vij*_*jay 6 sql-server-2008 encryption
We associate the user with a schema that has limited permissions. At run time we use the same user login to generate a symmetric key. Because the user has limited permissions, we are currently unable to create the key.
How do I grant this user permission to create, read and execute a symmetric key in SQL Server 2008?
Edw*_*and 12
If you create the key without a certificate, for example:
CREATE SYMMETRIC KEY smTestKey
WITH ALGORITHM=AES_256
, IDENTITY_VALUE = 'Key to protect bla'
, Key_SOURCE = N'Secret pass phrase'
ENCRYPTION BY PASSWORD = 'secret password';
then the following is sufficient:
GRANT ALTER ANY SYMMETRIC KEY TO dbuser
If you create a symmetric key encrypted by a certificate (one created by another database user), for example:
CREATE SYMMETRIC KEY smTestKeyCert
WITH ALGORITHM = AES_256
ENCRYPTION BY CERTIFICATE testCert;
then you also need VIEW DEFINITION permission on the certificate:
GRANT VIEW DEFINITION ON CERTIFICATE::testCert TO dbuser
However, if you want to open the symmetric key by decrypting it with the certificate, the dbuser that opens the key needs CONTROL permission on the certificate:
GRANT CONTROL ON CERTIFICATE::testcert TO dbuser
Update, summary:
Your scenario:
--UserA needs to create Asymmetric keys so needs ALTER ANY ASYMMETRIC KEY PERMISSION
GRANT ALTER ANY ASYMMETRIC KEY TO userA
--UserB needs to create Symmetric keys so needs ALTER ANY SYMMETRIC KEY PERMISSION
GRANT ALTER ANY SYMMETRIC KEY TO userB
--UserA creates Asymmetric keys that are used by userB to create Symmetric keys and later open them
--So userA must create the Asymmetric key and Also give CONTROL permission on the Asymmetric key to UserB
--Create Asymmetric key
CREATE ASYMMETRIC KEY asym_CommonKey
WITH ALGORITHM = RSA_2048
ENCRYPTION BY PASSWORD = 'admin@123';
--Give control permission to UserB
GRANT CONTROL ON ASYMMETRIC KEY::asym_CommonKey to UserB
--UserB creates a symmetric key using the Asymmetric key from userA
--Note, at this stage VIEW DEFINITION permission on the Asymmetric key would have been sufficient
CREATE SYMMETRIC KEY sym_CommonKey
WITH ALGORITHM = AES_256
ENCRYPTION BY ASYMMETRIC KEY asym_CommonKey;
--UserB opens the Symmetric key, decrypting it with the Asymmetric Key
--Note, at this stage User B needs the CONTROL permission on the Asymmetric key.
OPEN SYMMETRIC KEY sym_CommonKey DECRYPTION BY ASYMMETRIC KEY asym_CommonKey WITH PASSWORD = 'admin@123';
Sources:
CREATE SYMMETRIC KEY: Requires ALTER ANY SYMMETRIC KEY permission on the database. If AUTHORIZATION is specified, requires IMPERSONATE permission on the database user or ALTER permission on the application role. If encryption is by certificate or asymmetric key, requires VIEW DEFINITION permission on the certificate or asymmetric key. Only Windows logins, SQL Server logins, and application roles can own symmetric keys. Groups and roles cannot own symmetric keys.
OPEN SYMMETRIC KEY: The caller must have some permission on the key and must not have been denied VIEW DEFINITION permission on the key. Additional requirements vary depending on the decryption mechanism:
DECRYPTION BY CERTIFICATE: CONTROL permission on the certificate and knowledge of the password that encrypts its private key. DECRYPTION BY ASYMMETRIC KEY: CONTROL permission on the asymmetric key and knowledge of the password that encrypts its private key. DECRYPTION BY PASSWORD: knowledge of one of the passwords that is used to encrypt the symmetric key.
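The grant set the answer describes, carried through end to end as an added example (this is not code from the original answer). It uses two database users without logins, runs each step under EXECUTE AS so you can see which grant unlocks which step, and shows the OPEN attempt failing while AppUser holds only VIEW DEFINITION on the certificate, then succeeding once CONTROL is granted. The database, user, certificate and key names, the passwords and the sample plaintext are assumptions chosen for the demo.

```sql
-- Added worked example; run as a member of db_owner in a throw-away database.
-- All object names and passwords below are assumptions for the demo.
USE master;
IF DB_ID('KeyPermDemo') IS NULL
    CREATE DATABASE KeyPermDemo;
GO
USE KeyPermDemo;
GO
-- A database master key must exist before a certificate can be created in the database.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Dmk-Str0ng-Passw0rd!';
GO
-- Two users without logins keep the demo self-contained:
-- KeyOwner owns the key material, AppUser is the limited account from the question.
CREATE USER KeyOwner WITHOUT LOGIN;
CREATE USER AppUser  WITHOUT LOGIN;
GRANT CREATE CERTIFICATE      TO KeyOwner;  -- needed for CREATE CERTIFICATE
GRANT ALTER ANY SYMMETRIC KEY TO KeyOwner;  -- needed for CREATE SYMMETRIC KEY
GO
-- 1. KeyOwner creates the certificate and a symmetric key protected by it.
EXECUTE AS USER = 'KeyOwner';
CREATE CERTIFICATE DemoCert WITH SUBJECT = 'Protects DemoKey';
CREATE SYMMETRIC KEY DemoKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE DemoCert;
REVERT;
GO
-- 2. AppUser gets VIEW DEFINITION on both objects. That is enough to see them
--    (and to call KEY_GUID) but not to decrypt the key, so OPEN is expected to fail.
GRANT VIEW DEFINITION ON CERTIFICATE::DemoCert  TO AppUser;
GRANT VIEW DEFINITION ON SYMMETRIC KEY::DemoKey TO AppUser;
GO
EXECUTE AS USER = 'AppUser';
BEGIN TRY
    OPEN SYMMETRIC KEY DemoKey DECRYPTION BY CERTIFICATE DemoCert;
    CLOSE SYMMETRIC KEY DemoKey;
    PRINT 'unexpected: key opened with VIEW DEFINITION only';
END TRY
BEGIN CATCH
    PRINT 'expected failure without CONTROL on the certificate: ' + ERROR_MESSAGE();
END CATCH;
REVERT;
GO
-- 3. CONTROL on the certificate is what OPEN ... DECRYPTION BY CERTIFICATE requires.
--    With it, AppUser can open the key and use it for a round trip.
GRANT CONTROL ON CERTIFICATE::DemoCert TO AppUser;
GO
EXECUTE AS USER = 'AppUser';
OPEN SYMMETRIC KEY DemoKey DECRYPTION BY CERTIFICATE DemoCert;
DECLARE @plain  nvarchar(64)   = N'4111 1111 1111 1111';   -- constructed sample value
DECLARE @cipher varbinary(256) = ENCRYPTBYKEY(KEY_GUID('DemoKey'), @plain);
SELECT @cipher AS ciphertext,
       CONVERT(nvarchar(64), DECRYPTBYKEY(@cipher)) AS round_trip;  -- equals @plain
CLOSE SYMMETRIC KEY DemoKey;
REVERT;
GO
-- Clean up when done:
-- USE master; DROP DATABASE KeyPermDemo;
```

The split matters for revocation. With a certificate-protected key, `REVOKE CONTROL ON CERTIFICATE::DemoCert FROM AppUser` cuts the application account off without touching the key or the data it encrypted. With a password-protected key (the first variant in the answer), anyone who knows the password can open it, so removing a user's access means changing the password and every place it is stored.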
Views: 23573