Change a Key’s Protection Method

You can use the alter encryption key command to change the protection method for an encryption key.

The syntax is:

alter encryption key [[database.database][owner].] keyname
	[with {passwd {'old_passwd' | system_encr_passwd 
		| login_passwd} | master key}] 
	modify encryption
	[with [{passwd {'old_passwd' | system_encr_passwd | login_passwd} 
		| master key}] [[no] dual_control]]

where:

keyname – identifies a column encryption key.
with passwd 'old_password' – specifies the user-defined password previously specified to encrypt the base key or the key copy with a create encryption key or alter encryption key statement. The password can be up to 255 bytes long. If you do not specify with passwd on the base key, the default is the master key or the system encryption password.
with passwd 'new_password' – specifies the new password SAP ASE uses to encrypt the column encryption key or key copy. The password can be up to 255 bytes long. If you do not specify with passwd and you are encrypting the base key, the default is system_encr_passwd.
system_encr_passwd – is the default encryption password. You cannot modify the base key to be encrypted with the system encryption password if one or more key copies already exist. This restriction prevents the key custodian from inadvertently exposing an encryption key to access by an administrator after the key custodian has set up the key for restricted use by individual users. You cannot modify key copies to encrypt using the system encryption password.
login_passwd – is the login password of the current session. You cannot modify the base key to use login_password for encryption. A user can modify his own key copy to encrypt with his login password.
master key – in the first instance indicates that the current encryption uses the master key. In the second instance, it indicates that the KEK or CEK must be re-encrypted with the master key.

Example 1: In this example, the key custodian alters the base key because the password was compromised or a user who knew the password left the company.

Key custodian “razi” creates an encryption key:

create encryption key key1 
     with passwd 'MotherOfSecrets'

“razi” shares the password on the base key with “joe” and “bill”, who need to process the encrypted data (no key copies are involved).
“joe” leaves the company.
“razi” alters the password on the encryption key and then shares it with “bill”, and “pete”, who replaceses “joe.” The data does not need to be reencrypted because the underlying key has not changed, just the way the key is protected. The following statement decrypts key1 using the old password and reencrypts it with the new password:
```
alter encryption key key1
    with passwd 'MotherOfSecrets'
    modify encryption
    with passwd 'FatherOfSecrets'
```

Example 2: Use the master key to encrypt an existing CEK “k2”:

alter encryption key k2
        with passwd 'goodbye'
        modify encryption
        with master key

Example 3: Re-encrypt an existing CEK “k3” that is currently encrypted by the master key, to use dual control:

alter encryption key k3
        modify encryption
        with master key
        dual_control

Note: You can omit with master key in this example to achieve the same encryption.

Example 4: Re-encrypt an existing CEK “k4” that is currently encrypted by the master key and password “k4_password”, to remove dual control. The CEK and all its key copies are controlled by a single key derived from “k4_new_password”:

alter encryption key k4
        with passwd 'k4_password'
        modify encryption
        with passwd 'k4_new_password'
        no dual_control

Example 5: Encrypt an existing CEK “k5” that is currently encrypted by the master key, for dual control encrypted by the master key and password “k5_password”:

alter encryption key k5
        modify encryption
        with passwd 'k5_password'
        dual_control

Example 6: Encrypt a CEK for dual control by the master key and password “k6_password”:

create encryption key k6
        with passwd 'k6_password'
        dual_control

For user “ned”, encrypt his existing key copy of CEK “k6” that is currently encrypted with dual control by the master key and password “k6_password”, for dual control by the master key and password “k6_ned_password”:

alter encryption key k6
        with passwd 'k6_password'
        add encryption
        with passwd 'k6_ned_password'
        for user ned

Note: User “ned” cannot change the dual control property of his key copy.

Example 7: Encrypt a CEK “k7” currently encrypted by the master and dual master key, to use the system encryption password:

alter encryption key k7
        modify encryption
        with passwd system_encr_passwd
        no dual control