Basics of key management

Key management consists of creating, dropping, and modifying encryption keys, distributing passwords, and providing for key recovery in the event of a lost password.

Adaptive Server manages the security of keys by keeping keys encrypted when not in use. There are actually two keys between the user and the data: the column encryption key (CEK) and the key encryption key (KEK). The CEK encrypts the data; users must have access to it before they can access the encrypted data, but for security reasons it cannot be stored on disk in unencrypted form. Instead, Adaptive Server encrypts the CEK with a KEK when you create or alter an encryption key. The KEK is also used to decrypt the CEK before you can access the decrypted data. The KEK is derived internally from the system encryption password, a user-specified password, or a login password, depending on how you specify the key's encryption with the create encryption key and alter encryption key statements. CEKs are stored in encrypted form in sysencryptkeys.

Figure 2-1 describes the steps for creating and storing a column encryption key for a create encryption key statement. The KEK is derived from a password, and the KEK and the raw CEK are fed into the encryption function to produce an encrypted CEK.

Figure 2-1: Steps to create an encryption key

Figure 2-2 describes how the KEK is used during a DML operation to decrypt the CEK. The raw CEK is then used to encrypt or decrypt data.

Figure 2-2: Accessing a CEK to encrypt or decrypt on DML statement
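The following Python is an added example, not Adaptive Server code, that models the two-level scheme in Figures 2-1 and 2-2: a KEK derived from a password, a CEK that is catalogued only in wrapped form in a constructed stand-in for sysencryptkeys, and the unwrap step that has to succeed before a column value can be encrypted or decrypted. The KDF (PBKDF2-HMAC-SHA256) and the cipher (an HMAC-SHA256 keystream with an HMAC tag, chosen so the block runs on the standard library alone) are assumptions and not the server's actual algorithms.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the sysencryptkeys catalog: name -> (salt, wrapped CEK).
# Only the wrapped CEK is ever stored; the raw CEK never reaches disk.
sysencryptkeys = {}

def derive_kek(password: str, salt: bytes) -> bytes:
    # KEK derived from the password; PBKDF2-HMAC-SHA256 is an assumed KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, an assumed stand-in for the server's cipher.
    out = bytearray()
    for block in range((length + 31) // 32):
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Layout: 16-byte nonce || ciphertext || 32-byte HMAC tag over nonce and ciphertext.
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong KEK or tampered ciphertext")  # a wrong password lands here
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def create_encryption_key(name: str, password: str) -> None:
    # Figure 2-1: raw CEK + KEK -> encrypted CEK, which is what gets catalogued.
    cek, salt = secrets.token_bytes(32), secrets.token_bytes(16)
    sysencryptkeys[name] = (salt, encrypt(derive_kek(password, salt), cek))

def open_cek(name: str, password: str) -> bytes:
    # Figure 2-2: re-derive the KEK and decrypt the CEK for the DML statement;
    # the raw CEK returned here is then used to encrypt or decrypt column data.
    salt, wrapped = sysencryptkeys[name]
    return decrypt(derive_kek(password, salt), wrapped)

def password_opens_key(name: str, password: str) -> bool:
    # True only if the password reproduces the KEK that wrapped this CEK.
    try:
        open_cek(name, password)
        return True
    except ValueError:
        return False
```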