Updated on 2024-05-07 GMT+08:00

ALTER COLUMN ENCRYPTION KEY

Function

ALTER COLUMN ENCRYPTION KEY encrypts the CMKs of CEKs in round robin (RR) mode and encrypts the plaintext of CEKs.

Precautions

  • This syntax is specific to the fully-encrypted database. When connecting to the database server, enable the fully-encrypted database before using this syntax.
  • This syntax takes effect on CMKs only. Encrypting the plaintext of CEKs does not change the ciphertext of the encrypted columns.

Syntax

ALTER COLUMN ENCRYPTION KEY column_encryption_key_name WITH VALUES ( CLIENT_MASTER_KEY = client_master_key_name );

Parameter Description

  • column_encryption_key_name

    Specifies the key name. In the same namespace, the value of this parameter must be unique.

    Value range: a string. It must comply with the naming convention.

  • client_master_key_name
    Specifies the CMK used to encrypt the CEK. The value is the CMK name, which is created using the CREATE CLIENT MASTER KEY syntax. The encrypted CMKs are different from those specified before RR encryption.

    The constraints of using Chinese cryptographic algorithms are as follows:

    SM2, SM3, and SM4 are Chinese cryptographic algorithms. To avoid legal risks, these algorithms must be used together. The Chinese cryptographic algorithms used for the RR encryption must be the same as those used before RR encryption.

Example

For details, see 8.15.63-Examples in section "CREATE COLUMN ENCRYPTION KEY."