From InterBase
Jump to: navigation, search

Go Up to Statement and Function Reference (Language Reference Guide)

Used to delete an encryption key from a database.

DROP ENCRYPTION key-name [restrict | cascade]
Argument Description


Specifies the name of the encryption key to drop from the database.


This is the sub-command which is the default drop behavior.


Decrypts all fields in all relations encrypted by it.

Description: An encryption key can be dropped (deleted) from the database. Only the SYSDSO can execute this command. The command fails if the encryption key is still being used to encrypt the database. If any table columns are encrypted when "restrict" is specified, which is the default drop behavior, the command also fails. If "cascade" is specified, then all columns using that encryption are decrypted and the encryption is dropped “Restrict” and “Cascade” are the only options available for this command.

In the case of Column-level Encryption use, although DROP ENCRYPTION CASCADE decrypts all fields in all relations encrypted by it, that decryption process makes back versions of the decrypted records, which remain dependent on the existence of the encryption. The encryption is only marked for deletion.

The next time the database is swept, database sweep completion checks for any record formats that still depend on a “marked for deletion” encryption. If there are none, the encryption is fully deleted at that time.

If you are trying to completely remove all encryption from your database and are presented with an "unsuccessful metadata update encryptions still exist", you need to sweep the database after the DROP ENCRYPTION CASCADE and before ALTER DATABASE SET NO SYSTEM PASSWORD.

Example: The following example uses the cascade option to decrypt all columns using the revenue_key and to delete the key:

drop encryption revenue_key cascade

See Also

Advance To: