Creating key copies

The key custodian may need to make a copy of the key temporarily available to an administrator or an operator who must load data into encrypted columns. Because this operator does not otherwise have permission to access encrypted data, he should not have permanent access to a key.

You can make key copies available to individual users as follows:

This syntax shows how to add a key encrypted using an explicit password for a designated user:

alter encryption key [database.[ owner ].]key
		with passwd 'base_key_password'
		add encryption with passwd 'key_copy_password'
		for user_name ''

where:

The following example illustrates how to set up and use key copies with an encrypted column:

  1. Key custodian Razi creates the base encryption key with a user-specified password:

    create encryption key key1 with passwd 'WorldsBiggestSecret'
    
  2. Razi grants select permission on key1 to DBO for schema creation:

    grant select on key key1 to dbo
    
  3. DBO creates schema and grants table and column-level access to Bill:

    create table employee (empname char(50), emp_salary money encrypt with      razi.key1, emp_address varchar(200))
         grant select on employee to bill
         grant decrypt on employee(emp_salary) to bill
    
  4. Key custodian creates a key copy for Bill and gives Bill the password to his key copy. Only the key custodian and Bill know this password.

    alter encryption key key1 with passwd 'WorldsBiggestSecret' 
         add encryption with passwd 'justforBill' 
         for user 'bill'
    
  5. When Bill accesses employee.emp_salary, he first supplies his password:

    set encryption passwd 'justforBill' for key razi.key1
         select empname, emp_salary from dbo.employee
    

When Adaptive Server accesses the key for the user, it looks up that user’s key copy. If no copy exists for a given user, Adaptive Server assumes the user intends to access the base key.