Protecting column encryption keys with the master key

The master key is a database-level key created by a user with the sso_role or keycustodian_role, and is used as a KEK for user-created encryption keys. Once created, the master key replaces the system encryption password as the default KEK for user-created keys. Although Adaptive Server supports the system encryption password for compatibility with versions earlier than 15.7, Sybase recommends that you use the master key.

You can use the master key with the dual master key to create a composite key that provides dual control and split knowledge for all user-created keys. You can also create a composite key by using the master key with a CEK’s explicit password.

Using a master key simplifies the administration of encrypted data because:

The syntax for creating a master key is:

create encryption key master
	[for AES] with passwd char_literal

See the Reference Manual: Commands.
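
The following sequence is an added example, not taken from the Sybase documentation. It shows the three protection modes described above: master key alone, master key with the dual master key, and master key with a CEK's explicit password. The database, table, key names, and passwords are constructed placeholders; the statements other than create encryption key master use Adaptive Server 15.7 syntax that this page does not show, so check them against the Reference Manual: Commands.

```sql
-- Added example: all object names and passwords are constructed placeholders.
use sales_db          -- hypothetical database; the master key is database-level
go

-- 1. A user with sso_role or keycustodian_role creates the master key.
create encryption key master
    for AES with passwd 'Placeholder-Master-Pw-1'
go

-- 2. A second custodian creates the dual master key, so that no single
--    person knows both passwords (split knowledge).
create encryption key dual master
    for AES with passwd 'Placeholder-Dual-Pw-2'
go

-- 3. Each custodian supplies their own password so both keys are
--    available to protect the CEKs created below.
set encryption passwd 'Placeholder-Master-Pw-1' for key master
go
set encryption passwd 'Placeholder-Dual-Pw-2' for key dual master
go

-- 4. Master key alone: with no passwd clause, the master key is the
--    default KEK for a user-created key.
create encryption key cc_key for AES with keylength 256
go

-- 5. Composite KEK from master key + dual master key (dual control).
create encryption key pay_key for AES with keylength 256 dual_control
go

-- 6. Composite KEK from master key + the CEK's explicit password.
create encryption key hr_key for AES
    with passwd 'Placeholder-CEK-Pw-3' dual_control
go

-- 7. Columns reference the CEK by name; the KEK arrangement is
--    transparent to the table definition.
create table customer (
    id        int       not null,
    cc_number char(16)  encrypt with cc_key
)
go
```

Keep the literal passwords out of saved scripts and shell history; in practice each custodian enters their own password interactively in their own session.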