Key Protection Using User-Specified Passwords

Use create encryption key to associate a password with a key.

The syntax is:

create encryption key [[db.][owner].]keyname  [as default]
	[for algorithm_name] 
	[with {[keylength num_bits]
	[passwd 'password_phrase'] 
	[init_vector {NULL | random}]
	[pad {NULL | random}]}]

where password_phrase is a quoted alphanumeric string of up to 255 bytes in length that SAP ASE uses to generate thekey encryption key (KEK).

SAP ASE does not save the user-specified password. It saves a string of validating bytes known as the “salt” in sysencryptkeys.eksalt, which allows SAP ASE to recognize whether a password used on a subsequent encryption or decryption operation is legitimate for a key. You must supply the password to SAP ASE before you can access any column encrypted by keyname.

When you create an encryption key, its entry in the sysencryptkeys table is known as the base key. For some users and applications, the base key, encrypted by either the master key, the system encryption password, or an explicit password, is sufficient. Any explicit password is shared among users requiring access to the key. Additionally, you can create key copies for different users and applications. Each key copy can be encrypted by an individual password and is stored as a separate row in sysencryptkeys. An encryption key is always represented by one base key and zero or more key copies.

This example shows how to use passwords on keys, and the key custodian’s function in setting up encryption. The password on the key is shared among all users who have a business need to process encrypted data.

Key custodian “razi” creates an encryption key:

create encryption key key1 
     with passwd 'Worlds1Biggest6Secret'

“razi” distributes the password to all users who need access to encrypted data.
Each user enters the password before processing tables with encrypted columns:
```
set encryption passwd 'Worlds1Biggest6Secret' 
     for key razi.key1
```
If the key is compromised because an unauthorized user gained access to the password, “razi” alters the key to change the password.

Change a Key’s Protection Method
You can use the alter encryption key command to change the protection method for an encryption key.
Create Key Copies
The key custodian may need to make a copy of the key temporarily available to an administrator or an operator who must load data into encrypted columns or databases. Because this operator does not otherwise have permission to access encrypted data, he or she should not have permanent access to a key.
Change Passwords on Key Copies
Once a user has been assigned a key copy, he or she can use alter encryption key to modify the key copy’s password.
Access Encrypted Data with a User Password
You must supply the encryption key’s password to encrypt or decrypt data on an insert, update, delete, select, alter table, or select into statement.
Application Transparency Using Login Passwords on Key Copies
The key custodian can set up key copies for encryption using a user’s login password, and thereby providing ease of use, better security, lower overhead, and application transparency.
Login Password Change and Key Copies
If you hold a key copy encrypted by a login password on one or more keys, you need not modify the key copies after you change your login password. alter login decrypts your key copies with your old login password and reencrypts them using the new login password.
Dropping a Key Copy
When a user changes jobs or leaves the company, the key custodian should drop the user’s key copy.

Related information

Protect Keys with User-Specified Passwords