Protect Encryption Keys with the System-Encryption Password

The system encryption password is a database-specific password, and is the secondary default encryption method for the DEK or CEK.

SAP ASE uses the system encryption password to encrypt keys created in a specified database without an explicit password clause. Once the system security officer or key custodian has set a system encryption password, you need not specify this password to process encrypted columns. SAP ASE internally accesses the system encryption password when it needs to encrypt or decrypt column encryption keys.

The system security officer or key custodian uses sp_encryption to set the system encryption password. The password applies only to the database in which sp_encryption is run:
sp_encryption system_encr_passwd, password

password can be as many as 255 bytes in length.

Set a system encryption password only in the database where encryption keys are created.

The system encryption password protects your encryption keys. Choose long and complex system encryption passwords. Longer passwords are harder to guess or crack by brute force. Include uppercase and lowercase letters, numbers, and special characters in the system encryption password. SAP recommends that the system encryption password be at least 16 bytes in length.

SAP ASE enforces compliance of the system encryption password with the minimum password length and check password for digit configuration parameters.

Change the system password by using sp_encryption and supplying the old password:
sp_encryption system_encr_passwd, password [ , old_password]

Periodically change the system encryption password, especially when an administrator who knows the system encryption password leaves the company. When the system password is changed, SAP ASE automatically reencrypts all keys in the database with the new password. Encrypted data is unaffected when the system password is changed; in other words, it is not decrypted and reencrypted.

You can unset the system encryption password by supplying “null” as the argument for password and supplying the value for old_password. Unset the system password only if you have dropped all the encryption keys in that database that were encrypted by the system encryption password.

The encrypted password value is stored in the sysattributes system table in that database. Additionally, the encrypted database feature introduces class 43, a new sysattributes class that signifies full database encryption. For every storage allocation of the database that undergoes encryption, SAP ASE inserts a row in sysattributes with these values:
| Column Name | Value |
|---|---|
| class | 43 |
| object | dbid (database ID) |
| object_info1 | Starting logical page ID |
| object_info2 | Ending logical page ID |
| int_value | Last encrypted logical page ID on one storage allocation |
This row is removed when SAP ASE finishes encrypting the database.
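The class 43 rows described above can be read to watch a full database encryption in progress. The query below is an added example, not taken from the SAP documentation; it assumes that int_value falls between object_info1 and object_info2 for an allocation that has started encrypting, and that the rows are visible in the sysattributes table of the database where the query is run.

```sql
-- Added example: progress of full database encryption per storage allocation,
-- read from the class 43 rows in sysattributes.
-- Assumption: int_value (last encrypted logical page) lies within
-- [object_info1, object_info2] once encryption of the allocation has started.
select
    db_name(object)               as database_name,
    object_info1                  as start_page,
    object_info2                  as end_page,
    int_value                     as last_encrypted_page,
    object_info2 - object_info1 + 1 as pages_in_allocation,
    case
        -- nothing encrypted yet on this allocation
        when int_value is null or int_value < object_info1 then 0
        -- clamp in case the marker has already reached the end page
        when int_value >= object_info2 then 100
        else convert(numeric(5,2),
                 100.0 * (int_value - object_info1 + 1)
                       / (object_info2 - object_info1 + 1))
    end                           as pct_encrypted
from sysattributes
where class = 43
order by object, object_info1
go
```

An empty result means no allocation is currently being encrypted, since SAP ASE removes the row when it finishes encrypting the database.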