Creating the Database Encryption Key

The database encryption key is a 256-bit symmetric key that is created in the master database and used to encrypt a database.

Prerequisites

Before you can create a database encryption key (DEK):

Verify that you have a valid SAP ASE encryption feature license (ASE_ENCRYPTION)
Set the enable encrypted columns configuration parameter
Create a master key and optionally, a dual master key in the master database; these protect the database encryption key. See Using Database-Level Master and Dual Master Keys in the Encrypted Columns Users Guide.
Ensure that you have the appropriate privileges:
- If granular permission is enabled, a system permission called manage database encryption key is required to create the key.
- If granular permission is disabled, you must have sso_role, keycustodian_role, or create encryption key permission.

Task

Use the create encryption key command in the master database to create a database encryption key. The syntax is:

create encryption key keyname
    [for algorithm]
    for database encryption
    [with
        {[master key]
        [key_length 256]
        [init_vector random]
        [[no] dual_control]}

where:

keyname – must be unique in the user's table, view, and procedure name space in the master database.
for algorithm – specifies the algorithm. Currently, the only supported algorithm is Advanced Encryption Standard (AES).
for database encryption – explicitly specifies that you are creating an encryption key to encrypt an entire database, rather than a column.
master key – is required for full database encryption. SAP ASE returns an error if the master key does not already exist.
key_length 256 – is the size, in bits, of the key you are creating. The only valid length for a database encryption key is 256; SAP ASE returns an error message if you use any other size.
init_vector random – is required for full database encryption. If you specify init_vector null, as you can for creating a column encryption key, SAP ASE returns an error.
[no] dual control – indicates whether the database encryption key must be encrypted using dual controls. By default, dual control is not configured.

This example creates a database encryption key that is protected by the master key:

sp_configure 'enable encrypted columns', 1
create encryption key master with passwd "testpassword"
set encryption passwd 'testpassword' for key master
create encryption key dbkey for database encryption

Changing a Database Encryption Key
To change the manner a database encryption key is protected, as well as who its owner is, use the alter encryption key command.
Dropping a Database Encryption Key
To drop the database encryption key, use the drop encryption key command.

Parent topic: Full Database Encryption

Related concepts

Changing a Database Encryption Key

Dropping a Database Encryption Key

Back Up the Database Encryption Key

Related reference

create encryption key

drop encryption key

Related information

create encryption key