Ale*_*r T 5 sql database sql-server encryption symmetric-key
我使用下一个代码创建SQL加密密钥
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<Pass>'
CREATE CERTIFICATE MyEncryptCert WITH SUBJECT = 'Descryption', EXPIRY_DATE = '2115-1-1'
CREATE SYMMETRIC KEY MySymmetricKey WITH ALGORITHM = AES_256 ENCRYPTION BY CERTIFICATE MyEncryptCert
我如何加密数据
OPEN SYMMETRIC KEY MySymmetricKey DECRYPTION BY CERTIFICATE MyEncryptCert
SET @Result = ENCRYPTBYKEY(KEY_GUID('MySymmetricKey'), '<String to encrypt>')
CLOSE SYMMETRIC KEY MySymmetricKey
我能够备份数据库主密钥和证书。
BACKUP MASTER KEY TO FILE = 'c:\temp\key' ENCRYPTION BY PASSWORD = '<Pass>';
BACKUP CERTIFICATE MyEncryptCert TO FILE = 'c:\temp\cert' WITH PRIVATE KEY(ENCRYPTION BY PASSWORD='<Pass>', FILE='C:\temp\cert.pvk')
但是我不能备份对称密钥。没有它,如果我将加密表移至另一个数据库,则无法解密加密数据。
有什么解决办法吗?
PS我尝试了下一个代码,但对我来说似乎并不安全,因为如果您知道KEY_SOURCE和IDENTITY_VALUE,则实际上不需要原始的数据库主密钥和证书即可解密数据
CREATE SYMMETRIC KEY MySymmetricKey WITH KEY_SOURCE = '<Pass1>', ALGORITHM = AES_256, IDENTITY_VALUE = '<Pass2>' ENCRYPTION BY CERTIFICATE MyEncryptCert
如果您需要具有复制对称密钥的能力,您应该提供KEY_SOURCE和IDENTITY_VALUE。您的评估是正确的,通过了解这两个值,您可以重新创建密钥。观察以下代码,该代码表明我可以通过使用“第一个”密钥加密一个值,删除密钥,使用相同的KEY_SOURCE和重新生成它IDENTITY_VALUE,然后解密加密的值来创建相同的密钥两次作为证据。
CREATE SYMMETRIC KEY MySymmetricKey WITH
KEY_SOURCE = '<Pass1>',
ALGORITHM = AES_256,
IDENTITY_VALUE = '<Pass2>'
ENCRYPTION BY Password = 'foobar!23'
open symmetric key MySymmetricKey
decryption by password = 'foobar!23';
declare @encrypted varbinary(max);
select @encrypted = ENCRYPTBYKEY(KEY_GUID('MySymmetricKey'), 'my secrets!');
close symmetric key MySymmetricKey;
drop symmetric key MySymmetricKey;
CREATE SYMMETRIC KEY MySymmetricKey WITH
KEY_SOURCE = '<Pass1>',
ALGORITHM = AES_256,
IDENTITY_VALUE = '<Pass2>'
ENCRYPTION BY Password = 'foobar!23'
open symmetric key MySymmetricKey
decryption by password = 'foobar!23';
select cast(DECRYPTBYKEY(@encrypted) as varchar(max))
close symmetric key MySymmetricKey;
drop symmetric key MySymmetricKey;