You can use the alter encryption key command to change the current password for an encryption key:
alter encryption key [[database.][owner].] keyname [with passwd 'old_password' | system_encr_passwd | login_passwd] modify encryption [with passwd 'new_password' | system_encr_passwd | login_passwd]
where:
keyname – identifies a column encryption key.
with passwd 'old_password' – specifies the user-defined password previously specified to encrypt the base key or the key copy with a create encryption key or alter encryption key statement. The password can be up to 255 bytes long. If you do not specify with passwd on the base key, the default is the system encryption password.
with passwd 'new_password' – specifies the new password Adaptive Server uses to encrypt the column encryption key or key copy. The password can be up to 255 bytes long. If you do not specify with passwd and you are encrypting the base key, the default is system_encr_passwd.
system_encr_passwd – is the default encryption password. You cannot modify the base key to be encrypted with the system encryption password if one or more key copies already exist. This restriction prevents the key custodian from inadvertently exposing an encryption key to access by an administrator after the key custodian has set up the key for restricted use by individual users. You cannot modify key copies to encrypt using the system encryption password.
login_passwd – is the login password of the current session. You cannot modify the base key to use login_passwd for encryption. A user can modify his own key copy to encrypt with his login password.
See “Application transparency using login passwords on key copies” for alternatives to encrypting key copies with a user’s login password that do not require the key copy assignee to execute alter encryption key.
In this example, the key custodian alters the base key because the password was compromised or a user who knew the password left the company.
Key custodian Razi creates an encryption key:
create encryption key key1 with passwd 'MotherOfSecrets'
Razi shares the password on the base key with Joe and Bill, who need to process the encrypted data (no key copies are involved).
Joe leaves the company.
Razi alters the password on the encryption key and then shares it with Bill and with Pete, who is Joe’s replacement. The data does not need to be reencrypted because the underlying key has not changed, just the way the key is protected. The following statement decrypts key1 using the old password and reencrypts it with the new password:
alter encryption key key1 with passwd 'MotherOfSecrets' modify encryption with passwd 'FatherOfSecrets'
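The following Python model is an added example, not Adaptive Server code, showing why the password change above leaves the encrypted data untouched: only the password-protected wrapper around the column key is rebuilt. The function names, the PBKDF2 key derivation and the HMAC-SHA256 keystream (a stand-in for a real cipher such as AES) are assumptions made for illustration.

```python
import hashlib, hmac, os

def _derive(password: str, salt: bytes):
    # Password -> 64 bytes: first half encrypts the key, second half authenticates it.
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return k[:32], k[32:]

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher (HMAC-SHA256 in counter mode); illustrative stand-in only.
    out = bytearray()
    for i in range(0, len(data), 32):
        ctr = (i // 32).to_bytes(4, "big")
        block = hmac.new(key, nonce + ctr, hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def wrap_key(cek: bytes, password: str) -> dict:
    # Models "create encryption key ... with passwd": store the key only in wrapped form.
    salt, nonce = os.urandom(16), os.urandom(16)
    enc, mac = _derive(password, salt)
    ct = _xor_stream(enc, nonce, cek)
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def unwrap_key(blob: dict, password: str) -> bytes:
    enc, mac = _derive(password, blob["salt"])
    expect = hmac.new(mac, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, blob["tag"]):
        raise ValueError("wrong password or corrupted key")
    return _xor_stream(enc, blob["nonce"], blob["ct"])

def change_password(blob: dict, old: str, new: str) -> dict:
    # Models "alter encryption key ... modify encryption": unwrap with old, rewrap with new.
    return wrap_key(unwrap_key(blob, old), new)

def demo():
    cek = os.urandom(32)                          # the column encryption key itself
    stored = wrap_key(cek, "MotherOfSecrets")
    nonce = os.urandom(16)
    cell = _xor_stream(cek, nonce, b"constructed sample row")  # encrypted column value
    stored = change_password(stored, "MotherOfSecrets", "FatherOfSecrets")
    # 'cell' was never rewritten, yet it still decrypts with the rewrapped key.
    plain = _xor_stream(unwrap_key(stored, "FatherOfSecrets"), nonce, cell)
    try:
        unwrap_key(stored, "MotherOfSecrets")
        old_works = True
    except ValueError:
        old_works = False
    return plain, old_works

if __name__ == "__main__":
    print(demo())
```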