You can encrypt database columns using keys that are created with user-defined or login passwords.
In each database, you can create a key that encrypts columns. Creating a key in each database minimizes cross-database key integrity problems. Such key problems can happen in distributed systems, particularly when you are dumping and loading, or mounting and unmounting databases.
Using encryption keys with user-defined passwords creates a highly secure system in which even database owners and system administrators cannot access encrypted data. You can also require that the key encryption method itself use a user-defined password.
SAP ASE provides recovery for lost base-key passwords.
When data is encrypted, system security officers, key-custodians, and users with permission to create encryption keys can also create base keys. System security officers can also grant base key creation permission to users who have no other permissions.
The creator of the base key is the "key owner." To control access to encrypted data, only key owners and system security officers can change the base-key password.
Key owners can allow data access to other users by making copies of the base key—called key copies. A key copy is an additional password for the base key that can be changed as soon as it is assigned to a user, or key-copy owner. Only the key-copy owner can change the key-copy password.
You can make key copies for designated users if you are the base-key owner or a system security officer. Key copies of the base key are not new keys themselves; they are additional passwords for the base key. Key-copy assignees should change their user-defined password as soon as the key copy is assigned to them.
The key copy is encrypted with the login password as soon as the assignee logs in and accesses the key copy.
Key recovery requires you to create a special key copy, called the recovery key, that is designated for the recovery of the base key. If you lose your password, use the recovery key to access the base key.
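The following sequence walks through the lifecycle described above: base key, key copy, key-copy password change, recovery key, and recovery. It is an added example, not taken from the SAP ASE documentation; all object names, user names, and passwords are hypothetical, and the statement forms should be checked against the Reference Manual for your release.

```sql
-- Constructed example: cc_key, customer, teller1, key_recoverer and all
-- passwords are hypothetical placeholders.

-- 1. Key owner: create the base key, protected by a user-defined password.
create encryption key cc_key with passwd 'Base#Key2Pass'
go

-- 2. Key owner: encrypt a column with the key.
create table customer (
    id      int      not null,
    card_no char(16) null encrypt with cc_key
)
go

-- 3. Key owner (or system security officer): make a key copy for teller1.
--    The copy is an additional password for cc_key, not a new key.
alter encryption key cc_key
    with passwd 'Base#Key2Pass'
    add encryption with passwd 'Temp#Copy1Pass'
    for user teller1
go

-- 4. teller1: replace the assigned password immediately. Only the key-copy
--    owner can change the key-copy password.
alter encryption key cc_key
    with passwd 'Temp#Copy1Pass'
    modify encryption with passwd 'Teller#Own9Pass'
go

-- 5. teller1: supply the key-copy password for the session, then read data.
set encryption passwd 'Teller#Own9Pass' for key cc_key
select card_no from customer where id = 1
go

-- 6. Key owner: create the recovery key, a key copy designated for recovery.
alter encryption key cc_key
    with passwd 'Base#Key2Pass'
    add encryption with passwd 'Recov#Copy3Pass'
    for user key_recoverer
    for recovery
go

-- 7. Base-key password lost: use the recovery key password to set a new
--    base-key password.
alter encryption key cc_key
    with passwd 'Recov#Copy3Pass'
    recover encryption with passwd 'New#Base4Pass'
go
```

After step 7 the old recovery password should be treated as exposed, so create a fresh recovery key copy with a new password.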