a single key, you cannot use the with text encryption downgrade parameter when you specify syb_syscommkey_dddddd.

To delete multiple keys:
drop encryption key syb_syscommkey with text encryption downgrade
  • If you specify with text encryption downgrade, you cannot name a single service key (syb_syscommkey_dddddd); you can specify only syb_syscommkey.

  • When you specify syb_syscommkey without the “dddddd” suffix, SAP ASE reencrypts all the hidden text in syscomments with the algorithm used in versions earlier than 15.7, and drops all syb_syscommkey_dddddd keys.