You can use the alter encryption key command to change the current password for an encryption key using the following syntax. You can use this command on individual key copies. For more information about key copies, see “Accountability and application transparency through key copies”:
alter encryption key [database_name.[owner].] key_name [with passwd 'old_password' | system_encr_passwd | login_passwd] modify encryption [with passwd 'new_password' | system_encr_passwd | login_passwd]
Where:
key_name – identifies a column encryption key.
with passwd 'old_password' – specifies the user-defined password previously specified to encrypt the base key or the key copy with a create encryption key or alter encryption key statement. The password can be up to 255 bytes long. If you do not specify with passwd, the default is the system encryption password.
with passwd 'new_password' – specifies the new password Adaptive Server uses to encrypt the column encryption key or key copy. The password can be up to 255 bytes long. If you do not specify with passwd, the default is system_encr_passwd.
system_encr_passwd – the default encryption password Adaptive Server uses. You cannot modify the base key to encrypt it with the system encryption password if one or more key copies already exist. This restriction prevents the key custodian from inadvertently exposing an encryption key to access by an administrator after the key custodian has set up the key for restricted use by individual users. You cannot modify key copies to encrypt using the system encryption password.
login_passwd – the login password of the current session. You cannot modify the base key to use login_password for encryption. A user can modify his own key copy to encrypt with his login_password. See “Application transparency using login passwords on key copies” for alternatives to encrypt key copies with a user’s login password that do not require the key copy assignee to execute the alter encryption key command.
In this example, the key custodian alters the base key because the password was compromised or a user who knew the password left the company.
Key custodian Razi creates an encryption key:
create encryption key key1 with passwd 'MotherOfSecrets'
Razi shares the password on the base key with Joe and Bill, who need to process the encrypted data (no key copies are involved).
Joe leaves the company.
Razi alters the password on the encryption key and then shares it with Bill, and Joe’s replacement. They do not need to reencrypt any data because the underlying key has not changed, just the way the key is protected. The following statement decrypts key1 using the old password and reencrypts it with the new password:
alter encryption key key1 with passwd 'MotherOfSecrets' modify encryption with passwd 'FatherOfSecrets'
