Your database key store is created when you enable your database for transparent data encryption using the PROUTIL ENABLEENCRYPTION command. The key store has the following main functions:

A key store has two built-in user accounts: the admin account and the user account. Key store administrator privilege is required to create or change any key store value, including all aspects of encryption key generation and storage. User privilege is required to access encryption key values. You must always provide a passphrase for the key store admin account when you create the key store; the user account passphrase is optional. The passphrases for the key store user and admin accounts must be different.

Passphrases must comply with the rules described in the table below.

When your key store is created, it is bound to your database, but it remains a separate entity. PROBKUP does not backup your key store. If you create a copy of your database with PROCOPY, the key store is not copied. The key store is not part of your database structure definition. If you copy an encryption-enabled database, you will not be able open the copy until you copy and rebind the key store to the copied database using the PROUTIL EPOLICY command.

The key store is separate from your database for security reasons, and you must securely back it up when you back up your database. Protecting your key store is vital to maintaining access to your encrypted database. Without your key store, you will be unable to open your database.

Compare your database and key store to your car and car keys. The key store is separate from your database because tying them together would be like leaving your car key in the door lock; your door might be locked, but the probability of someone "breaking in" is greatly increased. Also like your car, you want to have a secure back up of your car keys or key store in case the original is lost.