Change the master and dual master keys periodically. Each time you change them, you must also reencrypt all column encryption keys using the new master and dual master keys. To automate this process, Adaptive Server provides the regenerate key option, which replaces the master or dual master key value with a new value and reencrypts all column encryption keys that are currently encrypted by the master or dual master key being regenerated:
alter encryption key [dual] master with passwd char_string regenerate key [with passwd char_string]
When the regenerate key command is executed, Adaptive Server:
Validates that the supplied password decrypts the base master or dual master key.
Creates a new master or dual master key.
Decrypts all column encryption keys that are encrypted either solely or partially by the master or dual master key. Adaptive Server reencrypts them using the new master or dual master key.
Replaces the base master or dual master key with the new key encrypted by the second password. If the second password is not supplied, Adaptive Server uses the currently configured password to encrypt the new key.
Drops the regular key copies. The master key owner must re-create regular key copies for designated users using alter encryption key.
Drops the key recovery copy. The master key owner must add a new recovery key copy using alter encryption key, and inform the recovery key owners of the new password.
Replaces the automatic_startup copy with a new key copy created by encrypting the new master key with a new randomly generated master key encryption key. Adaptive Server writes the new master key encryption key into the master key start-up file.
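The sequence a master key owner would run around a regeneration, as an added example that is not part of the original documentation. The passwords are placeholders and the user names (key_user1, recovery_user1) are hypothetical; the add encryption clauses follow the alter encryption key syntax of Adaptive Server and should be confirmed against the reference manual for your version.

```sql
-- Added example: placeholder passwords, hypothetical user names.
-- Run as the master key owner, from isql.

-- 1. Regenerate the master key. The first password must decrypt the
--    current base master key; the second encrypts the new key. Omit the
--    second "with passwd" clause to keep the currently configured password.
alter encryption key master
    with passwd '<current_master_passwd>'
    regenerate key with passwd '<new_master_passwd>'
go

-- 2. Regular key copies were dropped by the regeneration.
--    Re-create one for each designated user.
alter encryption key master
    with passwd '<new_master_passwd>'
    add encryption with passwd '<key_copy_passwd>'
    for user key_user1
go

-- 3. The key recovery copy was dropped as well. Add a new one and pass
--    its password to the recovery key owner out of band.
alter encryption key master
    with passwd '<new_master_passwd>'
    add encryption with passwd '<recovery_passwd>'
    for user recovery_user1
    for recovery
go

-- 4. No statement is needed for the automatic_startup copy: Adaptive
--    Server replaces it and rewrites the master key start-up file itself.

-- For the dual master key, repeat step 1 with "dual master" in place of
-- "master" and that key's own passwords.
```

Until steps 2 and 3 are done, users who relied on a key copy and the recovery key owner have no copy of the master key protected by their own passwords.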