The system encryption password is a database-specific password. By default, Adaptive Server uses this password to encrypt keys created in a given database. Once the system security officer or key custodian has set a system encryption password, you need not specify this password to process encrypted columns. Adaptive Server internally accesses the system encryption password when it needs to encrypt or decrypt column encryption keys.
The system security officer or key custodian use sp_encryption to set the system encryption password. The system password is specific to the database using sp_encryption, and its encrypted value is stored in the sysattributes system table in that database.
sp_encryption system_encr_passwd, password
password can be as many as 255 bytes in length, and is the default method Adaptive Server uses to encrypt all keys in the selected database.
Using a system encryption password simplifies the administration of encrypted data because:
Managing passwords for keys is restricted to setting up and changing the system encryption password.
You need not specify passwords on create and alter encryption key statements.
Password distribution and recovery from lost passwords are not required.
Access control over encrypted data is enforced through decrypt permission on the column. See “Restricting decrypt permission”.
You need not make any changes to the application.
Set a system encryption password only in the database where encryption keys are created. If you choose to protect your keys with individual user passwords, you may not need to set the system encryption password. You can create encrypted columns in the same database as the keys or in other databases. See “Key protection using user-specified passwords”.
The system encryption password protects your encryption keys. Choose long and complex system encryption passwords. Longer passwords are harder to guess or crack by brute force. Include uppercase and lowercase letters, numbers, and special characters in the system encryption password. Sybase recommends that system encryption password be at least 16 bytes in length. In addition, when creating your password:
Do not use information such as your birthday, street address, or any other word or number that has anything to do with your personal life.
Do not use names of pets or loved ones.
Do not use words that appear in the dictionary or words spelled backwards.
Adaptive Server enforces compliance of the system encryption password with the minimum password length and check password for digit configuration parameters.
The system security officer or key custodian can change the system password by using sp_encryption and supplying the old password:
sp_encryption system_encr_passwd, password [ , old_password]
Periodically change the system encryption password, especially when an administrator with knowledge of the system encryption password leaves the company. When the system password is changed, Adaptive Server automatically reencrypts all keys in the database with the new password. Encrypted data is not affected when the system password is changed, in other words, data is not decrypted and reencrypted.
You can unset the system encryption password by supplying “null” as the argument for password and supplying the value for old_password. Un-set the system password only if you have dropped all the encryption keys in that database that were encrypted by the system encryption password.