Adaptive Server allows users to create database-level encryption keys called the master key and the dual master key. These keys both act as key encryption keys, and are used to protect other keys, such as column encryption keys and service keys. Once created, master keys become the default protection method for column encryption keys. The dual master key is required only for dual control of column encryption keys.
Only users with sso_role or keycustodian_role can create the master key and dual master key. There can only be one master and one dual master key for a database.
The master key and the dual master key must have different owners. You can provide passwords for the master keys using either isql, or through a server-private file that is accessible only by the Adaptive Server. The passwords to these keys are not stored in the database.