Password Rotation

"Password rotation" in DbDefence refers to the process of changing the access password to the database. It does not affect the .dbd_key files. Initially, the password used to access the database is the same as the password used for encryption. However, you can easily and quickly change the access password. It is a good idea to change it immediately after encryption.

Adding a new password

A password added with this method can only be used to unlock access to the database. The password can't be used to decrypt the database. To decrypt the database you would need to use the password initially used for encryption. Many passwords can be added. Passwords don't overwrite each other and can be used simultaneously. Access passwords are affected by backup/restore commands: if you restore an old backup, then any passwords created after the backup become invalid.

Backups of the database are encrypted with the initial encryption password. Backup encryption is not affected by the access password.

To add a new password, you must unlock the database:

OPEN SYMMETRIC KEY dbdx DECRYPTION BY PASSWORD='SomePass1'

Then add the new password:

ALTER SYMMETRIC KEY dbdx ADD ENCRYPTION BY PASSWORD='SomePass2'

Removing an existing password

You may remove a password previously added with the ALTER SYMMETRIC KEY statement, or the password originally used for encryption. To remove a password, you must first unlock the database with one of the existing passwords:

OPEN SYMMETRIC KEY dbdx DECRYPTION BY PASSWORD='SomePass1'

ALTER SYMMETRIC KEY dbdx DROP ENCRYPTION BY PASSWORD='SomePass2'

Access passwords are affected by backup/restore commands. If you remove a password and then restore an old backup, the password becomes valid again.
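The two procedures above combine into a complete rotation: register the new password, confirm it works, and only then retire the old one. The script below is an added example and is not part of the DbDefence documentation; it reuses the page's key name dbdx and its sample passwords SomePass1 and SomePass2, and it assumes that an OPEN SYMMETRIC KEY unlock applies only to the connection that issued it, so the verification step is run from a second connection.

```sql
-- Connection 1: unlock with the password currently in use, then register
-- the replacement access password alongside it (passwords do not overwrite
-- each other, so SomePass1 keeps working until it is explicitly dropped).
OPEN SYMMETRIC KEY dbdx DECRYPTION BY PASSWORD='SomePass1'
ALTER SYMMETRIC KEY dbdx ADD ENCRYPTION BY PASSWORD='SomePass2'

-- Connection 2 (assumption: unlock state is per connection): prove that the
-- new password grants access BEFORE the old one is removed. If this OPEN
-- fails, stop here; SomePass1 is still valid and nothing has been lost.
OPEN SYMMETRIC KEY dbdx DECRYPTION BY PASSWORD='SomePass2'

-- Still on connection 2, with access confirmed via the new password,
-- retire the old access password.
ALTER SYMMETRIC KEY dbdx DROP ENCRYPTION BY PASSWORD='SomePass1'
```

Two points from the sections above are worth keeping in mind when running this. If SomePass1 was the initial encryption password, dropping it only stops it from unlocking access; it remains the only password that can decrypt the database or its backups, so it still has to be kept in secure storage. And because restoring an older backup reverts the set of access passwords to what existed at backup time, the rotation has to be repeated after any restore, otherwise the retired password is valid again and the new one is not.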

Database re-encryption

Unlike the add/remove password commands, the process of re-encryption may be very time consuming. During this process the database is offline and not accessible to users. You may use the DbDefence GUI or the command line tool to decrypt and then re-encrypt the database.