You can secure column encryption keys with dual control using the create encryption key command.
If you specify create encryption key with dual_control, but do not specify a user password, the column encryption key is protected by the master key and the dual master key.
If you specify with dual_control and include a user-specific password, the column encryption key is protected by the master key and the user password.
Example 1 – protects CEK “Reallysecret” with both the master and dual master keys and fails, unless both keys exist in the database:
create encryption key Reallysecret with init_vector random dual_control
Example 2 – encrypts CEK “k3” with both the master key and user password “Whybother”:
create encryption key k3 with passwd 'Whybother' dual_control
See “Changing a key’s protection method” to alter existing keys to use dual control.
