User-specified passwords on encryption keys ensure that data privacy is protected from the system administrator.
The key custodian can own the keys, but not see the data.
The database owner can own the schema, but not the data.
- Key access, granted by the key custodian
- Data access, granted by the table owner
| Role | Can Create Encryption Key? | Can Use Key in a Schema Definition? | Can Decrypt Encrypted Data? |
|---|---|---|---|
| sso_role | Yes | No, requires create table permission | No. User with role may have knowledge of password, but requires select permission on table (SSO has implicit decrypt permission). |
| sa_role | No, requires create encryption key permission | Yes, but must be granted select permission on the key | No, requires knowledge of password |
| keycustodian_role | Yes | No, requires create table permission | No. User with role may have knowledge of password, but requires decrypt and select permission. |
| database owner or schema owner | No, requires create encryption key permission | Yes, but must be granted select permission on the key | No, requires knowledge of password. |
| User | No | No | Yes, but must be granted decrypt or select permission and have knowledge of key’s password. |
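
The separation of duties in the table, walked through as an added example that is not part of the original documentation. It assumes SAP ASE (Sybase) encrypted-columns syntax, which is where these role names come from; the logins `key_admin`, `db_owner1` and `app_user`, the key `cc_key`, the table `customer` and the passphrase are all hypothetical.

```sql
-- Added example: every login, object name and passphrase here is constructed.

-- 1. Key custodian (login key_admin, holding keycustodian_role) creates
--    the key with a user-specified password.
create encryption key cc_key for AES
    with keylength 256
    passwd 'Constructed-Passphrase-01'
    init_vector random
go

-- 2. Key access: the key custodian grants select on the key so the table
--    owner can name it in a schema definition. The password is not shared.
grant select on cc_key to db_owner1
go

-- 3. Table owner (db_owner1, who has create table permission) encrypts
--    the column with the custodian's key.
create table customer (
    cust_id  int       not null,
    cc_num   char(16)  encrypt with key_admin.cc_key
)
go

-- 4. Data access: the table owner grants select and decrypt to the user.
grant select on customer to app_user
grant decrypt on customer(cc_num) to app_user
go

-- 5. app_user, who was given the password out of band, supplies it for
--    the session and can then read the decrypted column.
set encryption passwd 'Constructed-Passphrase-01' for key key_admin.cc_key
select cust_id, cc_num from customer
go

-- db_owner1 or an sa_role login running the same select without step 5
-- has the table permissions but not the password, so the last column of
-- the table above applies: "No, requires knowledge of password".
```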