Service keys are 256-bit, persistent encryption keys that are used to strongly encrypt external login passwords and hidden text, and are stored in sysencryptkeys.
Encrypt service keys using either:
A static key – the default key encryption key for service keys, which can be used if no master key has been created in the current database. With this method, Adaptive Server can use service keys after an unattended startup.
The master key – provides stronger protection than a static key. Adaptive Server requires the password to decrypt the database-specific master key.
The database objects that describe these service keys include:
syb_extpasswdkey – identifies the service key for encryption of external login passwords in sysattributes. Only one syb_extpasswdkey exists for any database. When the syb_extpasswdkey is changed, all data encrypted using the key is reencrypted using the new key.
Although external login passwords are generally stored in the master database, RepAgent stores this information in replicate databases.
syb_syscommkey_dddddd – identifies the service key for encryption of hidden text in syscomments, where “dddddd” is a global identifier generated by Adaptive Server to uniquely identify the key. The global identifier is included with the name to distinguish names when there are many syb_syscommkey keys associated with the same object. The global identifier distinguishes the key in both the local database and the replicate database.
Strong encryption of hidden text requires a service key in each database where sp_hidetext is executed to hide SQL text. When a new service key is created, any existing service key in the database persists until explicitly dropped, and any hidden text is not reencrypted until you reissue sp_hidetext.
The system encryption password does not encrypt service keys.