Users or master key owners with sso_role or keycustodian_role can create copies of master keys. You may need a key copy to:
Provide access to the master key or dual master key for unattended start-up of the Adaptive Server. Such a key copy is referred to as the automatic_startup copy.
Support recovery of the master keys should their passwords be lost. Such a key copy is referred to as the recovery copy. See Chapter 8, “Recovering Keys from Lost Passwords.”
Allow a user other than the base key owner to set up encryption passwords for the master or dual master key. This key copy is referred to as a regular copy.
To add master key copies in a database, use:
alter encryption key [dual] master
    with passwd char_string
    add encryption
    {with passwd char_string for user user_name [ for recovery ]
    | [ for automatic_startup ] }
where:
char_string – (first reference) specifies the password that currently encrypts the base copy of the master or dual master key.
char_string – (second reference) specifies the password for the regular or recovery copy. It must not be used for automatic_startup copies.
for user – indicates the user to whom the regular or recovery copy must be assigned. Do not use this parameter to enter a password for automatic_startup copies.
for recovery – indicates that the key copy is to be used to recover the master key in case the password is lost.
for automatic_startup – indicates that the key copy is to be used to access the master or dual master key after the server is restarted with automatic master key access enabled.
Example 1 – master key owner creates a key copy for Mary:
alter encryption key master with passwd 'unforgettablethatswhatur' add encryption with passwd 'just4now' for user mary
Example 2 – dual master key owner Smith creates a key copy for automatic_startup with:
alter encryption key dual master with passwd 'Never4Getable' add encryption for automatic_startup
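The parameter rules above can be checked mechanically before a change script is run. The following Python sketch is an added example, not part of the original documentation or of Adaptive Server: it classifies an add encryption statement as a regular, recovery or automatic_startup copy and reports clause combinations the parameter descriptions rule out. The function name classify_key_copy, the regular expressions, and the third sample statement are assumptions of this example.

```python
import re

# Statement shape follows the syntax line on this page. The regexes are this
# example's own reading of it, not ASE's parser; assumes no quote inside a password.
_STMT = re.compile(
    r"^\s*alter\s+encryption\s+key\s+(?:dual\s+)?master\s+with\s+passwd\s+'[^']*'"
    r"\s+add\s+encryption(?P<tail>.*?);?\s*$",
    re.IGNORECASE | re.DOTALL,
)
_LITERAL = re.compile(r"'[^']*'")


def classify_key_copy(stmt):
    """Return (copy_type, problems); password values are never returned."""
    m = _STMT.match(stmt)
    if m is None:
        return None, ["not a master key 'add encryption' statement"]
    # Blank out string literals so keywords inside a password are not matched.
    tail = _LITERAL.sub("''", m.group("tail")).lower()
    has_passwd = re.search(r"\bwith\s+passwd\s+''", tail) is not None
    has_user = re.search(r"\bfor\s+user\s+\w+", tail) is not None
    is_recovery = re.search(r"\bfor\s+recovery\b", tail) is not None
    problems = []
    if re.search(r"\bfor\s+automatic_startup\b", tail):
        kind = "automatic_startup"
        if has_passwd:
            problems.append("automatic_startup copy must not be given a password")
        if has_user:
            problems.append("automatic_startup copy must not use 'for user'")
        if is_recovery:
            problems.append("'for recovery' and 'for automatic_startup' are alternatives")
    else:
        kind = "recovery" if is_recovery else "regular"
        if not has_passwd:
            problems.append(f"{kind} copy needs its own 'with passwd'")
        if not has_user:
            problems.append(f"{kind} copy needs 'for user user_name'")
    return kind, problems


if __name__ == "__main__":
    samples = [  # Examples 1 and 2 from this page, then a constructed invalid statement
        "alter encryption key master with passwd 'unforgettablethatswhatur' add encryption with passwd 'just4now' for user mary",
        "alter encryption key dual master with passwd 'Never4Getable' add encryption for automatic_startup",
        "alter encryption key master with passwd 'constructed-base' add encryption with passwd 'constructed-copy' for automatic_startup",
    ]
    for s in samples:
        print(classify_key_copy(s))
```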