Key recovery commands

Adaptive Server does not allow access to data through the recovery key copy. A key recovery copy exists only to provide a backup for accessing the base key.

Set up a recovery key copy using:

alter encryption key keyname with passwd base_key_passwd 
add encryption with passwd recovery_passwd 
for user key_recovery_user for recovery

where:

After setting the key recovery copy, the key custodian shares the password with the key recovery user, who can alter the password using:

alter encryption key keyname with passwd old_recovery_passwd 
	modify encryption with passwd new_recovery_passwd for recovery 

During key recovery, the key recovery user tells the key custodian the password of the key recovery copy. The key custodian restores access to the base key using:

alter encryption key keyname with passwd recovery_key_passwd
	recover encryption with passwd new_base_key_passwd

where:

You may also need to change ownership of the key to another key custodian. See “Changing ownership of encryption keys”.

This example shows how to set up the recovery key copy and use it for key recovery after losing a password:

  1. The key custodian creates a new encryption key protected by a password.

    create encryption key key1 for AES 
         passwd 'loseitl8ter'
    
  2. The key custodian adds a encryption key recovery copy for key1 for Charlie.

    alter encryption key key1 with passwd 'loseitl8ter'
         add encryption
         with passwd 'temppasswd'
         for user charlie
         for recovery 
    
  3. Charlie assigns a different password to the recovery copy and saves this password in a locked drawer:

    alter encryption key key1
         with passwd 'temppasswd'
         modify encryption
         with passwd 'finditl8ter'
         for recovery
    
  4. If the key custodian loses the password for base key, he can obtain the password from Charlie and recover the base key from the recovery copy using:

    alter encryption key key1
         with passwd 'finditl8ter'
         recover encryption
         with passwd 'newpasswd'
    

The key custodian now shares access to key1 with other users by sharing the base key’s password, or by dropping and adding key copies where changes in personnel have occurred.