DB2 10.5 for Linux, UNIX, and Windows

ADMIN_ROTATE_MASTER_KEY procedure - Change the database master key

The ADMIN_ROTATE_MASTER_KEY procedure changes the master key for an encrypted database.


The following authorization is required:
  • EXECUTE privilege on the routine. EXECUTE privilege on this routine can be granted only by the security administrator (SECADM).

Default PUBLIC privilege




The schema is SYSPROC.

Procedure parameters

An input and output parameter of type VARCHAR(255) that specifies the label of the new master key to be rotated. The label is associated with a master key at the keystore. If a label is specified, it must be associated with a master key at the keystore. If there is no association, the procedure fails. If this parameter is NULL, a new master key and master key label are generated.

Information returned

Table 1. Information returned by the ADMIN_ROTATE_MASTER_KEY procedure
Column name    Data type       Description
LABEL          VARCHAR(255)    The name of the new master key that protects the database encryption key.

Usage notes

Rotation of the master key label should be done according to the organization's security policy. This is similar to changing user passwords at a regular interval, which is also enforced by a security policy. Before performing a master key rotation, you must ensure that the specified label is defined at the keystore and mapped to an existing master key.

This procedure does not re-encrypt any of the data stored on disk.

In a partitioned database environment, ensure that all database partitions are active before calling this procedure.


Rotate the master key with the specified label.

  Value of output parameters
  Parameter Name  : LABEL
  Parameter Value : UserGivenLabel

  Return Status = 0

Rotate the master key without a specific label.

  Value of output parameters
  Parameter Name  : LABEL
  Parameter Value : DB2_SYSGEN_instancename_dbname_timestamp

  Return Status = 0
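
The statements that correspond to the authorization requirement and the two outputs above, as an added example that is not part of the original page. The user name KEYADMIN is hypothetical, and the verification query uses the ADMIN_GET_ENCRYPTION_INFO table function, which this page does not describe.

```sql
-- Added example, not from the original page. KEYADMIN is a hypothetical user.

-- 1. Run as the security administrator (SECADM): only SECADM can grant
--    EXECUTE on this routine.
GRANT EXECUTE ON PROCEDURE SYSPROC.ADMIN_ROTATE_MASTER_KEY TO USER KEYADMIN;

-- 2a. Rotate to a label that is already defined at the keystore and mapped
--     to an existing master key. The call fails if the label has no
--     associated master key.
CALL SYSPROC.ADMIN_ROTATE_MASTER_KEY('UserGivenLabel');

-- 2b. Alternatively, pass NULL so that a new master key and label are
--     generated; the generated label is returned in the LABEL output
--     parameter.
CALL SYSPROC.ADMIN_ROTATE_MASTER_KEY(NULL);

-- 3. Confirm which label now protects the database encryption key and
--    record the rotation for audit purposes (assumes the
--    ADMIN_GET_ENCRYPTION_INFO table function is available at this level).
SELECT MASTER_KEY_LABEL, PREVIOUS_MASTER_KEY_LABEL, ROTATION_TIME
  FROM TABLE(SYSPROC.ADMIN_GET_ENCRYPTION_INFO());
```

Because the procedure does not re-encrypt data on disk, keep the previous master key in the keystore after rotation: backup images taken before the rotation still depend on it.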