Password Rotation

"Password rotation" in DbDefence is the process of changing the access password to the database. It does not affect .dbd_key files. Initially, the password used to access the database is the same as the password used for encryption. However, you may change the access password easily and quickly. It is a good idea to change it immediately after encryption.

Adding a new password.

A password added with this method can only be used to unlock access to the database. It can't be used to decrypt the database. To decrypt the database you need the password initially used for encryption. Many passwords can be added. Passwords don't overwrite each other and can be used simultaneously. Access passwords are affected by backup/restore commands: if you restore an old backup, then passwords created after the backup become invalid.

Backups of the database are encrypted with the encryption password and are not affected by the access password.

To add a new password you must unlock the database:

OPEN SYMMETRIC KEY dbdx DECRYPTION BY PASSWORD='SomePass1'

Then add the new password:

ALTER SYMMETRIC KEY dbdx ADD ENCRYPTION BY PASSWORD='SomePass2'

Removing an existing password.

You may remove a password previously added with the ALTER SYMMETRIC KEY function, or the password used for encryption. To remove a password you must unlock the database with one of the existing passwords:

OPEN SYMMETRIC KEY dbdx DECRYPTION BY PASSWORD='SomePass1'

ALTER SYMMETRIC KEY dbdx DROP ENCRYPTION BY PASSWORD='SomePass2'

Access passwords are affected by backup/restore commands. If you remove a password and then restore an old backup, the password becomes valid again.

Database re-encryption.

Unlike the add/remove password commands, the process of re-encryption may be very time-consuming. During this process the database is offline and not accessible by users. You may use the DbDefence GUI as well as the command line tool to decrypt and then encrypt the database.