The key custodian can set up key copies for encryption using a user’s login password, which provides ease of use, better security, lower administrative overhead, and application transparency:
Ease of use – users whose login password is associated with a key can access encrypted data without supplying a password.
Better security – users have fewer passwords to track, and are less likely to write them down.
Lower administrative overhead for key custodian – the key custodian need not manually distribute temporary passwords to each user who requires key access through a private password.
Application transparency – applications need not prompt for a password to process encrypted data. Existing applications can take advantage of these measures to protect data privacy even from the administrator.
alter encryption key [[database.][owner].]keyname with passwd 'base_key_password' add encryption for user 'user_name' for login_association
where login_association tells SAP ASE to create a key copy for the named user, which it later encrypts with the user's login password. Encrypting a key copy with a login password requires:
Using alter encryption key, the key custodian creates a key copy for each user who requires key access via a login password. SAP ASE attaches information to the key copy to securely associate the key copy with a given user. The identifying information and key are temporarily encrypted using a key derived from the master key or—if no master key exists—the system encryption password. The key copy is saved in sysencryptkeys.
When a user processes data requiring a key lookup, SAP ASE notes that a copy of the encryption key identified for this user is ready for login password association. Using the master key or the system encryption password to decrypt the information in the key copy, SAP ASE validates the user information associated with the key copy against the user’s login credentials, and encrypts the key copy with a KEK derived from the user’s login password, which has been supplied to the session.
When adding a key copy with alter encryption key ... add encryption for user ... for login_association, the master key or the system encryption password must be available to encrypt the key copy. The system encryption password must still be available for SAP ASE to decrypt the key copy when the user logs in. After SAP ASE has reencrypted the key copy with the user’s login password, the system encryption password is no longer required.
The following sequence shows how a key copy becomes associated with a login password:
1. The key custodian creates key1:
   create encryption key key1 for AES with passwd 'MotherofSecrets'
2. The key custodian adds a key copy for “bill” for login association:
   alter encryption key key1 with passwd 'MotherofSecrets' add encryption for user 'bill' for login_association
3. SAP ASE uses the master key or the system encryption password to encrypt a combination of the key and information identifying the key copy for “bill”, and stores the result in sysencryptkeys.
4. “bill” logs in and processes data in a table with columns encrypted by key1, for example:
   select * from emp
5. SAP ASE recognizes that it must encrypt “bill”’s copy of key1 with his login password. SAP ASE uses the master key or the system encryption password to decrypt the key value data saved in sysencryptkeys in step 3. It validates the information against the current login credentials, then encrypts key1's key value with a KEK generated from “bill”’s login password.
During future logins when “bill” processes columns encrypted by key1, SAP ASE accesses key1 directly by decrypting it with “bill”’s login password, which is available to SAP ASE through “bill”’s internal session context.
Users who are aliased to “bill” cannot access the data encrypted by key1 because their own login passwords cannot decrypt key1.
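The two-phase mechanism described above (the key value and identifying information first encrypted under the system encryption password, then, once the identifying information is validated against the session's login, re-encrypted under a KEK derived from the login password) as an added, constructed Python model. This is not SAP ASE's implementation: PBKDF2-SHA256 as the KDF, the HMAC-based wrapping, the per-copy salt and the dict layout are all assumptions made so the model runs stand-alone.

```python
import hashlib, hmac, os
# Constructed model of the two-phase key-copy lifecycle, not SAP ASE code: PBKDF2-SHA256
# as KDF and an HMAC keystream plus tag as the wrapping primitive are assumptions.
ITERATIONS = 100_000

def derive_kek(password: str, salt: bytes) -> bytes:
    # KEK from a password (the system encryption password or a user's login password)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = b"", 0
    while len(blocks) < length:
        blocks += hmac.new(kek, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return blocks[:length]

def wrap(kek: bytes, data: bytes) -> bytes:
    # encrypt-then-MAC; output is nonce || ciphertext || tag
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(kek, nonce, len(data))))
    return nonce + ct + hmac.new(kek, nonce + ct, hashlib.sha256).digest()

def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong KEK: key copy cannot be decrypted")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))

def add_copy_for_login_association(sys_password: str, key_value: bytes, user: str) -> dict:
    # Phase 1 (add encryption ... for login_association): key value plus the
    # identifying user name, wrapped under the system encryption password
    salt = os.urandom(16)
    blob = wrap(derive_kek(sys_password, salt), user.encode() + b"\0" + key_value)
    return {"user": user, "salt": salt, "pending": True, "blob": blob}

def first_access(copy: dict, sys_password: str, session_user: str, login_password: str) -> bytes:
    # Phase 2 (first key lookup by the user): validate the identifying info against
    # the session's login, then re-wrap the key value under the login-password KEK
    payload = unwrap(derive_kek(sys_password, copy["salt"]), copy["blob"])
    owner, key_value = payload.split(b"\0", 1)
    if owner.decode() != session_user:
        raise PermissionError("key copy is not associated with this login")
    copy["blob"] = wrap(derive_kek(login_password, copy["salt"]), key_value)
    copy["pending"] = False  # system encryption password no longer required for this copy
    return key_value

def access(copy: dict, login_password: str) -> bytes:
    # later sessions: only the associated user's login password unwraps the key
    return unwrap(derive_kek(login_password, copy["salt"]), copy["blob"])
```

Once `first_access` has run, the copy can be unwrapped only with the associated login password, which is why a user aliased to “bill” cannot read it with their own.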
To remove “bill”’s key copy:
alter encryption key key1 drop encryption for user 'bill'
If the key copy is not set up for login association, the key custodian assigns it a temporary password instead, and:
1. The key custodian must communicate the key copy’s first assigned password to the user.
2. The user must issue alter encryption key to reencrypt the key copy with a login password.
For example, key custodian “razi” creates a key copy for “bill” with the temporary password 'just4bill':
alter encryption key key1 with passwd 'MotherofSecrets' add encryption with passwd 'just4bill' for user bill
“razi” shares the key copy's password with “bill”.
“bill” then reencrypts his key copy with his login password:
alter encryption key key1 with passwd "just4bill" modify encryption with passwd login_passwd
Now, when “bill” processes encrypted columns, SAP ASE accesses “bill”’s key copy through his login password.