Adaptive Server keeps keys encrypted when not in use. There are actually two keys between the user and the data: the column-encryption key (CEK) and the key-encryption key (KEK). The CEK encrypts data and users must have access to it before they can access the encrypted data, but it cannot be stored on disk in an un-encrypted form. Instead, Adaptive Server uses a KEK to encrypt the CEK when you create or alter an encryption key. The KEK is also used to decrypt the CEK before you can access decrypted data. The KEK is derived internally from the system encryption password, a user-specified password, or a login password, depending on how you specify the key’s encryption with the create and alter encryption key statements. CEKs are stored in encrypted form in sysencryptkeys.
Key management consists of creating, dropping, and modifying encryption keys, distributing passwords, creating key copies, and providing for key recovery in the event of a lost password.
Figure 2-2 describes creating and storing a column encryption key for a create encryption key statement. The KEK is derived from a password and the KEK and the raw CEK are fed into the encryption function to produce an encrypted CEK.
Figure 2-2: Steps to create an encryption key
Figure 2-3 describes how the KEK is used during a DML operation to decrypt the CEK. The raw CEK is then used to encrypt or decrypt data.
Figure 2-3: Accessing a CEK to encrypt or decrypt on DML statement