Creating the Database Encryption Key

The database encryption key (DEK) is a 256-bit symmetric AES key that is created in the master database and used to encrypt an entire database. It is itself protected (wrapped) by the master key, and optionally by the dual master key, so it is never stored in cleartext.

Before you can create a database encryption key (DEK):
  • Verify that you have a valid SAP ASE encryption feature license (ASE_ENCRYPTION)
  • Set the enable encrypted columns configuration parameter
  • Create a master key and, optionally, a dual master key in the master database; these protect the database encryption key. See Using Database-Level Master and Dual Master Keys in the Encrypted Columns Users Guide.
  • Ensure that you have the appropriate privileges:
    • If granular permission is enabled, a system permission called manage database encryption key is required to create the key.
    • If granular permission is disabled, you must have sso_role, keycustodian_role, or create encryption key permission.
Use the create encryption key command in the master database to create a database encryption key. The syntax is:
create encryption key keyname
    [for algorithm]
    for database encryption
        {[master key]
        [key_length 256]
        [init_vector random]
        [[no] dual_control]}
  • keyname – must be unique in the user's table, view, and procedure name space in the master database.
  • for algorithm – specifies the algorithm. Currently, the only supported algorithm is Advanced Encryption Standard (AES).
  • for database encryption – explicitly specifies that you are creating an encryption key to encrypt an entire database, rather than a column.
  • master key – is required for full database encryption. SAP ASE returns an error if the master key does not already exist in the master database.
  • key_length 256 – is the size, in bits, of the key you are creating. The only valid length for a database encryption key is 256; SAP ASE returns an error message if you specify any other size.
  • init_vector random – is required for full database encryption. If you specify init_vector null, as you can when creating a column encryption key, SAP ASE returns an error.
  • [no] dual_control – indicates whether the database encryption key is protected under dual control, that is, by both the master key and the dual master key. By default, dual control is not used.
This example creates a database encryption key that is protected by the master key:
sp_configure 'enable encrypted columns', 1
create encryption key master with passwd 'testpassword'
set encryption passwd 'testpassword' for key master
create encryption key dbkey for database encryption
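The following script walks through the whole procedure above end to end, including the dual master key and the dual-control form of the key. It is an added example, not code from the SAP documentation. It assumes an SAP ASE server with the ASE_ENCRYPTION license, a login that holds sso_role or keycustodian_role (or, under granular permissions, the manage database encryption key permission), that the option clauses are written exactly as the syntax block on this page shows them, and that sp_encryption helpkey is available for verification; the key names and passphrases are placeholders.

```sql
-- Added example (not SAP's own code). Assumes: ASE_ENCRYPTION licensed,
-- a login with sso_role/keycustodian_role, and isql-style 'go' batch
-- separators. Passphrases are placeholders; choose strong ones and keep
-- the master and dual master passphrases with different custodians.
use master
go

-- 1. Enable the encrypted columns feature (prerequisite for any key work).
sp_configure 'enable encrypted columns', 1
go

-- 2. Create the master key and the dual master key that protect the DEK.
--    Each is protected by its own passphrase; neither is needed again
--    unless the passphrases are not supplied for the session (step 3).
create encryption key master with passwd 'MasterKeyPassphrase_ChangeMe!'
create encryption key dual master with passwd 'DualMasterPassphrase_ChangeMe!'
go

-- 3. Supply both passphrases for this session so the server can wrap the
--    DEK it is about to create. Without the master key passphrase,
--    'create encryption key ... for database encryption' fails.
set encryption passwd 'MasterKeyPassphrase_ChangeMe!' for key master
set encryption passwd 'DualMasterPassphrase_ChangeMe!' for key dual master
go

-- 4a. A DEK protected by the master key only. Every option listed is the
--     default (and the only legal value) for a database encryption key;
--     spelling them out documents intent and makes review easier.
create encryption key dbkey_single for AES
    for database encryption
    master key
    key_length 256
    init_vector random
    no dual_control
go

-- 4b. The same key under dual control: the DEK is wrapped by both the
--     master key and the dual master key, so two custodians must each
--     supply a passphrase before the key can be used.
create encryption key dbkey_dual for AES
    for database encryption
    master key
    key_length 256
    init_vector random
    dual_control
go

-- 5. Forms that SAP ASE rejects for a database encryption key. They are
--    commented out so the script runs cleanly; uncomment one to see the
--    corresponding error message.
-- create encryption key dbkey_bad_len for database encryption key_length 128
-- create encryption key dbkey_bad_iv  for database encryption init_vector null

-- 6. Verify the keys exist in master (assumption: sp_encryption helpkey
--    is available on this release). Expect dbkey_single and dbkey_dual,
--    with the dual-control column set for dbkey_dual only.
sp_encryption helpkey
go
```

Run the script as a single isql session: the set encryption passwd statements in step 3 only apply to the session that issued them, so if you split the script across connections, step 4 fails with a missing master key password error. Back up the master key passphrases and the database encryption key as soon as they are created; the Back Up the Database Encryption Key topic below covers the key itself.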
Related concepts
Changing a Database Encryption Key
Dropping a Database Encryption Key
Back Up the Database Encryption Key
Related reference
create encryption key
drop encryption key