ALTER PASSPHRASE
Valid in: SQL, ESQL, OpenAPI, ODBC, JDBC, .NET
The ALTER PASSPHRASE statement changes the passphrase for a database and optionally rotates the main key. The main key is used to derive the database encryption key for an encrypted database.
For more details on the different options of the passphrase, see Encryption Key Management in the Security Guide.
Note: This statement requires the AUTOCOMMIT setting to be ON.
Note: After ALTER PASSPHRASE, restoring from previous checkpoints requires the old passphrase. When restoring from a previous checkpoint, roll forward of log records is possible only up to the execution of the ALTER PASSPHRASE statement, but not beyond. After a passphrase change it is therefore recommended to take a new checkpoint to provide for disaster recovery.
This statement has the following format:
ALTER PASSPHRASE 'old_passphrase' TO 'new_passphrase'
[WITH with_item {, with_item}]
with_item = [NO]NEWKEY | [NO]STASH | PBKDF = ( option = value {, option = value} )
old_passphrase
Specifies the old passphrase. If the passphrase is currently stashed, then it is not necessary to specify the old passphrase.
new_passphrase
Specifies the new passphrase.
[NO]NEWKEY
NEWKEY specifies that the main key is rotated. NONEWKEY keeps the current main key.
Default: NONEWKEY
[NO]STASH
The option STASH specifies that the new passphrase is stashed. A stashed passphrase cannot be disabled, so the database cannot be locked and therefore never requires unlocking, not even after a database server restart.
Note: If the STASH option is not specified, the new passphrase is not stashed, even if the old passphrase was stashed. Consequently, the database can be locked and must be unlocked, including after a database server restart. Unlocking the database requires the passphrase from the user running the ENABLE PASSPHRASE statement.
Default: NOSTASH
PBKDF =
Specifies options for the Password Based Key Derivation Function (PBKDF). This is a standard algorithm used to derive the protection key from the passphrase. The protection key is used to encrypt and decrypt the main key.
KDF = 'algorithm'
Specifies the PBKDF algorithm to use.
Currently, only the algorithm 'PBKDF2' is supported and this is the default.
The following parameters can be set for PBKDF2:
DIGEST=
Specifies the digest algorithm used with PBKDF2.
Currently, only 'SHA256' is supported as digest algorithm and this is the default.
ITERATIONS=
Specifies the number of iterations performed by the PBKDF2 algorithm. The default number of iterations is 2048. The minimum value is 1000 and the maximum value is 1000000.
SALT_LENGTH=
Specifies the length of the salt used by the PBKDF2 algorithm. The default salt length is 16. The minimum value is 16 and the maximum value is 64.
If the option PBKDF is not specified, or individual parameters are not specified, then their values remain unchanged.
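As an added illustration (not code from the product or from this page), the following Python model shows what the options above mean: the protection key is derived from the passphrase with PBKDF2 and SHA256 within the ITERATIONS and SALT_LENGTH bounds stated here, that key wraps the main key, a passphrase change re-wraps the main key, and NEWKEY replaces it. The 32-byte key sizes, the XOR-based wrap and the Envelope layout are assumptions of the model, not the database's actual format.

```python
import hashlib, hmac, os, secrets
from dataclasses import dataclass

# Bounds from this page: PBKDF2/SHA256 only; ITERATIONS 1000..1000000 (default 2048); SALT_LENGTH 16..64 (default 16).
DEFAULT_ITERATIONS, MIN_ITERATIONS, MAX_ITERATIONS = 2048, 1000, 1000000
DEFAULT_SALT_LENGTH, MIN_SALT_LENGTH, MAX_SALT_LENGTH = 16, 16, 64

def validate_pbkdf(iterations, salt_length):
    """Reject PBKDF values outside the ranges the statement accepts."""
    if not MIN_ITERATIONS <= iterations <= MAX_ITERATIONS:
        raise ValueError(f"ITERATIONS must be {MIN_ITERATIONS}..{MAX_ITERATIONS}")
    if not MIN_SALT_LENGTH <= salt_length <= MAX_SALT_LENGTH:
        raise ValueError(f"SALT_LENGTH must be {MIN_SALT_LENGTH}..{MAX_SALT_LENGTH}")

def protection_key(passphrase, salt, iterations):
    """PBKDF2 with SHA256, as the page describes; the 32-byte output length is an assumption."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, 32)

def xor_wrap(key, main_key):
    """Toy wrap (assumption, not the product's scheme): XOR the 32-byte main key with an
    HMAC-derived keystream. XOR is its own inverse, so the same call also unwraps."""
    stream = hmac.new(key, b"main-key-wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(main_key, stream))

@dataclass
class Envelope:                 # what is stored so the main key can be recovered later
    salt: bytes
    iterations: int
    wrapped_main_key: bytes

def create_envelope(passphrase, main_key, iterations=DEFAULT_ITERATIONS,
                    salt_length=DEFAULT_SALT_LENGTH):
    validate_pbkdf(iterations, salt_length)
    salt = os.urandom(salt_length)                       # fresh salt on every passphrase change
    return Envelope(salt, iterations,
                    xor_wrap(protection_key(passphrase, salt, iterations), main_key))

def unwrap_main_key(env, passphrase):
    """A wrong passphrase yields different bytes rather than an error in this toy model."""
    return xor_wrap(protection_key(passphrase, env.salt, env.iterations), env.wrapped_main_key)

def alter_passphrase(env, old, new, newkey=False, iterations=None, salt_length=None):
    """Model of ALTER PASSPHRASE: unwrap with the old passphrase, rotate the main key only
    if NEWKEY, re-wrap under the new one; unspecified PBKDF parameters keep their values."""
    main_key = unwrap_main_key(env, old)
    if newkey:
        main_key = secrets.token_bytes(32)               # NEWKEY: a new main key
    return create_envelope(new, main_key,
                           env.iterations if iterations is None else iterations,
                           len(env.salt) if salt_length is None else salt_length)
```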
Related Statements
ALTER KEYS
DISABLE PASSPHRASE
ENABLE PASSPHRASE
Last modified date: 12/19/2024