You can use the alter encryption key command to change the protection method for an encryption key:
alter encryption key [[database.][owner].] keyname
    [with {passwd {'old_passwd' | system_encr_passwd | login_passwd} | master key}]
    modify encryption
    [with [{passwd {'new_passwd' | system_encr_passwd | login_passwd} | master key}]
    [[no] dual_control]]
where:
keyname – identifies a column encryption key.
with passwd 'old_password' – specifies the user-defined password previously specified to encrypt the base key or the key copy with a create encryption key or alter encryption key statement. The password can be up to 255 bytes long. If you do not specify with passwd on the base key, the default is the master key or the system encryption password.
with passwd 'new_password' – specifies the new password Adaptive Server uses to encrypt the column encryption key or key copy. The password can be up to 255 bytes long. If you do not specify with passwd and you are encrypting the base key, the default is system_encr_passwd.
system_encr_passwd – is the default encryption password. You cannot modify the base key to be encrypted with the system encryption password if one or more key copies already exist. This restriction prevents the key custodian from inadvertently exposing an encryption key to access by an administrator after the key custodian has set up the key for restricted use by individual users. You cannot modify key copies to encrypt using the system encryption password.
login_passwd – is the login password of the current session. You cannot modify the base key to be encrypted with login_passwd. A user can modify his own key copy to encrypt it with his login password.
See “Application transparency using login passwords on key copies” for alternatives to encrypting key copies with a user’s login password that do not require the key copy assignee to execute alter encryption key.
master key – in the first instance indicates that the current encryption uses the master key. In the second instance, it indicates that the CEK must be re-encrypted with the master key.
Example 1: In this example, the key custodian alters the base key because the password was compromised or a user who knew the password left the company.
Key custodian “razi” creates an encryption key:
create encryption key key1 with passwd 'MotherOfSecrets'
“razi” shares the password on the base key with “joe” and “bill”, who need to process the encrypted data (no key copies are involved).
“joe” leaves the company.
“razi” alters the password on the encryption key and then shares it with “bill” and with “pete”, who replaces “joe”. The data does not need to be re-encrypted because the underlying key has not changed, just the way the key is protected. The following statement decrypts key1 using the old password and re-encrypts it with the new password:
alter encryption key key1 with passwd 'MotherOfSecrets' modify encryption with passwd 'FatherOfSecrets'
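The rotation in Example 1 end to end, as an added worked script (not part of the original page) meant to be run by the key custodian in isql. It assumes the encrypted columns feature is licensed and enabled, that the custodian holds keycustodian_role, and that the database "hr", the table "customer" and its rows are hypothetical. The `set encryption passwd` statement is the separate ASE command a session uses to unlock a password-protected key; it is included here to show that the key's password changes while the stored column data does not.

```sql
-- Added example (not from the original page). Assumes ASE with encrypted
-- columns enabled; database "hr" and table "customer" are hypothetical.
use hr
go

-- 1. Key custodian "razi" creates the base key, protected by a password.
create encryption key key1 with passwd 'MotherOfSecrets'
go

-- 2. A table encrypts one column with that key.
create table customer (
    cust_id   int       not null,
    ssn       char(11)  encrypt with key1
)
go

-- 3. A session must supply the key's password before it can use the
--    encrypted column (the session also needs decrypt permission on it).
set encryption passwd 'MotherOfSecrets' for key key1
go
insert customer values (1, '123-45-6789')
go

-- 4. "joe" leaves. Rotate the password on the base key. The key material
--    is unchanged, so rows in "customer" are not rewritten; only the stored
--    copy of key1 is decrypted with the old password and re-encrypted with
--    the new one.
alter encryption key key1 with passwd 'MotherOfSecrets'
    modify encryption with passwd 'FatherOfSecrets'
go

-- 5. Sessions for "bill" and "pete" now unlock key1 with the new password;
--    the old password no longer decrypts the key, so "joe" cannot use it.
set encryption passwd 'FatherOfSecrets' for key key1
go
select cust_id, ssn from customer
go
```

Because the column data is untouched, the rotation completes in one catalog update rather than a table rewrite, which is why changing the protection password is the right response to a disclosed password; it does not, however, revoke access for a session that already unlocked the key with the old password, so such sessions should be terminated.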
Example 2: Use the master key to encrypt an existing CEK “k2”:
alter encryption key k2 with passwd 'goodbye' modify encryption with master key
Example 3: Re-encrypt an existing CEK “k3” that is currently encrypted by the master key, to use dual control:
alter encryption key k3 modify encryption with master key dual_control
You can omit with master key in this example to achieve the same encryption.
Example 4: Re-encrypt an existing CEK “k4” that is currently encrypted by the master key and password “k4_password”, to remove dual control. The CEK and all its key copies are controlled by a single key derived from “k4_new_password”:
alter encryption key k4 with passwd 'k4_password' modify encryption with passwd 'k4_new_password' no dual_control
Example 5: Encrypt an existing CEK “k5” that is currently encrypted by the master key, for dual control encrypted by the master key and password “k5_password”:
alter encryption key k5 modify encryption with passwd 'k5_password' dual_control
Example 6: Encrypt a CEK for dual control by the master key and password “k6_password”:
create encryption key k6 with passwd 'k6_password' dual_control
For user “ned”, add a key copy of CEK “k6” (whose base key is under dual control by the master key and password “k6_password”) that is itself under dual control by the master key and password “k6_ned_password”:
alter encryption key k6 with passwd 'k6_password' add encryption with passwd 'k6_ned_password' for user ned
User “ned” cannot change the dual control property of his key copy.
Example 7: Re-encrypt a CEK “k7” that is currently under dual control by the master key and the dual master key, to use the system encryption password:
alter encryption key k7 modify encryption with passwd system_encr_passwd no dual_control