Protect Encryption Keys with Dual Control

You can secure encryption keys with dual control using the create encryption key command.

If you specify create encryption key with dual_control, but do not specify a user password, the encryption key is protected by the master key and the dual master key.

If you specify with dual_control and include a user-specific password, the encryption key is protected by the master key and the user password.

Example 1 – protects CEK “Reallysecret” with both the master and dual master keys and fails, unless both keys exist in the database:
```
create encryption key Reallysecret
     with init_vector random dual_control
```
Example 2 – encrypts CEK “k3” with both the master key and user password “Whybother”:
```
create encryption key k3
     with passwd 'Whybother'
     dual_control
```