create encryption key

Description

Creates encryption keys. All the information related to keys and encryption is encapsulated by create encryption key, which allows you to specify the encryption algorithm and key size, the key’s default property, an optional user-specified password to encrypt the key, as well as the use of an initialization vector or padding during the encryption process.

Adaptive Server uses Security Builder Crypto for key generation and encryption.

Syntax

Create the master key:

create encryption key [dual] master
	[for AES] with passwd char_literal

Create the service key:

create encryption key syb_extpasswdkey 
	[ with { static key | master key }]
create encryption key syb_syscommkey
		[ with { static key | master key }] 

Create the column encryption key:

create encryption key [[database.][owner].]keyname
	[as default]
	[for algorithm_name]
	[with {[{passwd {char_literal | system_encr_passwd} | master key}]
	[keylength num_bits]
	[init_vector {null | random}]
	[pad {null | random}]
	[[no] dual_control]}]

Parameters

keyname

must be unique in the user’s table, view, and procedure name space in the current database. Specify the database name if the key is in another database; specify the owner name if you are creating a key for another user. The default value for owner is the current user, and the default value for database is the current database. Only the system security officer can create keys for other users.

as default

allows the system security officer or the key custodian to create a database default key for encryption. The existence of a database default encryption key enables the table creator to specify encryption without using a keyname on create table, alter table, and select into. Adaptive Server uses the default key from the same database. The default key may be changed. See alter encryption key.

for algorithm_name

specifies the algorithm you are using. Advanced Encryption Standard (AES) is the only algorithm supported. AES supports key sizes of 128 bits, 192 bits, and 256 bits, and a block size of 16 bytes.

for AES

uses the Advanced Encryption Standard (AES) encryption algorithm to encrypt data.

syb_extpasswdkey | syb_syscommkey
  • syb_extpasswdkey – all external passwords in sysattributes are reencrypted with the new key using strong encryption

  • syb_syscommkey – any subsequent execution of sp_hidetext uses the new key with strong encryption. sp_hidetext must be executed on an existing database object for the object to be encrypted with the new key

static key | master key

indicates whether the service key is protected by the static key or by the master key.

keylength num_bits

the size, in bits, of the key to be created. For AES, valid key lengths are 128, 192, and 256 bits. The default key length is 128 bits.

passwd char_literal

is a quoted alphanumeric string of up to 255 bytes in length that Adaptive Server uses to generate the key that encrypts the column encryption key (the key encryption key). The password itself is never stored; see Usage.

init_vector random

specifies use of an initialization vector during encryption. When the encryption algorithm uses an initialization vector, two identical pieces of plaintext encrypt to different ciphertext, so an attacker who reads the encrypted column cannot tell which rows hold the same value or detect other patterns in the data. Use an initialization vector to increase the security of your data.

An initialization vector has some performance implications. Index creation, and optimized joins and searches, can be performed only on a column for which the encryption key does not specify an initialization vector, because those operations depend on equal plaintext values producing equal ciphertext.

The default is to use an initialization vector, that is, init_vector random. Use of an initialization vector implies using a cipher-block chaining (CBC) mode of encryption; setting init_vector null implies the electronic codebook (ECB) mode, in which equal plaintext blocks always produce equal ciphertext blocks.

init_vector null

omits the use of an initialization vector when encrypting. This makes the column suitable for supporting an index.

pad null

is the default, which omits random padding of data. You cannot use padding if the column must support an index.

pad random

data is automatically padded with random bytes before encryption. You can use padding instead of an initialization vector to randomize the cipher text. Padding is suitable only for columns whose plaintext length is less than half the block length. For the AES algorithm, the block length is 16 bytes, so padding is appropriate only for plaintext shorter than 8 bytes.
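The index trade-off described under init_vector and pad, as an added worked example (this is not from the original page): one key keeps the default initialization vector for columns that are only ever read back, and one key specifies init_vector null and pad null so that its column can carry an index. The key, table and column names are made up; the encrypt column option of create table and the isql go batch separator are assumed from the rest of Adaptive Server rather than taken from this page.

```sql
-- Key for columns that are never searched or indexed: CBC with a random IV
-- (the default), so two employees with the same salary do not produce the
-- same ciphertext. It is also made the database default key.
create encryption key cbc_key as default for AES
    with keylength 256 init_vector random pad null
go

-- Key for a column that must carry an index: no IV (ECB) and no padding,
-- because the index relies on equal plaintext giving equal ciphertext.
create encryption key idx_key for AES
    with keylength 128 init_vector null pad null
go

-- Made-up table: the encrypt column option names the key, or omits it to
-- use the database default key (cbc_key).
create table employee (
    emp_id  int           not null,
    ssn     char(11)      encrypt with idx_key,   -- indexable
    salary  numeric(12,2) encrypt,                -- default key, cbc_key
    notes   varchar(200)  encrypt with cbc_key
)
go

-- Allowed: idx_key specifies neither an IV nor padding.
create index employee_ssn_idx on employee (ssn)
go

-- Rejected: salary is encrypted with a key that uses an IV, so rows with
-- the same salary hold different ciphertext and cannot be indexed.
-- create index employee_salary_idx on employee (salary)
```

The price of the indexable column is visible in the design: every row with the same ssn value stores the same ciphertext under idx_key, so choose init_vector null only for columns whose value distribution does not itself leak something worth protecting.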

[no] dual_control

indicates whether the key is protected under dual control. Under dual control, the key encryption key is derived from two components rather than one (in Example 6, the master key combined with a user-specified password), so no single secret is sufficient to recover the key.

Examples

Example 1

Specifies a 256-bit key called “safe_key” as the database default key. The system security officer enters:

create encryption key safe_key as default for AES with keylength 256

Example 2

Creates a 128-bit key called “salary_key” for encrypting columns using random padding:

create encryption key salary_key for AES with init_vector null pad random

Example 3

Creates a 192-bit key named “mykey” for encrypting columns using an initialization vector:

create encryption key mykey for AES with keylength 192 init_vector random

Example 4

Creates a key that is protected by a user-specified password:

create encryption key key1 with passwd 'Worlds1Biggest6Secret'

You must enter user-specified passwords that protect keys before accessing a column encrypted by the key. See set.
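Supplying the password before use, as an added example that is not part of the original page: the key from Example 4 protects a column, and a session must provide the password with set encryption passwd before it can encrypt or decrypt that column. The syntax of set encryption passwd is assumed from the set command the text refers to, and the table and column names are made up.

```sql
-- Key encryption key derived from a user-supplied password rather than
-- from the master key or the system encryption password.
create encryption key key1 for AES
    with passwd 'Worlds1Biggest6Secret' keylength 256
go

-- Made-up table with one column protected by key1.
create table bonus (
    emp_id  int           not null,
    amount  numeric(12,2) encrypt with key1
)
go

-- In a fresh session the server does not know the password (only the
-- salt in sysencryptkeys.eksalt is stored), so this insert is rejected:
-- insert into bonus values (1, 5000.00)

-- Supply the password for this session; the column is then usable.
set encryption passwd 'Worlds1Biggest6Secret' for key key1
go
insert into bonus values (1, 5000.00)
select emp_id, amount from bonus
go
```

Because the password is held only for the session that entered it, an application that reads or writes such a column must run set encryption passwd after every connection is established, and the password must be supplied again before the key can be altered or the data decrypted after a server restart.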

Example 5

Specifies a 256-bit key called “safe_key” as the database default key. Because the key does not specify a password, Adaptive Server uses the database-level master key as the key encryption key for safe_key. If there is no master key, Adaptive Server uses the system encryption password:

create encryption key safe_key as default for AES with keylength 256

Example 6

Encrypts the column encryption key k3 under dual control, using a combination of the master key and the password “Whybother”. The second statement creates a 192-bit key k1 with no password; as in Example 5, it is protected by the master key, or by the system encryption password if no master key exists:

create encryption key k3 with passwd 'Whybother' dual_control
create encryption key k1 with keylength 192

Usage

Adaptive Server does not save the user-specified password. It saves a string of validating bytes known as the “salt” in sysencryptkeys.eksalt, which allows Adaptive Server to recognize whether a password used on a subsequent encryption or decryption operation is legitimate for a key. You must supply the password to Adaptive Server before you can access any column encrypted by keyname.

Permissions

The system security officer and the key custodian have implicit permission to create encryption keys. The system security officer may grant that permission to other users.

Default keys can be created only by the system security officer and the key custodian.

See also

Commands: alter encryption key, drop encryption key, grant, revoke

Documentation: For information about auditing, see Chapter 6, “Auditing Encrypted Columns,” in the User Guide for Encrypted Columns.