Change keys for password encryption and decryption
SET SYSTEM DEFAULT HOSTKEY TO <keystore name>.<key name>;
- <keystore name>: Name of the keystore.
- <key name>: Name of the key, which must be of type AES_256.
SET SYSTEM DEFAULT HOSTKEY TO NONE;
Because some users can have a mix of host and client versions, the .nzpassword file on the client might need to be accessed by different clients: some that understand the old Blowfish format, and some that understand both the Blowfish format and the AES_256 format. In such cases, the .nzpassword file must be maintained in the old format. If you are using the Blowfish format, you can continue to add passwords in that format.
To enforce the improved security available with the AES_256 format, you can convert old-format passwords to the new format by running nzpassword resetkey. You can also run nzpassword resetkey to change the client key if the passwords are already in AES_256 format. This command auto-generates a new client key and re-encrypts all the user passwords stored on the client with it. For information about this command, see the IBM® Netezza® Database User’s Guide.
To convert all AES_256-encrypted passwords to Blowfish-encrypted passwords, such as for a major downgrade, run nzpassword resetkey -none. This command re-encrypts the user passwords in the old format and stores them. For more information, see the IBM Netezza System Administrator’s Guide.