Your database key store is created when you enable your database for transparent data encryption using the PROUTIL ENABLEENCRYPTION command. The key store has the following main functions:
Stores the Database Master Key (DMK) externally from the database
Derives the database object virtual keys from the DMK
Protects the DMK and object virtual keys from being copied
Controls access to the key store through built-in user accounts with strong passphrase protection
Denies access to a transparent data encryption-enabled database if the user cannot open the key store by supplying a passphrase for one of the built-in key store user accounts
Configures opening of the key store through automated processes
A key store has two built-in user accounts: the admin account and the user account. Key store administrator privilege is required to create or change any key store value, including all aspects of encryption key generation and storage. User privilege is required to access encryption key values. You must always provide a passphrase for the key store admin account when you create the key store; the user account passphrase is optional. The passphrases for the key store user and admin accounts must be different.
Passphrases must comply with the rules in Table 37.
Table 37. Passphrase constraints
Minimum number of characters: 8
Maximum number of characters: 2048
Minimum number of numeric characters: 1
Minimum number of alpha characters: 2
Minimum number of punctuation characters: 1
Character set: [a-zA-Z0-9]!@#$%^&*()_+-{}[]|\,./<>?;:<space>
First character: (see Character set)
Mixed case alpha required: True
Case sensitive: True
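The following validator applies the Table 37 rules, plus the requirement that the admin and user passphrases differ, so that passphrases can be checked before they are handed to PROUTIL. It is an added example, not Progress OpenEdge code (PROUTIL enforces these rules itself when the key store is created). One assumption is made where the table is silent: <space> is accepted as a character but is not counted toward the punctuation minimum.

```python
"""Validator for the key store passphrase rules in Table 37.

Added example, not Progress OpenEdge code. Assumption: <space> is allowed
but is not counted as a punctuation character.
"""
import string
from typing import Dict, List, Optional

MIN_LEN, MAX_LEN = 8, 2048
MIN_DIGITS, MIN_ALPHA, MIN_PUNCT = 1, 2, 1

# Punctuation characters listed in Table 37; space is handled separately.
PUNCTUATION = set(r"!@#$%^&*()_+-{}[]|\,./<>?;:")
ALLOWED = set(string.ascii_letters) | set(string.digits) | PUNCTUATION | {" "}


def check_passphrase(passphrase: str) -> List[str]:
    """Return the rules a single passphrase violates (empty list = acceptable)."""
    problems = []
    if len(passphrase) < MIN_LEN:
        problems.append(f"fewer than {MIN_LEN} characters")
    if len(passphrase) > MAX_LEN:
        problems.append(f"more than {MAX_LEN} characters")

    # Every character, including the first, must come from the character set.
    disallowed = sorted({c for c in passphrase if c not in ALLOWED})
    if disallowed:
        problems.append("disallowed characters: " + repr("".join(disallowed)))

    digits = sum(c in string.digits for c in passphrase)
    alphas = sum(c in string.ascii_letters for c in passphrase)
    puncts = sum(c in PUNCTUATION for c in passphrase)
    if digits < MIN_DIGITS:
        problems.append(f"fewer than {MIN_DIGITS} numeric character(s)")
    if alphas < MIN_ALPHA:
        problems.append(f"fewer than {MIN_ALPHA} alpha characters")
    if puncts < MIN_PUNCT:
        problems.append(f"fewer than {MIN_PUNCT} punctuation character(s)")

    # Mixed case alpha required: at least one lower-case and one upper-case letter.
    has_lower = any(c in string.ascii_lowercase for c in passphrase)
    has_upper = any(c in string.ascii_uppercase for c in passphrase)
    if not (has_lower and has_upper):
        problems.append("needs both upper-case and lower-case letters")
    return problems


def check_keystore_passphrases(admin: str, user: Optional[str] = None) -> Dict[str, List[str]]:
    """Validate the required admin passphrase and the optional user passphrase.

    Each must satisfy Table 37 on its own, and the two must differ. The
    comparison is case sensitive, so 'Secret' and 'secret' are different.
    """
    result = {"admin": check_passphrase(admin)}
    if user is not None:
        result["user"] = check_passphrase(user)
        if user == admin:
            result["user"].append("must differ from the admin passphrase")
    return result


if __name__ == "__main__":
    # Constructed sample passphrases, for illustration only.
    for label, pp in [("good", "Tr0ub4dor&3"), ("weak", "password"), ("short", "Ab1!")]:
        print(f"{label}: {check_passphrase(pp) or 'OK'}")
    print(check_keystore_passphrases("Tr0ub4dor&3", "Tr0ub4dor&3"))
```

Run the block directly to see the verdicts for the three constructed samples; the last line shows the admin/user mismatch rule firing when both accounts are given the same passphrase.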
When your key store is created, it is bound to your database, but it remains a separate entity. PROBKUP does not back up your key store. If you create a copy of your database with PROCOPY, the key store is not copied. The key store is not part of your database structure definition. If you copy an encryption-enabled database, you will not be able to open the copy until you copy the key store and rebind it to the copied database using the PROUTIL EPOLICY command.
The key store is separate from your database for security reasons, and you must securely back it up when you back up your database. Protecting your key store is vital to maintaining access to your encrypted database. Without your key store, you will be unable to open your database.
Compare your database and key store to your car and car keys. The key store is separate from your database because tying them together would be like leaving your car key in the door lock: your door might be locked, but the probability of someone "breaking in" is greatly increased. Also as with your car, you want a secure backup of your car keys or key store in case the original is lost.