Information
Sybase ASE allows columns to be encrypted with keys that reside in the same database or
in different databases. Encryption keys should be stored in a separate database from the
data that they are used to encrypt.
Rationale:
In the event of the theft of a database dump, the attacker must have access to dumps of the
encryption key database and the database holding the encrypted data rather than a single
database that holds both the keys and the encrypted data.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
1. Connect to the ASE server as a user with the sso_role or the keycustodian_role
and execute the following SQL statement to create an encryption key in a specified
database (where <Database> should be substituted for the database that is to hold
the encryption key, <Owner> for key owner and <KeyName> for the key name). Note
that the following statement is provided as an example only; the Sybase ASE 15.0.2
Reference Manual contains the full syntax for the create encryption key
command.
create encryption key <Database>.<Owner>.<KeyName>