Login password change and key copies

If you hold key copies encrypted with your login password on one or more keys, you need not modify those key copies after using sp_password to change your own login password. As part of changing the login password, sp_password decrypts your key copies with the old login password you supply and re-encrypts them with the new one. For more information, see “sp_password”.

If the System Security Officer (SSO) uses sp_password to change your password without supplying your old password (the SSO supplies his or her own password as the caller password), sp_password cannot decrypt your key copies, so it drops them. Dropping them is deliberate: the SSO now knows your new password, and a key copy left encrypted under that password would give an administrator access to the key. After a mandatory password change of this kind, the key custodian must use alter encryption key to add key copies for login_association for the user whose password was changed. sp_password skips keys in databases that are offline at the time of the change; for those keys, the key custodian follows the steps for recovering a lost key copy password once the database is back online. See “Loss of login password” for more information.

The key custodian may also need to perform these steps when a login’s password is changed by starting the server with the -p flag, which generates a new password for the named SSO login. If the SSO whose password was regenerated by -p also has access to keys through key copies encrypted with his or her login password, those copies can no longer be decrypted, and the key custodian must drop and recreate the SSO’s key copies.
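The following is an added example, not taken from the original page, showing the sequence of commands the three cases above describe: a self-service password change, an SSO-forced change that drops key copies, and the custodian’s repair. The key name k1, the user alice, the SSO login sso1, the temporary passwords, and the exact alter encryption key syntax are assumptions for illustration; check the command syntax against the alter encryption key and sp_password reference pages for your server version.

```sql
-- Added example; not from the original page. Key k1, users alice and
-- sso1, and all passwords are assumed for illustration.

-- Case 1: alice changes her own password and supplies the old one.
-- sp_password decrypts her login-password key copies with the old
-- password and re-encrypts them with the new one; nothing else to do.
exec sp_password 'alice_old_pw', 'alice_new_pw'

-- Case 2: the SSO resets alice's password. The first argument is the
-- SSO's own password, not alice's, so sp_password cannot decrypt
-- alice's key copies and drops them instead of leaving them readable
-- under a password the SSO knows.
exec sp_password 'sso_pw', 'alice_reset_pw', alice

-- Repair: the key custodian adds a fresh copy of k1 for alice under a
-- temporary password, marked for login association. The follow-on
-- steps (handing over the temporary password, the copy being tied to
-- alice's login password) are those under "Loss of login password",
-- which this page only references.
alter encryption key k1
    add encryption with passwd 'temp_pw_for_alice'
    for user alice for login_association

-- Case 3: the server was started with -p, regenerating sso1's password.
-- Key copies encrypted under sso1's old login password are now
-- undecryptable, so the custodian drops and re-creates them.
alter encryption key k1 drop encryption for user sso1
alter encryption key k1
    add encryption with passwd 'temp_pw_for_sso'
    for user sso1 for login_association
```

A quick check a custodian can run after an SSO-forced change is to query sysencryptkeys for the affected key and confirm that no copy remains for the reset user before adding the new one; a copy that still exists for that user means the key’s database was offline during sp_password and the recovery steps apply instead.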