When a key custodian initially creates a key using create encryption key, the object that is created is defined as the “base key.” The key custodian makes copies of the base key using the alter encryption key ... add encryption syntax. Users access a key through a key copy, if one was assigned to them, or through the base key. After decryption, the base key and its copies are identical; they differ only in the key encryption key (KEK) used to encrypt and decrypt them.
Access to the raw key is necessary:
To create the key or alter it.
To encrypt or decrypt data in an encrypted column.
The rules Adaptive Server follows for finding the correct key or key copy are:
If you are the key owner – Adaptive Server accesses the base key. Typically, a key custodian has no authority or responsibility to process encrypted data, so accessing the key on behalf of the key owner is confined to DDL operations on the key, according to this algorithm:
Creating an encryption key – only the base key is affected
Altering an encryption key to add a key copy – Adaptive Server accesses the key by decrypting the base key. Adaptive Server copies, encrypts, and saves the key as a key copy.
Altering an encryption key to modify the password – Adaptive Server decrypts then re-encrypts the base key.
Altering an encryption key to drop a key copy – Adaptive Server does not require access through the base key, so it is not affected.
Dropping the encryption key – Adaptive Server does not require the raw key to drop the key and all its copies.
If you are not the key owner – Adaptive Server finds a key copy assigned to you, and:
Your actions are restricted to modifying the password on your key copy. If you are not assigned a key copy, the alter encryption key statement fails unless you have the sso_role. For non-key owners who have sso_role, Adaptive Server verifies that the old password you have supplied is valid for the base key, and applies the new password to the base key.
If your access to the key is for a data manipulation language (DML) command, or a select statement that affects an encrypted column, Adaptive Server looks for a key copy assigned to you. If no such key copy exists, the server assumes the password you supplied is for the base key and attempts to decrypt the base key with it. If the key decryption is unsuccessful, you are denied access to the key and the data.
Key copy access through a guest user is not allowed. For example, if a user is not a valid user in a database and the guest user has a key copy, this user is not allowed access to encrypted data through the guest user’s key copy.
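The following is an added illustration, not Adaptive Server code, that models the lookup rules above (owner uses the base key; other users use their assigned copy, or fall back to the base-key password; guest copies are refused; sso_role may re-key the base key). The KEK derivation and wrapping scheme (PBKDF2, XOR, HMAC tag) are assumptions chosen so that a wrong password is detected, not the server's real scheme.

```python
import hashlib
import hmac
import os

def _kek(password: str, salt: bytes) -> bytes:
    # Assumed KEK derivation: 32 bytes for wrapping, 32 bytes for the integrity tag.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)

def wrap(raw_key: bytes, password: str) -> dict:
    # Encrypt the raw key under a password-derived KEK; the tag reveals a wrong password.
    salt = os.urandom(16)
    kek = _kek(password, salt)
    ct = bytes(a ^ b for a, b in zip(raw_key, kek[:32]))
    return {"salt": salt, "ct": ct, "tag": hmac.new(kek[32:], ct, "sha256").digest()}

def unwrap(blob: dict, password: str) -> bytes:
    kek = _kek(password, blob["salt"])
    if not hmac.compare_digest(blob["tag"], hmac.new(kek[32:], blob["ct"], "sha256").digest()):
        raise PermissionError("password does not decrypt this key")
    return bytes(a ^ b for a, b in zip(blob["ct"], kek[:32]))

class EncryptionKey:
    def __init__(self, owner: str, password: str):
        self.owner = owner                          # key custodian who ran create encryption key
        self.base = wrap(os.urandom(32), password)  # base key, wrapped under the owner's KEK
        self.copies = {}                            # user -> key copy (same raw key, other KEK)

    def add_copy(self, owner_password: str, user: str, copy_password: str) -> None:
        # alter encryption key ... add encryption: decrypt the base key, re-wrap it for the user
        self.copies[user] = wrap(unwrap(self.base, owner_password), copy_password)

    def open(self, user: str, password: str, is_guest: bool = False) -> bytes:
        # DML/select path: owner -> base key; other user -> assigned copy, else try the base key
        if is_guest:
            raise PermissionError("key copy access through the guest user is not allowed")
        if user == self.owner or user not in self.copies:
            return unwrap(self.base, password)
        return unwrap(self.copies[user], password)

    def modify_password(self, user: str, old: str, new: str, sso_role: bool = False) -> None:
        # alter encryption key ... modify encryption: re-key the base key or the caller's copy
        if user == self.owner:
            self.base = wrap(unwrap(self.base, old), new)
        elif user in self.copies:
            self.copies[user] = wrap(unwrap(self.copies[user], old), new)
        elif sso_role:
            self.base = wrap(unwrap(self.base, old), new)  # old must be the base key's password
        else:
            raise PermissionError("no key copy assigned and no sso_role")
```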