SAP ASE does not allow access to data through the recovery key copy. A key recovery copy exists only to provide a backup for accessing the base key.
alter encryption key keyname with passwd base_key_passwd add encryption with passwd recovery_passwd for user key_recovery_user for recovery
base_key_passwd – the password the key custodian assigned to the base key.
recovery_passwd – the password used to protect the key recovery copy.
key_recovery_user – the user assigned the responsibility for remembering a password for key recovery.
The key recovery user changes the password on the key recovery copy using:
alter encryption key keyname with passwd old_recovery_passwd modify encryption with passwd new_recovery_passwd for recovery
old_recovery_passwd – the current password of the key recovery copy.
new_recovery_passwd – the replacement password for the key recovery copy.
During key recovery, the key recovery user tells the key custodian the password of the key recovery copy. The key custodian restores access to the base key using:
alter encryption key keyname with passwd recovery_key_passwd recover encryption with passwd new_base_key_passwd
recovery_key_passwd – the password associated with the key recovery copy, shared with the key custodian by the key recovery user. SAP ASE uses the recovery_key_passwd to decrypt the key recovery copy to access the raw key.
new_base_key_passwd – the password used to encrypt the raw key. SAP ASE updates the base key row in sysencryptkeys with the result.
For example, the following sequence creates key1, adds a recovery copy for user charlie under a temporary password, has the recovery password changed, and then recovers the base key under a new password:
create encryption key key1 for AES passwd 'loseitl8ter'
alter encryption key key1 with passwd 'loseitl8ter' add encryption with passwd 'temppasswd' for user charlie for recovery
alter encryption key key1 with passwd 'temppasswd' modify encryption with passwd 'finditl8ter' for recovery
alter encryption key key1 with passwd 'finditl8ter' recover encryption with passwd 'newpasswd'
The key custodian now shares access to key1 with other users by sharing the base key’s password, or by dropping and adding key copies where changes in personnel have occurred.
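The personnel change mentioned above, carried through as an added example that is not part of the SAP ASE documentation: the departing key recovery user's copy is dropped and a new recovery copy is created for the replacement, continuing from the base key password 'newpasswd' set in the example above. All password values and the user name dana are constructed placeholders; the drop encryption for recovery clause is assumed from the alter encryption key grammar and should be checked against the reference for your ASE version.

```sql
-- Added example (not SAP's own documentation): rotating the key recovery
-- user for key1 after a personnel change. Password values and the user
-- name dana are constructed; "drop encryption for recovery" is assumed.

-- Key custodian: the existing recovery copy (held by charlie) should no
-- longer be relied on, so drop it. Dropping a copy never touches the base
-- key, and a recovery copy cannot be used to read data in any case.
alter encryption key key1 drop encryption for recovery

-- Key custodian: create a new recovery copy for the replacement user dana,
-- protected by a temporary password handed to dana out of band. The base
-- key password ('newpasswd' from the earlier recovery) is required here.
alter encryption key key1
    with passwd 'newpasswd'
    add encryption with passwd 'temp4dana' for user dana for recovery

-- Key recovery user (dana): replace the temporary password with one only
-- dana knows, so the custodian no longer holds the recovery password and
-- no single person can both use the key and recover it.
alter encryption key key1
    with passwd 'temp4dana'
    modify encryption with passwd 'dana-recovery-secret' for recovery

-- Later, if the base key password is lost: dana shares the recovery
-- password with the key custodian, who decrypts the raw key through the
-- recovery copy and re-encrypts it under a fresh base key password.
alter encryption key key1
    with passwd 'dana-recovery-secret'
    recover encryption with passwd 'base-passwd-v2'
```

After the final statement the base key row in sysencryptkeys is protected by 'base-passwd-v2'; the custodian should then change it again if the recovery password has been exposed to more people than intended, and the key recovery user should rotate the recovery password with another modify encryption statement.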