Once you have established your encryption policies and all your data is encrypted, the policies still need periodic maintenance. At regular intervals, each encryption policy should be updated with a new key (rekeyed). Rekeying keeps the encryption cipher the same and changes only the key material that is fed to the cipher algorithm, which limits how much data is ever protected by any single key. The following figure depicts this periodic rekeying of encryption policies in the life cycle of encrypted data.
Figure 12. Encrypted data life cycle
Encryption policies are rekeyed in several ways. See one of the following sections for more information:
The following guidelines apply to object encryption policies:
No more than two active encryption policies (the current policy and the previous policy) can be associated with a database object at any time.
If only one policy exists for a database object (the current policy), you can create a new version of the policy. The new version becomes the current policy and the former current policy becomes the previous policy.
If two policies (current and previous) already exist for an object, you cannot create another version of the policy until all data that was encrypted with the previous policy has been migrated to the current policy.
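The three guidelines above describe a small state machine: one or two active policy versions per object, a rekey that rotates current to previous, and a block on further rekeys while any data still sits under the previous version. The following Python model is an added illustration of that rule and of the migration step, not code from the product this page documents. It assumes a single object type, a stand-in HMAC-SHA256 counter-mode cipher (stdlib only, so it runs offline; the product's actual cipher and key handling are not shown on this page), and the hypothetical names EncryptedObject, rekey, migrate and pending_migration chosen for the example.

```python
"""Model of object encryption policy rekeying (added example, hypothetical
names).  An object carries a current policy and at most one previous policy.
A new version may be created only when no record remains encrypted under
the previous version; migration re-encrypts those records under current."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional

# The cipher identifier never changes on rekey; only the key material does.
CIPHER_ID = "hmac-sha256-ctr"  # stand-in cipher for the example, not the product's


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 keystream in counter mode."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class PolicyVersion:
    version: int
    key: bytes
    cipher: str = CIPHER_ID


@dataclass
class Record:
    policy_version: int  # which policy version this ciphertext was produced under
    nonce: bytes
    ciphertext: bytes


class EncryptedObject:
    """One database object (for example a table) with its current/previous policy."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.current = PolicyVersion(1, os.urandom(32))
        self.previous: Optional[PolicyVersion] = None
        self.records: List[Record] = []

    def insert(self, plaintext: bytes) -> None:
        """New data is always written under the current policy."""
        nonce = os.urandom(16)
        ct = keystream_xor(self.current.key, nonce, plaintext)
        self.records.append(Record(self.current.version, nonce, ct))

    def _policy(self, version: int) -> PolicyVersion:
        for p in (self.current, self.previous):
            if p is not None and p.version == version:
                return p
        raise KeyError(f"{self.name}: policy version {version} is not active")

    def read(self, rec: Record) -> bytes:
        """Decrypt with whichever of the two active versions wrote the record."""
        p = self._policy(rec.policy_version)
        return keystream_xor(p.key, rec.nonce, rec.ciphertext)

    def pending_migration(self) -> int:
        """Records still encrypted under the previous policy."""
        if self.previous is None:
            return 0
        return sum(1 for r in self.records if r.policy_version == self.previous.version)

    def can_rekey(self) -> bool:
        """A third version is refused until the previous one holds no data."""
        return self.pending_migration() == 0

    def rekey(self) -> int:
        """Create a new policy version: current -> previous, fresh key -> current."""
        if not self.can_rekey():
            raise RuntimeError(f"{self.name}: {self.pending_migration()} records still "
                               f"under version {self.previous.version}; migrate first")
        self.previous = self.current
        self.current = PolicyVersion(self.current.version + 1, os.urandom(32), self.current.cipher)
        return self.current.version

    def migrate(self) -> int:
        """Re-encrypt every record under previous with the current key; returns the count."""
        moved = 0
        for r in self.records:
            if self.previous is not None and r.policy_version == self.previous.version:
                plaintext = self.read(r)
                r.nonce = os.urandom(16)
                r.ciphertext = keystream_xor(self.current.key, r.nonce, plaintext)
                r.policy_version = self.current.version
                moved += 1
        return moved


if __name__ == "__main__":
    t = EncryptedObject("customer")
    t.insert(b"constructed row 1")
    t.insert(b"constructed row 2")
    t.rekey()                      # version 2 current, version 1 previous
    assert not t.can_rekey()       # blocked: rows still under version 1
    t.migrate()
    print("rekey allowed again:", t.can_rekey(), "rows:", [t.read(r) for r in t.records])
```

Note that records are decrypted with whichever of the two active versions produced them, which is why a key for the previous version must stay available until migration finishes; retiring it early would make that data unreadable.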