Who Can Create Encryption?

From InterBase

Encryption tasks, which are summarized in the table on the page An Overview of Encryption Tasks, are primarily performed by the following users: a SYSDSO, the database owner, and any individual table owners who are given permission to encrypt specific columns in a table. InterBase requires the creation of the System Database Security Owner (SYSDSO) user to implement specific encryption tasks. SYSDSO is a reserved user name, similar to SYSDBA.

The database owner is typically the person who creates the database. The database owner may or may not also be the administrator of the database.

The SYSDSO role controls three significant steps in the encryption process:

  • Creates a System Encryption Password (SEP).
  • Creates the encryption keys.
  • Grants the database owner access to the encryption keys, which s/he then uses to encrypt the database and/or its columns.

However, the SYSDSO cannot encrypt databases or columns, nor can s/he grant or revoke access to encrypted data. Only a database owner and/or an individual table owner can actually encrypt a database or columns in a database; the SYSDSO simply creates the tools (the encryption keys) that are needed to perform the encryption. Requiring that several users, rather than one, set up and implement encryption adds a layer of database security: no single account holds both the keys and the right to apply them.

In addition, only the user who encrypts a column or database can grant decrypt privileges to those who need to view or modify the encrypted data. For more information about granting decrypt permission, see Granting Decrypt Permission.

Generally speaking, only the user who grants the permission can revoke the permission. For more information, see Revoking Encrypt and Decrypt Permissions.

Note: Decrypt permission is only required for column-level encryption. It is not required for database-level encryption.
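The division of duties described above, shown as an added example of the statements each role would run (this script is not from the InterBase page; the database path, user names SYSDSO/DBOWNER/ANALYST, key name, table and column are constructed placeholders, and the DDL is InterBase's encryption syntax as assumed here, so confirm it against your release's language reference):

```sql
-- Added illustration, not from the InterBase documentation. Placeholders:
-- 'server:/data/sales.ib', DBOWNER, ANALYST, cust_key, customers, card_no.
-- Statement syntax is assumed InterBase encryption DDL; verify for your release.

-- Session 1: SYSDSO. This user only prepares the tools and cannot encrypt.
CONNECT 'server:/data/sales.ib' USER 'SYSDSO' PASSWORD '<sysdso-password>';

-- Step 1: create the System Encryption Password (SEP).
ALTER DATABASE SET SYSTEM ENCRYPTION PASSWORD '<sep-password>';

-- Step 2: create an encryption key. RANDOM keeps the key material out of
-- this script; PASSWORD '<key-password>' is the alternative form.
CREATE ENCRYPTION cust_key FOR AES WITH LENGTH 256 BITS RANDOM;

-- Step 3: hand the key to the database owner. Without this grant the
-- owner's ALTER statements below fail with a privilege error.
GRANT ENCRYPT ON ENCRYPTION cust_key TO DBOWNER;
COMMIT;

-- Session 2: the database owner. Only this user can encrypt, and only the
-- user who encrypts can later grant DECRYPT on what was encrypted.
CONNECT 'server:/data/sales.ib' USER 'DBOWNER' PASSWORD '<owner-password>';

-- Column-level encryption: readers without DECRYPT see the DECRYPT DEFAULT.
ALTER TABLE customers
    ALTER COLUMN card_no ENCRYPT WITH cust_key DECRYPT DEFAULT '****';

-- Database-level encryption (may be used instead of, or as well as, the
-- column above): no DECRYPT permission is involved for this level.
ALTER DATABASE ENCRYPT WITH cust_key;

-- Grant decrypt on the column only to the account that needs clear text.
GRANT DECRYPT (card_no) ON customers TO ANALYST;
COMMIT;

-- Session 2, later: the grantor is the one who revokes.
REVOKE DECRYPT (card_no) ON customers FROM ANALYST;
COMMIT;

-- Check that the split is in effect: the same ALTER TABLE ... ENCRYPT or
-- GRANT DECRYPT issued from the SYSDSO session must be rejected with a
-- privilege error, and a SELECT of card_no as ANALYST after the REVOKE
-- must return '****' rather than the stored value.
```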