Installation guide
See also
•
Downgrading from Adaptive Server 15.7 ESD #2
on page 106
Downgrading an Adaptive Server That Uses Encryption
Downgrade an Adaptive Server versions 15.7 and later if you enabled 256-bit key encryption
keys.
1.
Set the downgrade_kek_size configuration option to true. This means you must change
the key encryption key size to 128 bits.
2.
Run
sp_downgrade
to find all column encryption keys (CEKs) and key copies that are
protected by master keys or by dual control.
3.
Drop dual control for each CEK:
alter encryption key keyname
[with passwd password
modify encryption
with no dual_control
4.
Use
drop encryption key
to drop user and login password-protected key copies.
5.
Create a system encryption password for each database that has master keys:
sp_encryption system_encr_passwd, <password>
6.
Reencrypt each CEK with the master key:
alter encryption key keyname
with passwd master key
modify encryption
with passwd system_encr_passwd
Note: The key owner must perform the reencryption for each CEK, or else the key
ownership changes.
7.
Reencrypt all base keys that are protected by user passwords:
alter encryption key keyname
with passwd old_password
modify encryption
with passwd new_passwd
Note: The key owner must perform the reencryption for each base key; otherwise, the key
ownership changes.
CHAPTER 11: Adaptive Server Downgrades
Installation Guide 113