In Adaptive Server 15.0.2 you can protect keys with a password and keep data protected from the power of the administrator. Once data is protected using keys with user defined passwords, to process encrypted columns, users must have:
select, insert, update, or delete permission on the column, depending on the type of access.
Decrypt permission on the encrypted columns used in the target list of a select statement and in query predicates. Users without decrypt permission on the column receive a permissions-related error unless the column is defined with a decrypt_default. See “Returning default values for encrypted columns” for more information.
The password used to encrypt the key if the user password is specified when creating or altering an encryption key. Users who do not supply the correct password receive an error when attempting to select, insert or update encrypted columns or when referencing columns in a where clause. You need not supply a password if the encryption key is protected by the system encryption password or a login password; Adaptive Server can find these passwords internally.
