Auditing for encrypted columns includes these changes:
Auditing actions of the key custodian
Additional audit events for alter encryption key
Masking passwords in command text auditing
Use this command to audit all actions in which keycustodian_role is active:
sp_audit "all", "keycustodian_role", "all", "on"
The encryption_key audit option writes these events and information to the audit table for encrypted columns.
| Command to be audited | Event number | Information in extrainfo output |
|---|---|---|
| create encryption key | 107 | Type of password, user or system |
| AEK as/not default | 108 | Modify encryption key to be the database default key or remove the default property from the key. |
| AEK modify encryption | 118 | modify encryption with user passwd or with login passwd [for user user_name] [with keyvalue [for recovery]] |
| AEK add encryption | 119 | add encryption for user user_name with user passwd [for recovery] or for login association [with keyvalue] |
| AEK drop encryption | 120 | drop encryption [for recovery] [for user] |
| AEK modify owner | 121 | modify owner new owner user_name |
| AEK key recovery | 122 | recover key [with keyvalue] |
Passwords are masked in the audit records produced by command text auditing. For example, if the SSO has enabled command text auditing for user “alan” in database db1:
sp_audit "cmdtext", "alan", "db1", "on"
And “alan” issues this command:
create encryption key key1 with passwd "bigsecret"
Adaptive Server writes the following SQL text to the extrainfo column of the audit table:
create encryption key key1 with passwd "xxxxxx"
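As an added example (not part of the Adaptive Server documentation), this script decodes the encryption_key event numbers from the table above and checks that the command text stored in extrainfo carries only masked passwords; the audit rows it runs over are constructed, and 999 is a placeholder event number for a command-text record, not a real event.

```python
import re

# Event numbers written by the encryption_key audit option (values from the table above).
ENCRYPTION_KEY_EVENTS = {
    107: "create encryption key",
    108: "AEK as/not default",
    118: "AEK modify encryption",
    119: "AEK add encryption",
    120: "AEK drop encryption",
    121: "AEK modify owner",
    122: "AEK key recovery",
}

# A password literal as it appears in audited command text: passwd "..."
PASSWD_LITERAL = re.compile(r'\bpasswd\s+"([^"]*)"', re.IGNORECASE)


def password_is_masked(extrainfo):
    """True when every passwd literal in the audited text is x's only (the masking
    Adaptive Server applies); text with no passwd literal passes."""
    return all(re.fullmatch(r"x+", lit) for lit in PASSWD_LITERAL.findall(extrainfo))


def review_audit_rows(rows):
    """rows: iterable of (event, loginname, extrainfo) tuples as read from the audit
    table. Returns findings: each encryption-key event decoded to its name, plus any
    row whose command text still contains a clear-text password."""
    findings = []
    for event, login, extrainfo in rows:
        name = ENCRYPTION_KEY_EVENTS.get(event)
        if name is not None:
            findings.append({"type": "key_event", "event": event, "name": name, "login": login})
        if not password_is_masked(extrainfo):
            # Should not occur when masking works; treat it as an alert if it does.
            findings.append({"type": "unmasked_password", "event": event, "login": login})
    return findings


# Constructed sample rows (not real audit output); 999 is a placeholder event number.
SAMPLE_ROWS = [
    (107, "alan", "user password"),
    (999, "alan", 'create encryption key key1 with passwd "xxxxxx"'),
    (118, "alan", "modify encryption with user passwd"),
    (122, "keyadmin", "recover key with keyvalue"),
    (999, "alan", 'create encryption key key2 with passwd "bigsecret"'),  # masking failure
]

if __name__ == "__main__":
    for finding in review_audit_rows(SAMPLE_ROWS):
        print(finding)
```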