Encryption Key Management
Tables are encrypted on disk by randomly chosen table keys. These keys are encrypted by a single, randomly chosen database key. The database key is secured by the passphrase.
The ALTER PASSPHRASE statement lets you change the passphrase, which automatically changes the database key but leaves the table keys untouched.
The ALTER KEYS statement lets you change the table keys without changing the passphrase and database key. For each table in a database, the system randomly chooses a key for encryption/decryption operations. The key is encrypted with the database key.
Note: The ALTER PASSPHRASE operation requires auto commit to be ON; otherwise, an error will occur.
Note: After the database key and passphrase are updated, the existing checkpoints are no longer valid, and a new checkpoint should be taken to ensure disaster recovery operations.
The following illustrates how key management works:
Last modified date: 03/21/2024