PHILLY.NETCODE CAMP

2010.1

April 10, 2010

Platinum and Gold Partners

Data Encryption and Key Management in SQL

Said SalomonDatabase AdministratorUnitrin Direct Insurance

Who am I?

I has over 25 year experience as an Information Technology Professional. He has a vast array of abilities in the field in the areas of Network, Desktop Support, DBA, Staff Project Management, Application Software Development, Business Analysis and Quality Assurance. I have Microsoft certifications as a MCTS, MCPS, and MCNPS, and multiple certifications from the Insurance Institute of America. Current Said is a DBA at Unitrin Direct Insurance.

SQL Key Management Overview

2008 Key Management Overview

Service Master Key

One per server instance Backup Restore Alter Is automatically generated when needed There is not create command for

Service Master Key

Database Master Key

One per database Is encrypted by the server master key

and the password used when created.

Certificate

Can have as many as need Is encrypted by the database master key

as well as the password use on the certificate

Asymmetric key

Why? Public key Private key No backup Poor performance (100 x)

Symmetric key

Can have as many as needed Is encrypted by the Certificate or

Asymmetric key or Symmetric key or password

Algorithms DES | TRIPLE_DES | TRIPLE_DES_3KEY | RC2 | RC4 | RC4_128 | DESX | AES_128 | AES_192 | AES_256

No Backup

Symmetric Functions

EncryptByKey DecryptByKey EncryptByPassPhrase DecryptByPassPhrase Key_ID Key_GUID

Asymmetric Functions

EncryptByAsmKey DecryptByAsmKey EncryptByCert DecryptByCert Cert_ID AsymKey_ID CertProperty

Demo

SQL Encryption Step-by-Step

Backup Service Master Key BACKUP SERVICE MASTER KEY TO

FILE = 'path_to_file' ENCRYPTION BY PASSWORD = 'password'

Restore Service Master Key RESTORE SERVICE MASTER KEY

FROM FILE = 'path_to_file' DECRYPTION BY PASSWORD = 'password' [FORCE]

Create (Database) Master Key

CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'password'

Backup (Database) Master Key

BACKUP MASTER KEY TO FILE = 'path_to_file' ENCRYPTION BY PASSWORD = 'password'

Restore (Database) Master Key

RESTORE MASTER KEY FROM FILE = 'path_to_file' DECRYPTION BY PASSWORD = 'password' ENCRYPTION BY PASSWORD = 'password' [ FORCE ]

Sharing a symmetric key

CREATE SYMMETRIC KEY test_aes128_keyWITH KEY_SOURCE = 'I am the very model of a modern major general',    IDENTITY_VALUE = 'E pluribus unum',    ALGORITHM = AES_128ENCRYPTION BY PASSWORD = 'p@$$w0rd';

DemoTransparent Data Encryption (2008 only)

Questions?

Please complete the online evaluation form

Resources

SQL 2005 Symmetric Encryption By Michael Coles http://bit.ly/bFQsro

My web sitehttp://www.timelordshangout.com

My TwitterSaidSalomon