3.6.3 Password protect encryption keys

Information

Sybase ASE 15.0.2 supports per encryption key passwords that can be used to restrict
access to encrypted data. This can be used to limit DBO and system administrator access to
data; a user must have knowledge of the encryption key password as well as the decrypt
permission on the column in order to decrypt the data.

Rationale:

Depending on your organizations security policy it may be a requirement to restrict data
access to a small subset of users that excludes system administrators; encryption key
passwords provide a means of accomplishing this within Sybase ASE.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

1. Connect to the ASE server as a user with either the sso_role or the
keycustodian_role and execute the following SQL statement to create an
encryption key with a password (where <KeyName> should be substituted for the
chosen key name and <Password> for a strong password). Note that the following
statement is provided as an example only; the Sybase ASE 15.0.2 Reference Manual
contains the full syntax for the create encryption key command.

create encryption key <KeyName> with passwd '<Password>'

See Also

https://workbench.cisecurity.org/files/1612

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(c)

Plugin: SybaseDB

Control ID: 69254edcbc6270df695333e01d6f87684bcdb8bf43bde45b906dd4c0af89a552