Adaptive Server keeps keys encrypted when they are not in use. Users must have access to the column encryption key (CEK) before they can access encrypted data, but the CEK must be encrypted before you store it on disk or in memory. Adaptive Server encrypts the CEK using a key encryption key (KEK) and stores it in encrypted form in sysencryptkeys. The KEK is also used to decrypt the CEK, allowing you to access decrypted data. See “Key encryption”.
CEK management includes creating, dropping, and modifying column encryption keys, distributing passwords, creating key copies, and providing for key recovery in the event of a lost password.