Working with encryption keys

It is best to choose an encryption key value that cannot be easily guessed. The key can be of arbitrary length, but generally the longer the key, the better, because a shorter key is easier to guess than a longer one. Including a combination of numbers, letters, and special characters also decreases the chances of someone guessing the key.

Encryption keys are always case sensitive, and they cannot contain leading or trailing spaces or semicolons.

You must supply this key each time you want to start the database. Lost or forgotten keys result in completely inaccessible databases.

You can choose whether the encryption key is entered at the command prompt (the default) or into a prompt box. Choosing to enter the key in a prompt box provides an extra measure of security because the key is never visible in plain sight. Clients are required to specify the key each time they start the database. In cases where the database administrator starts the database, clients never need to have access to the key. See -ep server option.

Caution

For strongly encrypted databases, be sure to store a copy of the key in a safe location. If you lose the encryption key there is no way to access the data, even with the assistance of technical support. The database must be discarded and you must create a new database.

You can change the encryption key for an encrypted database, or for a database for which table encryption has been enabled, using the CREATE ENCRYPTED FILE statement. As with encrypting the database, you are not overwriting the existing file, you are creating a copy of the file, encrypted with the new key.

To change the encryption key for a database

  1. Change the encryption key for an encrypted database using the CREATE ENCRYPTED FILE statement.

    The following example takes the database file currentkey.db, encrypted with key abc, and creates a copy of it called newkey.db, encrypting it with the key abc123.

    CREATE ENCRYPTED FILE newkey.db
    FROM currentkey.db
    KEY abc123
    OLD KEY abc
    ALGORITHM AES;
  2. Using the same encryption key information, and following the file name convention you used for the database file, encrypt the associated transaction log file(s), dbspace file(s), and mirror log file (if any), using the CREATE ENCRYPTED FILE statement. See CREATE ENCRYPTED FILE statement.
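The following statements carry the two steps above through for a complete set of files. They are an added example, not taken from the original documentation, and they assume that the transaction log is named currentkey.log, the mirror log currentkey.mlg, and the single dbspace currentkey_space.db, all encrypted with the same old key (abc) as the database.

```sql
-- Added example (not from the original documentation): rekeying a database
-- together with its transaction log, mirror log and dbspace, keeping the
-- currentkey.* / newkey.* file name convention consistent across all files.
-- Assumed file names: currentkey.log (transaction log), currentkey.mlg
-- (mirror log), currentkey_space.db (dbspace). Old key abc, new key abc123.

-- 1. Database file: a new copy newkey.db is created; currentkey.db is untouched.
CREATE ENCRYPTED FILE newkey.db
FROM currentkey.db
KEY abc123
OLD KEY abc
ALGORITHM AES;

-- 2a. Transaction log: same old key, same new key, matching new file name.
CREATE ENCRYPTED FILE newkey.log
FROM currentkey.log
KEY abc123
OLD KEY abc
ALGORITHM AES;

-- 2b. Mirror log (only if the database uses one).
CREATE ENCRYPTED FILE newkey.mlg
FROM currentkey.mlg
KEY abc123
OLD KEY abc
ALGORITHM AES;

-- 2c. Dbspace file (repeat for each dbspace the database has).
CREATE ENCRYPTED FILE newkey_space.db
FROM currentkey_space.db
KEY abc123
OLD KEY abc
ALGORITHM AES;
```

Because each statement creates a copy rather than overwriting, the currentkey.* files still exist and are still readable with the old key; once the newkey.* copies have been verified to start correctly, remove the old files so that the retired key no longer protects any live data.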