The key custodian

The system administrator and DBO do not have implicit key management responsibilities. Instead of delegating all encryption responsibility to the SSO, Adaptive Server 15.0.2 adds system role keycustodian_role. The key custodian owns the encryption keys, but should have no explicit or implicit permissions on the data. The DBO grants users access to data through column permissions, and the key custodian allows them access to the key’s password. keycustodian_role is automatically granted to sso_role and can be granted by a user with the sso_role.

The key custodian can:

You can have multiple key custodians, who each own a set of keys. The key custodian grants the schema owner permission to use the keys on create table, alter table, and select into, and may disclose the key password to privileged users or allow users to associate key copies with a personal password or a login password. The key custodian can work with a “key recoverer” to recover keys in the event of a lost password or disaster (see “Key recovery commands”). If the key custodian leaves the company, the SSO can use the alter encryption key command to change key ownership to a new key custodian.
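The following isql session is an added illustration of the separation of duties described above and is not part of the Adaptive Server documentation. The login, user, key, table and column names and the passwords are placeholders, and the statement forms are taken from the Adaptive Server 15.0.2 encryption commands named on this page (grant role, create encryption key, grant select on a key, alter table ... encrypt with, set encryption passwd, alter encryption key ... modify owner); confirm the exact syntax against the reference manual for the version in use.

```sql
-- Added example (not from the ASE manual): who runs which statement.
-- Names and passwords are placeholders.

-- 1. SSO (holds sso_role) makes login 'alice' a key custodian.
grant role keycustodian_role to alice
go

-- 2. Key custodian alice creates and owns the key.
--    She holds no permission on the data this key will protect.
create encryption key cust_ssn_key with passwd 'PLACEHOLDER_key_password'
go

-- 3. Key custodian lets the schema owner use the key in
--    create table / alter table / select into. This grants nothing on data.
grant select on cust_ssn_key to schema_owner
go

-- 4. Schema owner encrypts the column with that key.
alter table customers modify ssn encrypt with cust_ssn_key
go

-- 5. DBO grants column-level data access to the application user.
--    Without the key password this user still cannot read plaintext.
grant select on customers(ssn) to app_user
go

-- 6. app_user supplies the key password disclosed by the key custodian
--    (or the personal password of a key copy) before reading the column.
set encryption passwd 'PLACEHOLDER_key_password' for key cust_ssn_key
go
select ssn from customers
go

-- 7. If alice leaves the company, the SSO moves ownership to a new custodian.
alter encryption key cust_ssn_key modify owner bob
go
```

Steps 1 and 7 are run by the SSO, steps 2, 3 and 6's password disclosure by the key custodian, step 4 by the schema owner and step 5 by the DBO; no single principal both holds the key password and grants the column permission, which is the property the role split is meant to enforce.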