Key recovery commands

The key recovery copy provides a way to recover a raw key if the password on the base key was lost or if the person who knows the password is unavailable. Adaptive Server does not allow access to data through the recovery key copy. A key recovery copy exists only to provide a backup for accessing the base key.

You can set up a recovery key copy with the following:

alter encryption key key_name with passwd base_key_passwd 
add encryption with passwd recovery_passwd 
for user key_recovery_user for recovery

Where:

key_name is the name of the base key.
base_key_passwd is the current password of the base key.
recovery_passwd is the password that initially protects the recovery copy; the key custodian gives it to the key recovery user.
key_recovery_user is the user who receives the recovery copy.

After setting up the key recovery copy, the key custodian shares the password with the key recovery user, who can change it to a password only the key recovery user knows:

alter encryption key key_name with passwd old_recovery_passwd modify encryption with passwd new_recovery_passwd for recovery 

The key recovery user keeps the password for the recovery key copy in a safe place until it is required to recover the base key.

During key recovery, the key recovery user tells the key custodian the password of the key recovery copy. The key custodian restores access to the base key through a known password with the following command:

alter encryption key key_name with passwd recovery_key_passwd
recover encryption with passwd new_base_key_passwd

Where:

key_name is the name of the base key being recovered.
recovery_key_passwd is the current password of the recovery copy, as supplied by the key recovery user.
new_base_key_passwd is the new password that protects the base key once access is restored.

After an unforeseen circumstance, it may be necessary to change ownership of the key to another key custodian. For more information, see “Changing ownership of encryption keys”.

The following example shows how to set up the recovery key copy and use it for key recovery after losing a password:

  1. The key custodian originally creates a new encryption key protected by a password.

    create encryption key key1 for AES passwd 'loseitl8ter'
    
  2. The key custodian adds a special encryption key recovery copy for key1 for user “charlie.”

    alter encryption key key1 with passwd 'loseitl8ter'
         add encryption
         with passwd 'temppasswd'
         for user charlie
         for recovery 
    
  3. “charlie” assigns a different password to the recovery copy and saves this password in a locked drawer:

    alter encryption key key1
         with passwd 'temppasswd'
         modify encryption
         with passwd 'finditl8ter'
         for recovery
    
  4. If the key custodian loses the password for the base key, the key custodian obtains the recovery copy password from “charlie” and recovers the base key from the recovery copy using:

    alter encryption key key1
         with passwd 'finditl8ter'
         recover encryption
         with passwd 'newpasswd'
    

The key custodian now shares access to key1 with other users by sharing the base key’s password or by dropping and adding key copies where changes in personnel have occurred.
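The following script, added here as an illustration and not taken from the Adaptive Server documentation, runs the whole lifecycle from the example above as one isql session and then carries out the post-recovery step that the text only describes: re-issuing key copies to other users. The logins alice and bob, the password values, and the assumption that the custodian and charlie each run their own steps from their own login are constructed for this example; the statement syntax is the syntax shown on this page plus the drop encryption form of alter encryption key.

```sql
-- Step 1 (key custodian's login): create the base key under a password.
create encryption key key1 for AES passwd 'loseitl8ter'
go

-- Step 2 (key custodian's login): add a recovery copy for user charlie.
-- The recovery copy cannot be used to read data; it only backs up
-- access to the base key.
alter encryption key key1 with passwd 'loseitl8ter'
     add encryption
     with passwd 'temppasswd'
     for user charlie
     for recovery
go

-- Step 3 (charlie's login): replace the temporary password with one
-- only charlie knows, so the custodian no longer holds both secrets.
alter encryption key key1
     with passwd 'temppasswd'
     modify encryption
     with passwd 'finditl8ter'
     for recovery
go

-- Step 4 (key custodian's login, after the base password is lost):
-- charlie hands over 'finditl8ter'; the custodian restores access
-- to the base key under a new password.
alter encryption key key1
     with passwd 'finditl8ter'
     recover encryption
     with passwd 'newpasswd'
go

-- Post-recovery (key custodian's login): re-issue access to other users.
-- alice and bob are constructed names for this example. A departed
-- user's copy is dropped; a new user receives a fresh copy protected
-- by a password the custodian communicates out of band.
alter encryption key key1
     drop encryption
     for user bob
go

alter encryption key key1 with passwd 'newpasswd'
     add encryption
     with passwd 'alice_initial_pw'
     for user alice
go
```

Because charlie's step 3 password replaces the custodian-supplied one, the recovery copy is never usable by the custodian alone once step 3 completes, and the recovery in step 4 requires charlie's cooperation; that separation is the point of designating a distinct key recovery user.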