ADMIN_ROTATE_MASTER_KEY procedure - Change the database master key
The ADMIN_ROTATE_MASTER_KEY procedure changes the master key for an encrypted database.
Authorization
- EXECUTE privilege on the routine. EXECUTE privilege on this routine can be granted only by the security administrator (SECADM).
Default PUBLIC privilege
None
Syntax
ADMIN_ROTATE_MASTER_KEY(label)
The schema is SYSPROC.
Procedure parameters
- label
  An input and output parameter of type VARCHAR(255) that specifies the label of the new master key to rotate to. The label is associated with a master key in the keystore. If a label is specified, it must be associated with a master key in the keystore; if there is no such association, the procedure fails. If this parameter is NULL, a new master key and master key label are generated and the generated label is returned in this parameter.
  Note: When the allow_key_insert_without_keystore_backup configuration parameter is off, you cannot use an automatically generated master key.
Information returned
| Column name | Data type | Description |
|---|---|---|
| LABEL | VARCHAR(255) | The name of the new master key that protects the database encryption key. |
Usage notes
Rotate the master key according to the organization's security policy. This is similar to changing user passwords at a regular interval, which is also enforced by a security policy. Before performing a master key rotation, ensure that the specified label is defined in the keystore and mapped to an existing master key.
This procedure does not re-encrypt any of the data stored on disk.
In a partitioned database environment, ensure that all database partitions are active before calling this procedure.
Examples
Example 1: Rotate to a master key whose label already exists in the keystore.
CALL SYSPROC.ADMIN_ROTATE_MASTER_KEY('UserGivenLabel')

Value of output parameters
--------------------------
Parameter Name : LABEL
Parameter Value : UserGivenLabel

Return Status = 0

Example 2: Let the database generate a new master key and label.
CALL SYSPROC.ADMIN_ROTATE_MASTER_KEY(NULL)

Value of output parameters
--------------------------
Parameter Name : LABEL
Parameter Value : DB2_SYSGEN_instancename_dbname_timestamp

Return Status = 0
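The following is an added example, not part of the original reference page, showing how a rotation is verified before and after the call and how the generated label is captured when NULL is passed. It assumes the SYSPROC.ADMIN_GET_ENCRYPTION_INFO table function is available in your Db2 release, that 'UserGivenLabel' is already defined in the keystore, and that the MK_ROTATION_LOG audit table is a constructed, hypothetical table of your own.

```sql
-- Added example (not from the original page).
-- Assumptions: SYSPROC.ADMIN_GET_ENCRYPTION_INFO() exists in this Db2 release;
-- 'UserGivenLabel' is already mapped to a master key in the keystore;
-- MK_ROTATION_LOG is a constructed audit table, not a Db2 catalog object.

-- 1. Record which master key label currently protects the database encryption key.
SELECT MASTER_KEY_LABEL, PREVIOUS_MASTER_KEY_LABEL, ROTATION_TIME, KEYSTORE_NAME
  FROM TABLE(SYSPROC.ADMIN_GET_ENCRYPTION_INFO()) AS T;

-- 2. Rotate to a label that exists in the keystore.
--    The call fails if the label is not associated with a master key there,
--    so a typo in the label cannot silently leave the database on a new key.
CALL SYSPROC.ADMIN_ROTATE_MASTER_KEY('UserGivenLabel');

-- 3. Confirm the rotation took effect: MASTER_KEY_LABEL should now be
--    'UserGivenLabel', PREVIOUS_MASTER_KEY_LABEL the value seen in step 1,
--    and ROTATION_TIME should have advanced. Data on disk is not re-encrypted;
--    only the wrapping of the database encryption key changed.
SELECT MASTER_KEY_LABEL, PREVIOUS_MASTER_KEY_LABEL, ROTATION_TIME
  FROM TABLE(SYSPROC.ADMIN_GET_ENCRYPTION_INFO()) AS T;

-- 4. Rotating to a generated key: because label is an INOUT parameter,
--    passing NULL returns the DB2_SYSGEN_... label, which must be recorded
--    since it is the only handle on the key that now protects the database.
--    (Run with a CLP statement terminator other than ';', e.g. --#SET TERMINATOR @)
CREATE TABLE MK_ROTATION_LOG (
  ROTATED_AT TIMESTAMP NOT NULL,
  NEW_LABEL  VARCHAR(255) NOT NULL
)@

BEGIN
  DECLARE v_label VARCHAR(255) DEFAULT NULL;
  CALL SYSPROC.ADMIN_ROTATE_MASTER_KEY(v_label);
  -- v_label now holds the generated label; persist it for the key inventory.
  INSERT INTO MK_ROTATION_LOG (ROTATED_AT, NEW_LABEL)
    VALUES (CURRENT TIMESTAMP, v_label);
END@
```

Step 4 is only possible when allow_key_insert_without_keystore_backup is on, as the parameter note above states; otherwise use the explicit-label form from steps 2 and 3.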