create encryption key

Creates encryption keys. All the information related to keys and encryption is encapsulated by create encryption key, which allows you to specify the encryption algorithm and key size, the key’s default property, an optional user-specified password to encrypt the key, as well as the use of an initialization vector or padding during the encryption process.

The SAP ASE server uses Security Builder Crypto for key generation and encryption.


Create the master key:
create encryption key [dual] master
	[for AES] with passwd char_literal
Create the service key:
create encryption key syb_extpasswdkey 
	[ with { static key | master key }]
create encryption key syb_syscommkey
		[ with { static key | master key }] 
Create the column encryption key:
create encryption key [[database.][owner].]keyname
	[as default] 
	[for algorithm_name]
	[with [{{passwd {char_literal | system_encr_passwd} | master key}]
	[key_length num_bits]
	[init_vector {null | random}]
	[pad {null | random}]
	[[no] dual_control]}]
Create an encryption key for fully encrypted databases:
create encryption key keyname
    [for algorithm]
    for database encryption
        {[master key]
        [key_length 256]
        [init_vector random]
        [[no] dual_control]}




The SAP ASE server does not save the user-specified password. It saves a string of validating bytes known as the “salt” in sysencryptkeys.eksalt, which allows the SAP ASE server to recognize whether a password used on a subsequent encryption or decryption operation is legitimate for a key. You must supply the password to the SAP ASE server before you can access any column encrypted by keyname.

For fully encrypted databases:
  • The database encryption key does not support the pad option in create encryption key command.
  • The database encryption key cannot be the default key for column encryption.
  • Successfully created database encryption keys are stored in the sysencryptkeys table of the master database and are indicated by this key type:
    #define EK_DBENCKEY       0x1000

For information about auditing, see Auditing Encrypted Columns in the Encrypted Columns Users Guide.


ANSI SQL – Compliance level: Transact-SQL extension.


The permission checks for create encryption key differ based on your granular permissions settings.

With granular permissions enabled, you must have the following privilege or privileges based on the encryption key type:
  • column encryption key – create encryption key or manage column encryption key

  • master key – manage master key

  • service key – manage service key

  • database encryption key – manage database encryption key

You must have the manage any encryption key privilege to create an encryption key for another user.


With granular permissions disabled, you must be a user with sso_role, keycustodian_role, or have create encryption key privilege to create an encryption key. You must have sso_role to create an encryption key for another user.

Related reference
alter encryption key
drop encryption key