Users who own master key copies can change the passwords for their key copies using:
alter encryption key [dual] master with passwd char_string modify encryption {with passwd char_string [for recovery] | for automatic_startup}
where:
char_string – (first instance) If the user is the key owner, this is the password that currently encrypts the base copy of the master or dual master key. If the user is not the key owner, this is the password that currently encrypts the user’s copy of the key.
char_string – (second instance) specifies the new password for the regular or recovery copy. Do not use this parameter to enter a password for automatic_startup copies.
for automatic_startup – generates a new key encryption key (KEK) and uses it to create a new automatic_startup key copy.
If neither for recovery nor for automatic_startup is specified, and the command is issued by the key owner, Adaptive Server alters the password of the base key copy. If the command is not issued by the key owner, Adaptive Server alters the password of the base key copy only if the current user has sso_role or keycustodian_role.
Example 1 – master key owner “Jones” creates a key copy for “Mary” using:
alter encryption key master with passwd 'unforgettablethatswhatyouare' add encryption with passwd 'just4now' for user Mary
Example 2 – “Mary” changes the password for her copy using:
alter encryption key master with passwd 'just4now' modify encryption with passwd 'maryspasswd'
Example 3 – master key owner “John” changes the password for the base key using:
alter encryption key master with passwd 'unforgettablethatswhatyouare' modify encryption with passwd 'notunforgettable'
Users with sso_role or keycustodian_role can modify the automatic_startup key copies to change their key encryption keys. For example, such a user who knows the master key password can change the key encryption key of the automatic_startup key copy using:
alter encryption key master with passwd 'unforgettablethatswhatyouare' modify encryption for automatic_startup
Adaptive Server then:
Decrypts the base master key with a key encryption key derived from the password.
Creates a new master key encryption key and replaces the old key in the master key start-up file with this new key.
Creates a new automatic_startup key copy by encrypting the master key using the new master key encryption key, and replacing the old automatic_startup key copy in sysencryptkeys with this new copy.
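The three steps above can be modelled outside the server. The following Python sketch is an added example, not Adaptive Server code: the PBKDF2 derivation, the HMAC-based wrap, the dictionaries standing in for sysencryptkeys and the master key start-up file, and all function names are assumptions made for illustration. It shows that the master key itself is unchanged by the rotation and that the old start-up file KEK no longer opens the new automatic_startup copy.

```python
import hashlib, hmac, secrets

# Model only: PBKDF2 and the HMAC-based wrap are stand-ins chosen for this
# example; the page does not name the KDF or cipher Adaptive Server uses.
def kek_from_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _stream(kek, nonce, n):
    blocks = (hmac.new(kek, b"ks" + nonce + bytes([i]), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _tag(kek, nonce, ct):
    return hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()

def wrap(kek, key):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(key, _stream(kek, nonce, len(key))))
    return nonce + ct + _tag(kek, nonce, ct)

def unwrap(kek, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(kek, nonce, ct)):
        raise ValueError("wrong KEK or damaged key copy")
    return bytes(a ^ b for a, b in zip(ct, _stream(kek, nonce, len(ct))))

def rotate_automatic_startup(key_copies, startup_file, password):
    # Step 1: decrypt the base master key with the password-derived KEK.
    master = unwrap(kek_from_password(password, key_copies["salt"]),
                    key_copies["base"])
    # Step 2: a fresh KEK replaces the old one in the start-up file.
    startup_file["kek"] = secrets.token_bytes(32)
    # Step 3: re-encrypt the same master key under the new KEK and replace
    # the old automatic_startup copy.
    key_copies["automatic_startup"] = wrap(startup_file["kek"], master)

def demo(password="constructed-sample-passwd"):
    master, salt, old_kek = (secrets.token_bytes(32), secrets.token_bytes(16),
                             secrets.token_bytes(32))
    key_copies = {"salt": salt,   # constructed stand-in for sysencryptkeys
                  "base": wrap(kek_from_password(password, salt), master),
                  "automatic_startup": wrap(old_kek, master)}
    startup_file = {"kek": old_kek}  # stand-in for the master key start-up file
    rotate_automatic_startup(key_copies, startup_file, password)
    return master, old_kek, key_copies, startup_file
```

In this model a wrong master key password fails at step 1, so neither the start-up file nor the automatic_startup copy is touched.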