I have an existing SQL Server 2005 database that contains data encrypted using a Symmetric key. The symmetric key is opened using a password. I am working on an upgrade to the front end applications that use this database, which include adding dozens of new tables, stored procedures, UDFs, etc. and dozens of modifications to existing tables and database objects. To that end I am making a copy of the existing development database, so that the current system can be independently supported, maintained, and updated while new development takes place.
What is a good way to go about copying the database? Normally, I'd take a backup of the existing database, and then restore it to the new database. However, will this be feasible given the encrypted data? Will I still be able to encrypt and more importantly decrypt data in the new database using the existing symmetric key and password?
Might I instead want to use DTS to transfer the existing schema only. Create a new symmetric key/password in the new database. Then write ad hoc queries to transfer the data, decrypting using existing key/password, and encrypting using new key/password in new database.
I guess at the heart of this is, are symmetric keys good for encrypting/decrypting data in a single database or in many databases on the same server?
The Symmetric keys you are referring to are Database Master Keys (DMKs). They are held at the Database level, so a backup/restore to another SQL server should work OK (with the caveat of differing service accounts, which this thread alludes to)
Before you do anything make sure you have a backup of your keys (presumably you've already done this):
USE myDB
GO
BACKUP MASTER KEY TO FILE = 'path_to_file'
ENCRYPTION BY PASSWORD = 'password'
GO
From this article:
When you create a Database Master Key,
a copy is encrypted with the supplied
password and stored in the current
database. A copy is also encrypted
with the Service Master Key and stored
in the master database. The copy of
the DMK allows the server to
automatically decrypt the DMK, a
feature known as "automatic key
management." Without automatic key
management, you must use the OPEN
MASTER KEY statement and supply a
password every time you wish to
encrypt and/or decrypt data using
certificates and keys that rely on the
DMK for security. With automatic key
management, the OPEN MASTER KEY
statement and password are not
required.
Related
What is the best and easiest way to copy an Azure SQL Server database with encrypted columns from one subscription to another.
Tried to export to a .bacpac file but it errors with
SQL71626 (certificate/symmetric key is not supported in Microsoft Azure SQL Database v12)
Should I make a copy and then remove the keys before I export/import?
Congratulations your question is answered here:
Copy SQL database with encryption from one Azure subscription to another.
I post it as the answer and this can be beneficial to other community members.
SQLPackage.exe is used to export the database and it does not support symmetric keys. If you can copy the database, then drop the symmetric key and the certificate on the database created by the copy operation. After that you will be able to export that copy of the database as a bacpac.
I don't know about encryption keys much. But I got a project where I need to transfer SQL Server database from one computer to another. I can't connect it online as the database needs to be local only. Also I generated create scripts of complete database using SSMS. But create scripts of asymmetric keys are not generated. I want to know that if I create asymmetric key with the password given by the project owner, will old data still be validated from it? I mean does asymmetric key is system independent?
First, I would recommend getting an overview on column level encryption through a book, video, technical session during a SQL Saturday or other means. Even though I am going to provide the solution, you need a solid understanding of how the encryption system works so that you will understand how to avoid losing encrypted data by making a mistake. That said, the solution is to backup the database, then backup the Database Master Key providing a password to encrypt the key in the file specified. Migrate the files to the destination server then restore the database and restore the Database Master Key using the password previously provided. This will complete the encryption hierarchy. Since all database keys, including asymmetric and symmetric keys, are backed up with the database, they will be transferred to the destination server in the backup file.
This is a bit of the opposite of how this question is usually asked-- I used the following to create a database master key, a certificate, and a symmetric key:
Here's how I created the certs/keys (obviously with real passwords):
CREATE MASTER KEY ENCRYPTION
BY PASSWORD = '123456'
CREATE CERTIFICATE EncryptionCert
WITH SUBJECT = 'EncryptionCert'
CREATE SYMMETRIC KEY SymmetricKey
WITH ALGORITHM = AES_256
ENCRYPTION BY CERTIFICATE EncryptionCert;
I then encrypted some data using that key, backed up the database, and restored it to a different box.
My expectation was that I wouldn't be able decrypt the data until I first migrated the service master key from the old box, but I actually was able to do that immediately after restoring without providing a single cert or password.
I deduced that this was happening because I was using an Amazon EC2 image to create the box, so I'm assuming that EVERY box created from that image had the same service master key.
To try to force the service key to change, I ran:
alter service master key regenerate
on both boxes.
I started over with a new database, new keys/certs etc, and this time, when I moved the backup to the new box, I wasn't able to automatically read the data, but I had to first provide the password for the database master key that I created. Once I did that, I was able to get to the data.
From everything I read, I would have thought that I wouldn't be able to decrypt the master key without moving the service master key first.
I'm concerned that the service master key not being required is still due to an oddity of my test environment, and that I might get screwed in a year when I try to do this for real.
Can anyone shed light on what's happening here? Did something change in SQL that made it unnecessary to move the service master key, or did I create the database master key in a way that made moving it unnecessary? Or am I getting back potentially false results?
Matt Bowler has en excellent article on database encryption. The issue may be the way the Server Master Key is encrypted. Is it possible that your instances are run by the same service account?
Service Master Key: At the top of the key hierarchy is the Service Master Key. There is one per SQL Server instance, it is a symmetric key, and it is stored in the master database. Used to encrypt Database Master Keys, Linked Server passwords and Credentials it is generated at first SQL Server startup.
There are no user configurable passwords associated with this key – it is encrypted by the SQL Server service account and the local machine key. On startup SQL Server can open the Service Master Key with either of these decryptions. If one of them fails – SQL Server will use the other one and ‘fix’ the failed decryption (if both fail – SQL Server will error). This is to account for situations like clusters where the local machine key will be different after a failover. This is also one reason why service accounts should be changed using SQL Server Configuration Manager – because then the Service Master Key encryption is regenerated correctly.
http://mattsql.wordpress.com/2012/11/13/migrating-sql-server-databases-that-use-database-master-keys/
I m bit new to this field of DBA i wanted to know is there any codes available to encrypt the entire database as we have a huge database maintained in sqlserver 2005 .
I know that it is not safe to encrypt the entire database but we ha such kind of requirement moreover the in the application end they don't want to encrypt it.
i want the process to be as the data comes through the application end into the database it should be encrypted and stored and while retrieving the data it must be decrypted with a certificate/key as provided and shown. I don't want to use any 3rd party tools as it has been instructed.
i searched through the net and found that we can encrypt columns and stored procedure through asymmetric/symmetric key but i need to encrypt the entire database(selected tables is also ok) can you all help me in that.
I don't think there is an easy way to do it in 2005, you would need to redefine all (or most) of your tables to take encrypted data (varbinary) and then you'd lose the ability to do searches and comparisions and a whole heap of other stuff.
For 2008 there is Transparent Data(base) Encryption, which encrypts at the file level (when SQL server writes data) no changes required to your applications.
Search for SQL Server TDE and have a look around.
I have some data in my user database that I would prefer to be encrypted. Most of the data will need to be decrypted when requested, but there are also passwords that can stay encrypted (in the old days we would use pwdcompare but I believe this is obsolete now).
I have followed the steps here, so I have now successfully encrypted my data.
What I don't understand is the correct way to open the master key at runtime, in order to encrypt/decrypt data. If I want to use stored procedures to retrieve encrypted data, how do I go about opening the master key? Do I pass in the master key's password using a stored proc parameter?
As I have understood, you should create master key once (you can do this during installation process) and this is the first and last time password is needed. After that, using master key create encryption key (symmetric or asymmetric) without a password and use it to encrypt/decrypt your data. You don't have to give a password for it, all you need is use your encryption key and have CONTROL permission on it. The only issue is that your DBA can have it too :)
See this article: Using Asymmetric Encryption and Digital Signatures in a SQL Server 2005 Database