create encryption key

The database encryption key is a 256-bit symmetric key that is created in the master database and used to encrypt a database.

Syntax

create encryption key keyname
    [for algorithm]
    for database encryption
    [with
        {[master key]
        [key_length 256]
        [init_vector random]
        [[no] dual_control]}

Parameters

• keyname – Must be unique in the user's table, view, and procedure namespace in the current database. Specify the database name if the key is in another database, and specify the owner's name if more than one key of that name exists in the database. The default value for owner is the current user, and the default value is the current database. Only the system security officer can create keys for other users.
• algorithm – Specifies the algorithm. The only algorithm supported is Advanced Encryption Standard (AES). AES supports key sizes of 128, 192, and 256 bits, and a block size of 16 bytes. The block size is the number of bytes in an encryption unit. Large data is subdivided for encryption.
• for database encryption – Indicates that you are creating an encryption key to encrypt an entire database, rather than a column.
• master key – Creates a master key in the master database, and indicates to SAP ASE to protect the database encryption key using that key. By default, SAP ASE uses this master key (if it exists) to protect database encryption keys.
• key_length 256 – Is the size, in bits, of the key you are creating. The only valid length for a database encryption key is 256; you see an error message if you use any other size.
• init_vector random – Specifies the use of an initialization vector during encryption. When the encryption algorithm uses an initialization vector, the cipher text of two identical pieces of plain text are different, which prevents detection of data patterns. Using an initialization vector can add to the security of your data. Database encryption enforces stronger security than column encryption; if you specify init_vector null as you can for creating a column encryption key, SAP ASE returns an error.
• [no] dual control – Indicates whether the new key must be encrypted using dual controls. By default, dual control is not configured. Both the master key and dual master key must exist in the master database to use dual control.

Examples

• Example 1 – Creates a master key to protect "testkey":

  create encryption key testkey for database encryption
      with master key

• Example 2 – Creates a dual master key to protect "testkey":

  create encryption key testkey for database encryption
      with dual_control

• Example 3 – Creates both a master key and dual master key to protect "testkey":

  create encryption key testkey for database encryption
      with master key dual_control

• Example 4 – Creates a master key to protect "testkey", while explicitly excluding the dual master key:

  create encryption key testkey for database encryption
      with master key no dual_control

• Example 5 – Creates a master key to protect "testkey" while explicitly excluding a dual master key:

  create encryption key testkey for database encryption
      with no dual control

• Example 6 –

  sp_configure 'enable encrypted columns', 1
  create encryption key master with passwd "testpassword"
  set encryption passwd 'testpassword' for key master
  create encryption key dbkey for database encryption

Usage

Standards

ANSI SQL – Compliance level: Transact-SQL extension.

Permissions