Protect Data with Encryption Keys

SAP ASE uses two types of encryption keys and keeps keys encrypted when they are not in use.

Types of encryption keys:

Database encryption key (DEK) – the DEK is created in the master database and used to encrypt a database.
Column encryption key (CEK) – users must have access to the CEK before they can access encrypted data, but it must be encrypted before you store it on disk or in memory. SAP ASE encrypts the CEK using a key encryption key (KEK) and stores it in encrypted form in sysencryptkeys. The KEK also decrypts the CEK, allowing you to access decrypted data.

Key management includes creating, dropping, and modifying column encryption keys, distributing passwords, creating key copies, and providing for key recovery in the event of a lost password.

Creating the Database Encryption Key
The database encryption key is a 256-bit symmetric key that is created in the master database and used to encrypt a database.
Creating Column Encryption Keys
A column encryption key must exist before a table owner can mark a column for encryption on a new or existing table.
Key Protection
The key administrator must decide where keys are stored, when they should be renewed, and which owners can use a given key to encrypt data.