Adds a key to a keyset and sets it as the master key.
Syntax
binary ADD_KEY_TO_KEYSET(binary <keyset>, string <key_type>, binary <raw_key>, [string <description>])Parameters
| Parameter | Required | Type | Description |
|---|---|---|---|
keyset |
Yes | BINARY | An existing keyset. |
key_type |
Yes | STRING | The encryption algorithm of the key to add. Valid values: AES-GCM-256, AES-SIV-CMAC-128, AES-SIV-CMAC-256. |
raw_key |
Yes | BINARY | The key to add. After the call, this key becomes the master key of the keyset. |
description |
No | STRING | A description of the data key. |
Return value
Returns the updated keyset as a BINARY value.
Use HEX to convert a BINARY value to STRING, or UNHEX to convert a STRING value back to BINARY.
Examples
The following example adds a key with the AES-SIV-CMAC-128 algorithm to an existing keyset and returns the updated keyset as a hex-encoded string.
SELECT HEX(
ADD_KEY_TO_KEYSET(
UNHEX('0A1072384D715A414541385044643351534C12580A330A0B4145532D47434D2D323536122026A8FB1126DF4F5B5DD03C180E6919565D7716CBB291815EFB5BBF30F8BEF9AF1801200210011A1072384D715A414541385044643351534C20022A0B68656C6C6F20776F726C64'),
'AES-SIV-CMAC-128',
UNHEX('b75585cf321cdcad42451690cdb7bfc49c26092f60f854e72d43244c55620a3d'),
'description'
)
);Output:
+------------+
| _c0 |
+------------+
| 0A10596530735A5145414150447273424C4212580A330A0B4145532D47434D2D323536122026A8FB1126DF4F5B5DD03C180E6919565D7716CBB291815EFB5BBF30F8BEF9AF1801200210011A1072384D715A414541385044643351534C20022A0B68656C6C6F20776F726C64125D0A380A104145532D5349562D434D41432D3132381220B75585CF321CDCAD42451690CDB7BFC49C26092F60F854E72D43244C55620A3D1801200110011A10596530735A5145414150447273424C4220022A0B6465736372697074696F6E |
+------------+References
| Reference | Description |
|---|---|
| Use keysets | How to use keyset-based encryption and decryption functions. |
| NEW_KEYSET | Creates a keyset based on a specified algorithm. |
| KEYSET_TO_JSON | Converts a BINARY keyset to a readable JSON string. |
| KEYSET_FROM_JSON | Converts a JSON keyset back to BINARY. |
| ROTATE_KEYSET | Generates a new key and sets it as the master key. |
| NEW_WRAPPED_KEYSET | Creates a wrapped keyset protected by a Key Management Service (KMS) customer master key (CMK). |
| REWRAP_KEYSET | Re-encrypts a wrapped keyset using a different KMS key. |
| ROTATE_WRAPPED_KEYSET | Rotates the master key of a wrapped keyset. |
| USE_WRAPPED_KEYSET | Converts a wrapped keyset to a basic keyset for use in encryption or decryption functions. |
| ENHANCED_SYM_ENCRYPT | Encrypts data using a specified keyset. |
| ENHANCED_SYM_DECRYPT | Decrypts data using a specified keyset. |