Encryption Keys (ASE)

Encryption keys are supported for ASE v12.5.3a and higher. PowerDesigner models encryption keys as extended objects with a stereotype of <<EncryptionKey>>.

Adaptive Server authentication and access control mechanisms ensure that only properly identified and authorized users can access data. You can encrypt data at the system, database level or at the column level, to restrict your security measures to only sensitive data, and minimize processing overhead.

Encrypting columns in Adaptive Server is more straightforward than using encryption in the middle tier, or in the client application. You use SQL statements to create the encryption keys and specify columns for encryption. Adaptive Server handles key generation and storage. Encryption and decryption of data occurs automatically and transparently as you write and read the data in encrypted columns. No application changes are required, and there is no need to purchase third-party software.

Creating an Encryption Key

You can create an encryption key in any of the following ways:

  • Select Model > Encryption Keys to access the List of Encryption Keys, and click the Add a Row tool.

  • Right-click the model (or a package) in the Browser, and select New > Encryption Key.

Encryption Key Properties

You can modify an object's properties from its property sheet. To open an encryption key property sheet, double-click its Browser entry in the Encryption Keys folder.

The following extended attributes are available on the Sybase tab:

Name

Description

Owner

Specifies the owner of the encryption key.

Scripting name: Owner

For database encryption

Specifies that the encryption key will encrypt the entire database, rather than individual columns. Selecting this option sets the Key to master key with a length of 256, enables the Initialization vector option and disables the Padding of datatypes option.

Scripting name: ForDatabaseEncryption

Key

Specifies the kind of key. You can choose between:
  • user password - Enables the Password field, in which you must enter an alphanumeric string of up to 255 bytes in length that Adaptive Server uses to generate the KEK.
  • master key - To use the master key (defined on the database).
  • system key - To use the system_encr_passwd database key (defined on the model).

Scripting name: Passwd, PasswordPhrase

Algorithm

Specifies the algorithm used to generate the encryption key. Currently, Advanced Encryption Standard (AES) is the only algorithm supported.

Scripting name: Algorithm

Key length

Specifies the size in bits of the key to be created. Valid key lengths for AES are 128, 192 and 256 bits.

Scripting name: KeyLength

Initialization vector

Controls the use of an initialization vector when encrypting. When an initialization vector is used by the encryption algorithm, the ciphertext of two identical pieces of plaintext will be different, which would prevent the cryptanalyst from detecting patterns of data but would render the data on disk useless for indexing or matching without decryption.

This option is enforced when the For database encryption option is selected.

Scripting name: InitVector

Padding of datatypes

Specifies the use of padding for datatypes whose length is less than one block. Padding can be used instead of an initialization vector to randomize the ciphertext. It is only suitable for columns whose plaintext length is less than half the block length. For the default AES algorithm the block length is 16 bytes.

This option is disabled when the For database encryption option is selected.

Scripting name: Pad

Default encryption key

Allows the System Security Officer to create a default key for use on all encrypted columns which do not have a keyname specified in create table or alter table. This is a database specific default key for use with tables in the same database. The default key is stored in the database sysencryptkeys table, the same as non-default keys.

Scripting name: Default

Dual control

[v16.0 and higher] Specifies that the key must be encrypted using dual controls.

Scripting name: DualControls

Password phrase

[v15.0.2 to 15.7] Specifies a default key for use on all encrypted columns which do not have a keyname specified in create table or alter table. This is a database specific default key for use with tables in the same database. The default key is stored in the database sysencryptkeys table, the same as non-default keys.

Scripting name: PasswordPhrase

The following tabs are also available:
  • Key Copies - [v15.0.2 and higher] ASE allows users to access encrypted columns using their copy of a single key. A key copy is designated for an individual user with a private password known only to the user, ASE does not save the passwords on disk, so that even the SA cannot access the protected data. PowerDesigner models key copies as extended sub-objects with a <<KeyCopy>> stereotype, and the following extensions are available on the Sybase tab of its property sheet:
    • User - identifies the user for whom the key copy is made.
    • Password - specifies the password used to encrypt the key copy.