The SSO or the key custodian uses sp_encryption to set the system encryption password. The system password is specific to the database in which sp_encryption is executed, and its encrypted value is stored in the sysattributes system table in that database.
sp_encryption system_encr_passwd, ‘password’
The password specified using sp_encryption can be 255 bytes in length, and is used by Adaptive Server to encrypt all keys all keys that do not specify a user-specified password, login password, or login association in that database. Once the system encryption password has been set in a database, Adaptive Server has automatic access to it, not only to encrypt new keys, but also to decrypt keys when a user reads or writes encrypted columns.
The system encryption password must be set in every database where encryption keys are created without the with passwd clause. The system encryption password must be set when key copies are added for login_association, until the key copy assignees have logged in to Adaptive Server and used their key copy.
The SSO or key custodian can change the system password by using:
sp_encryption system_encr_passwd, ‘password’ [ , ‘old_password’]
When the system password is changed, Adaptive Server automatically reencrypts all keys encrypted with the system encryption password in the database with the new password.
