You can limit the power of the system administrator or DBO to access private data when you specify passwords on keys using create encryption key or alter encryption key. If keys have explicit passwords, before users can decrypt data, they need:
decrypt permission on the column
the encryption key's password
Users must also know the password to run DML commands that encrypt data.
Use create encryption key to associate a password with a key:
create encryption key [[db.][owner].]keyname [as default] [for algorithm_name] [with {[keylength num_bits] [passwd 'password_phrase'] [init_vector {NULL | random}] [pad {NULL | random}]}]
where password_phrase is a quoted alphanumeric string of up to 255 bytes in length that Adaptive Server uses to generate the key encryption key (KEK).
Adaptive Server does not save the user-specified password. It saves a string of validating bytes known as the “salt” in sysencryptkeys.eksalt, which allows Adaptive Server to recognize whether a password used on a subsequent encryption or decryption operation is legitimate for a key. You must supply the password to Adaptive Server before you can access any column encrypted by keyname.
When you create an encryption key, its entry in the sysencryptkeys table is known as the base key. For some users and applications, the base key, encrypted by either the system encryption password or by an explicit password, is sufficient. Any explicit password is shared among users requiring access to the key. Additionally, you can create key copies for different users and applications. Each key copy can be encrypted by an individual password and is stored as a separate row in sysencryptkeys. An encryption key is always represented by one base key and zero or more key copies.
This example shows how to use passwords on keys, and the key custodian’s function in setting up encryption. The password on the key is shared among all users who have a business need to process encrypted data.
Key custodian “razi” creates an encryption key:
create encryption key key1 with passwd 'Worlds1Biggest6Secret'
“razi” distributes the password to all users who need access to encrypted data.
Each user enters the password before processing tables with encrypted columns:
set encryption passwd 'Worlds1Biggest6Secret' for key razi.key1
If the key is compromised because an unauthorized user gained access to the password, “razi” alters the key to change the password.
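The following script, added here and not part of the original page, carries the key custodian workflow above through to a table with an encrypted column, a per-user key copy, and the password change "razi" performs after a compromise. The table cust, the user bob, and the two additional passwords are assumed; the alter encryption key clauses follow the Adaptive Server reference syntax for that statement.

```sql
-- Added example (not from the original page): the key-custodian workflow,
-- carried through to a table, a key copy, and a password change.
-- cust, bob and the extra passwords are assumed; razi owns the key.

-- 1. Key custodian razi creates the base key under an explicit password
--    (Adaptive Server stores only the salt in sysencryptkeys.eksalt).
create encryption key key1 with passwd 'Worlds1Biggest6Secret'
go

-- 2. A table owner protects a column with razi's key.
create table cust (
    cust_id int not null,
    ssn     char(11) encrypt with razi.key1
)
go

-- 3. First requirement from the text: decrypt permission on the column.
grant decrypt on cust(ssn) to bob
go

-- 4. Instead of sharing the base password, razi gives bob a key copy
--    encrypted under bob's own password (separate row in sysencryptkeys).
alter encryption key key1 with passwd 'Worlds1Biggest6Secret'
    add encryption with passwd 'Bobs0wnKeyC0py' for user bob
go

-- 5. Second requirement: bob supplies his copy's password in his session
--    before any DML on the column; without it the insert and select fail.
set encryption passwd 'Bobs0wnKeyC0py' for key razi.key1
go
insert cust values (1, '123-45-6789')
select ssn from cust where cust_id = 1
go

-- 6. If the base password leaks, razi changes it. Only the base key is
--    re-encrypted under the new KEK; bob's copy and the stored column
--    data are not touched, so no table rewrite is needed.
alter encryption key key1 with passwd 'Worlds1Biggest6Secret'
    modify encryption with passwd 'N3wBiggerSecret7'
go
```

Run the steps as the users named in the comments (razi for steps 1, 4 and 6; bob for step 5); each session must issue its own set encryption passwd, since the password is held per session and never written to disk.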