DB2 10.5 for Linux, UNIX, and Windows

ADMIN_ROTATE_MASTER_KEY procedure - Change the database master key

The ADMIN_ROTATE_MASTER_KEY procedure changes the master key for an encrypted database.

Authorization

The following authorization is required:
  • EXECUTE privilege on the routine. EXECUTE privilege on this routine can be granted only by the security administrator (SECADM).

Default PUBLIC privilege

None

Syntax

>>-ADMIN_ROTATE_MASTER_KEY--(--label--)------------------------><

The schema is SYSPROC.

Procedure parameters

label
An input and output parameter of type VARCHAR(255). On input, it specifies the label of the master key to rotate to. A label is a name that the keystore associates with a master key; if a label is specified, it must already be associated with a master key at the keystore, otherwise the procedure fails and no rotation takes place. If this parameter is NULL, a new master key and a new label for it are generated. On output, the parameter holds the label of the master key that now protects the database.

Information returned

Table 1. Information returned by the ADMIN_ROTATE_MASTER_KEY procedure
  Column name   Data type      Description
  LABEL         VARCHAR(255)   The label of the new master key that protects the database encryption key.

Usage notes

Rotate the master key at the interval set by your organization's security policy, in the same way that the policy requires user passwords to be changed regularly. Before performing a master key rotation with an explicit label, ensure that the label is defined at the keystore and mapped to an existing master key; a label with no associated key causes the call to fail.

Rotation replaces only the master key that protects the database encryption key. This procedure does not re-encrypt any of the data stored on disk, so the time the call takes is independent of the database size.

In a partitioned database environment, ensure that all database partitions are active before calling this procedure.

Examples

Rotate the master key with the specified label.
  CALL SYSPROC.ADMIN_ROTATE_MASTER_KEY('UserGivenLabel')

  Value of output parameters
  --------------------------
  Parameter Name  : LABEL
  Parameter Value : UserGivenLabel

  Return Status = 0

Rotate the master key without a specific label. The returned label is system-generated.
  CALL SYSPROC.ADMIN_ROTATE_MASTER_KEY(NULL)

  Value of output parameters
  --------------------------
  Parameter Name  : LABEL
  Parameter Value : DB2_SYSGEN_instancename_dbname_timestamp

  Return Status = 0
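The following script is an added example and is not part of the IBM page. It shows the complete rotation procedure an operator would actually run: granting EXECUTE to a dedicated role instead of PUBLIC (the page notes that only SECADM can grant it and that PUBLIC has no default privilege), recording the label in use before the change, rotating to a label already defined at the keystore, and then confirming that the current label changed. The role name KEYADMIN, the user keyop and the label KEY_2024Q3 are hypothetical. The SYSPROC.ADMIN_GET_ENCRYPTION_INFO table function and its MASTER_KEY_LABEL, PREVIOUS_MASTER_KEY_LABEL and ROTATION_TIME columns are assumed here; they are not described on this page.

```sql
-- Added example, not from the IBM documentation. Assumptions: the
-- ADMIN_GET_ENCRYPTION_INFO table function and its column names; the role
-- KEYADMIN, user keyop and keystore label KEY_2024Q3 are hypothetical.

-- 1. As SECADM: grant EXECUTE on the procedure to a key-administration role
--    rather than to PUBLIC, and give that role only to the operator who
--    performs rotations. PUBLIC keeps its default of no privilege.
CREATE ROLE KEYADMIN;
GRANT EXECUTE ON PROCEDURE SYSPROC.ADMIN_ROTATE_MASTER_KEY TO ROLE KEYADMIN;
GRANT ROLE KEYADMIN TO USER keyop;

-- 2. As keyop: record which master key label currently protects the
--    database encryption key, so the rotation can be verified afterwards.
SELECT MASTER_KEY_LABEL, ROTATION_TIME
  FROM TABLE(SYSPROC.ADMIN_GET_ENCRYPTION_INFO()) AS T;

-- 3. Rotate to a label that has already been created at the keystore and
--    mapped to a master key. If the label is unknown to the keystore the
--    call fails and the database keeps its previous master key.
CALL SYSPROC.ADMIN_ROTATE_MASTER_KEY('KEY_2024Q3');

-- 4. Verify the result: the new label is current, the old label is recorded
--    as the previous one and ROTATION_TIME has moved forward. Only the
--    database encryption key was re-wrapped; no table data was rewritten,
--    which is why this completes quickly regardless of database size.
SELECT MASTER_KEY_LABEL, PREVIOUS_MASTER_KEY_LABEL, ROTATION_TIME
  FROM TABLE(SYSPROC.ADMIN_GET_ENCRYPTION_INFO()) AS T;
```

Run steps 2 and 4 from the same connection and compare the two result rows; if MASTER_KEY_LABEL is unchanged after step 3, check the return status of the CALL and confirm that the label exists at the keystore before retrying. In a partitioned database, run this only after confirming that every partition is active, as the usage notes require.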