alter encryption key

Description

Changes the current password of an encryption key, adds or drops a key copy, or regenerates an encryption key.

For more information about encrypted columns, see the Encrypted Column Users Guide.

Syntax

Altering the master key:

alter encryption key [dual] master
	with char_string { add encryption 
		{with passwd char_string for user user_name [for recovery]
		| for automatic_startup	}
	| modify encryption { with passwd char_string [for recovery]
		| for automatic_startup }
	| drop encryption
		{ for user user_name | for recovery | for automatic_startup }
	| regenerate key
		[ with passwd char_string] | recovery encryption
		with passwd char_string | modify owner user_name }

Altering the syb_extpasswdkey service key:

alter encryption key syb_extpasswdkey
	[ with { static key | master key}] 
		{ regenerate key [ with { static key | master key }]
		| modify encryption [ with { static key | master key }] }

Altering the column encryption key:

alter encryption key [[database.][owner].] keyname
	{ [ as | not default ]
	[dual] master
		[ with { static key | master key} ]
		regenerate key
		[ with { static key | master key [no] dual_control} ] | [with passwd 
		'password' | system_encr_passwd | login_passwd  |
			 'base_key_password']
	modify encryption
		[ with {passwd {'password' |  system_encr_passwd | 
				login_passwd } | master key }]
		[[no] dual_control] for automatic startup
	add encryption [ with passwd 'password' | 'key_copy_password']
		for user user_name
		[for [login_association | recovery | automatic_startup]]
	drop encryption for { user user_name | recovery
		[ for recovery ] | [ for automatic_startup ]}
		| [ with passwd 'password']
	recover encryption with passwd 'password'
			| modify owner user_name }

Parameters

keyname

is the name for a column encryption key.

as [not] default

indicates that the database default property should be assigned to, or unassigned from, this key.

[dual] master

database level keys used to encrypt other keys within the database in which they are defined. These keys are not used to encrypt data.

static key | master key

The first instance of the with {static key | master key} clause is merely an assertion of how the syb_extpasswdkey is currently encrypted. Because Adaptive Server knows how syb_extpasswdkey is currently encrypted, this clause is optional.

The second instance of with {static key | master key} clause following the regenerate key action allows the administrator to change the encryption on the regenerated key from static to dynamic, or vice versa. If the clause is omitted, the regenerated key is encrypted as it was prior to this command being issued.

The third instance of with {static key | master key} clause following the modify encryption action changes the protection on the existing key to use the static key or the master key as specified. If the clause is omitted, the static key is used by default.

[no] dual_control

indicates whether dual control is used to create the master key.

regenerate key

indicates you are regenerating the key.

with passwd ['password' | system_encr_passwd | login_passwd | 'base_key_password']

specifies the current password Adaptive Server uses to decrypt the column encryption key, and a new password for one of the following purposes:

  • Modify the encryption of a key or a key copy.

  • Encrypt a newly-added key copy. The key owner can add key copies for individual users that are accessible through a private password or a login password.

  • Recover the encryption key after losing a password.

Adaptive Server supports the following passwords for keys:

  • password – a character string up to 255 bytes long.

  • login_passwd – tells Adaptive Server to use the session’s login password.

  • system_encr_passwd – system encryption password for the current database.

  • 'base_key_password' – the password used to encrypt the base key, which may be known only by the key custodian. The password can be up to 255 bytes in length. Adaptive Server uses the first password to decrypt the base column-encryption key.

If you do not specify with passwd, the default is system_encr_passwd.

modify encryption

indicates you are modifying the encryption key or key copy.

for automatic startup

indicates that the key copy is to be used to access the master or dual master key after the server is restarted with automatic master key access enabled.

add encryption

adds an encrypted key copy for a designated user.

key_copy_password – the password used to encrypt the key copy. The password cannot be longer than 255 bytes. Adaptive Server makes a copy of the decrypted base key, encrypts it with a key encryption key derived from the key_copy_password, and saves the encrypted base key copy as a new row in sysencryptkeys.

for user user_name

specifies the user for whom you are adding or dropping a key copy.

for login_association

indicates that the key copy being added will later be encrypted by the assigned user’s login password during his or her first access to this key.

for recovery

indicates that the key copy is to be used to recover the master key in case the password is lost.

drop encryption

indicates that you are dropping the key copy for the specified user.

recover encryption

makes the base key accessible through a new password. Does not apply to key copies.

modify owner

changes the key’s owner to the specified user.

Examples

Example 1

Changes my_key to the default encryption key:

alter encryption key my_key as default

You must have the sso_role or keycustodian_role to change the default property of a key. If the command above is executed by:

To remove the default property from my_key, the SSO or the key custodian, as owner of the key, executes:

alter encryption key my_key as not default

If my_key is not the default key, this command returns an error.

Example 2

Changes the password on the important_key encryption key:

alter encryption key important_key 
     with passwd 'oldpassword'
     modify encryption 
     with passwd 'newpassword'

If this command is executed by:

Example 3

Changes the password on a key copy to the current session’s login password (can be executed only by a user who has been assigned a key copy):

alter encryption key important_key
     modify encryption
     with passwd login_passwd

You can encrypt only key copies with a login password. Adaptive Server returns an error if you attempt to encrypt the base key with a login password.

Example 4

Changes the password for the important_key encryption key to the system password:

alter encryption key important_key
     with passwd 'ReallyBigSecret'
     modify encryption with passwd system_encr_passwd

This command can be executed only by the key owner or a user with sso_role, and is allowed only if a key has no key copies. (Base keys with copies must be encrypted by a user-specified password.) This example modifies the encryption of the base key.

Example 5

Changes the password for the important_key encryption key from the system encryption password to a new password. Because the system encryption password is the default password, it need not be specified in the statement:

alter encryption key important_key
     modify encryption
     with passwd 'ReallyNewPassword'

Example 6

Adds encryption for user “ted” for the important_key encryption key with the password “just4now”:

alter encryption key important_key
     with passwd 'TopSecret' 
     add encryption with passwd 'just4now'
     for user 'ted'

You must be a key owner or a user with the sso_role to execute this command. Adaptive Server uses “TopSecret” to decrypt the base key, making a copy of the raw key and encrypting it for Ted using the password “just4now.”

Example 7

Modifies the encryption for Ted to use a new password. Only Ted can execute this command:

alter encryption key important_key
     with passwd 'just4now'
     modify encryption
     with passwd 'TedsOwnPassword'

Example 8

Drops encryption for user “ted” for the important_key encryption key (you must have the sso_role or be the key owner to execute this command):

alter encryption key important_key
     drop encryption for user 'ted'

Example 9

Modifies the owner of important_key to the new owner, “tinnap” (you must have the sso_role or be the key owner to execute this command):

alter encryption key important_key modify owner tinnap

Example 10

Uses the master key to encrypt an existing CEK “k2”:

alter encryption key k2
        with passwd 'goodbye'
        modify encryption
        with master key

Example 11

Re-encrypts an existing CEK “k3” that is currently encrypted by the master key, to use dual control:

alter encryption key k3
        modify encryption
        with master key
        dual_control

Example 12

Example 13

Sets up the recovery key copy and uses it for key recovery after losing a password.

  1. The key custodian originally creates a new encryption key protected by a password:

    create encryption key key1 for AES passwd 'loseitl8ter'
    
  2. The key custodian adds a special encryption key recovery copy for key1 for Charlie:

    alter encryption key key1 with passwd 'loseitl8ter'
         add encryption
         with passwd 'temppasswd'
         for user charlie
         for recovery 
    
  3. Charlie assigns a different password to the recovery copy and saves this password in a locked drawer:

    alter encryption key key1
         with passwd 'temppasswd'
         modify encryption
         with passwd 'finditl8ter'
         for recovery
    
  4. If the key custodian loses the password for the base key, he can obtain the password from Charlie and recover the base key from the recovery copy of the key using:

    alter encryption key key1
         with passwd 'finditl8ter'
         recover encryption
         with passwd 'newpasswd'
    
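The following sequence is an added example, not part of the original reference page, constructed from the "Altering the master key" syntax above to show the master-key counterpart of Example 13: a recovery copy, an automatic-startup copy and a regenerated master key. It assumes the master key already exists with the password 'MasterPw1' and that the database user charlie exists; all passwords are placeholders.

```sql
-- Step 1. The key custodian (who knows the current master key password)
-- adds a recovery copy of the master key for user charlie.
-- 'MasterPw1' is the current master key password (assumed).
alter encryption key master
    with passwd 'MasterPw1'
    add encryption with passwd 'TempRecovery'
    for user charlie
    for recovery

-- Step 2. Charlie re-encrypts his recovery copy under a password only he
-- knows, so the custodian no longer holds both secrets.
alter encryption key master
    with passwd 'TempRecovery'
    modify encryption with passwd 'CharliesRecoveryPw'
    for recovery

-- Step 3. The custodian adds an automatic-startup copy so the master key
-- can be accessed after a restart with automatic master key access enabled.
alter encryption key master
    with passwd 'MasterPw1'
    add encryption for automatic_startup

-- Step 4. The custodian regenerates the master key and protects the new
-- key with a new password.
alter encryption key master
    with passwd 'MasterPw1'
    regenerate key with passwd 'MasterPw2'

-- Step 5. Later, if 'MasterPw2' is lost, the custodian obtains Charlie's
-- recovery password and makes the master key accessible through a new one.
alter encryption key master
    with passwd 'CharliesRecoveryPw'
    recovery encryption with passwd 'MasterPw3'
```

Each statement requires the role described under Permissions for the corresponding action on a column encryption key; check the Encrypted Column Users Guide for the master-key specifics before running it against a production server.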

Usage

Permissions

You must be the system security officer or a user with the keycustodian_role to execute alter encryption key as default or not default. This permission cannot be granted to other users.

You must be the system security officer or the key owner to:

Auditing

For information about auditing encrypted columns, see Chapter 6, “Auditing Encrypted Columns,” in the Encrypted Columns Users Guide.

See also

create encryption key, drop encryption key, and sp_encryption.