Creating a Database Encryption Key

Create a database encryption key using a specified encryption method.

Before you can create a database encryption key (DEK):
  • Verify that you have a valid SAP ASE encryption feature license (ASE_ENCRYPTION)
  • Create a key encryption key (KEK). This can be a master key or dual master key; these both protect the database encryption key (DEK). See Using Database-Level Master and Dual Master Keys in the Encrypted Columns Users Guide.
  • Set the sp_configure enable encrypted columns configuration parameter.
  • Ensure that you have the appropriate privileges. With:
    • Granular permissions enabled – you must have permission to execute manage database encryption key to create a database encryption key.
    • Granular permissions disabled – you must have sso_role, keycustodian_role, or execute permission on the create encryption key command.
  1. In the left pane of the Administration Console, expand ASE Servers > Security > Encryption Keys
  2. Click Database Encryption Keys
  3. Select New
  4. In the Introduction screen, select:
    • The server where the encryption key is being defined
    • The key owner
    These fields are cannot be modified if you do not have:
    • Any servers enabled for database encryption
    • A master key for the master database in your selected server
  5. On the Encryption Key Name screen, enter a database encryption key name.
  6. On the Algorithm screen, select with dual master key if there is a dual master key in the master database.
  7. (Optional) Click Summary to verify your settings:
    • Key name
    • Key length – 256.
    • Encrypted by – master key.
    • Initialization vector – random.
    • Encrypted by dual_control(master key + dual master key) – if you selected with dual master key on the Algorithm screen.
Related concepts
Manage Encryption Keys
Dual Control and Split Knowledge