Creating the Master and Dual Master Keys

Once created, master keys become the default protection method for encryption keys. A dual master key is required only for dual control of column and database encryption keys.

Prerequisites

Only users with sso_role or keycustodian_role can create the master key and dual master key. There can only be one master and one dual master key for a database.

Task

To create the master and dual master keys use:

create encryption key [dual] master
	[for AES] with passwd char_literal
where:

  • master and dual master refer to database-level keys used to encrypt other keys within the database in which they are defined. These keys are not used to encrypt data. The master key is named internally as sybencrmasterkey in sysobjects, and the dual master key is named internally as sybencrdualmasterkey in sysobjects.

  • with passwd must be followed by a character string password that adheres to sp_passwordpolicy.

See the Reference Manual: Commands.

  • Example 1 – creates master key in database tdb1:
    use database tdb1
create encryption key master with passwd
'unforgetablethatswhatyouare'
  • Example 2 – creates a dual master key in database tdb1:
    use database tb1
create encryption key dual master with passwd 'dualunforgettable'
  • Example 3 – generates an error because you cannot use a master key as a column encryption key:
    create table t2 (c1 int encrypt with master)
To change the password of a master key or dual master key, use:
alter encryption key [dual] master
	with passwd <char_literal>
	modify encryption
	with passwd <char_literal>
Parent topic: Database-Level Master and Dual Master Keys