Convert SQL Certificate and key file into one .pfx - sql-server

From a database certificate backup with private key, I'm looking to convert the two files into one .pfx file, to store it in a secure key vault. Currently using SQL Server 2019.
I look at the certs currently in use within the master database:
```sql
SELECT C.name,
       C.certificate_id,
       C.pvt_key_encryption_type,
       C.pvt_key_encryption_type_desc,
       C.subject,
       C.expiry_date,
       C.start_date,
       C.thumbprint
FROM sys.certificates AS C;
```
CertName1 appears on this list, encrypted by the master database.
Take a backup of the certificate with private key:
```sql
BACKUP CERTIFICATE CertName1
TO FILE = 'C:\temp\CertName1.crt'
WITH PRIVATE KEY (
    FILE = 'C:\temp\CertName1.key',
    ENCRYPTION BY PASSWORD = 'MadeUpPassword101!'
);
```
This creates two files: CertName1.crt and CertName1.key.
Using certutil within Windows, I try to combine the files into one .pfx:
```
certutil -mergepfx CertName1.crt CertName1.pfx
```
I get an error saying ASN1 bad tag value met. Doing some research, this error means the key doesn't match the certificate.
Will I need to use the master key instead, which pretty much makes this useless as will need the private key to restore the encrypted database? Or is this something that can't be done with SQL certificates?

Related

How SQL Server Always Encrypted works on client side

I have some confusion about Always Encrypted concept. Please follow below scenario.
I have created CMK (name - CMK_01) on Machine A under CurrentUser/My folder. By this way I have Always Encrypted certificate generated on Machine A which I have exported.
After this I have created CEK (name - CEK_01) from Machine A using this CMK (CMK_01).
After this I have created table (name - TBL_01) on Machine B and used this CEK_01 to encrypt its column (name – COL_01).
Now to test Always Encrypted concept I have installed Always Encrypted certificate on Machine B and applied Column Encryption Setting = Enabled in SSMS.
After doing this I am able to insert data with parameterized query in this table (TBL_01).
I queried on this table and I found that data is in decrypted form (i.e. plain text).
After this I queried on this table from Machine C without installing certificate and I found data is in encrypted form. So basically it works perfectly from db side.
This works based on certificate installed on individual machine and depends on folder in which it installed (Current or Local computer).
If Current then it works only for user which certificate is installed and if Local then works for all the users on that machine.
Now issue comes over here,
I tried to leverage this functionality to .NET side.
So I have included Column Encryption Setting = Enabled in connection string of .NET code.
And then I deployed .NET code on server machine (Machine D).
After this I have installed always encrypted certificate on one of the user machine (Machine E) under CurrentUser/My folder.
Now when user on Machine E is trying to see the data in UI, it is giving an error. Basically encryption does not work here.
To resolve this I have created new CMK (name – CMK_01) with same certificate key but path of CMK is under LocalMachine\My.
Then I have added this new CMK value in existing CEK (CEK_01).
So now basically we have 2 CMK - same certificate key with different path and 1 CEK with 2 different CMK values which means both CMK can access this CEK.
After this we installed Always Encrypted Certificate on IIS server (under LocalMachine\My path) where our code has been deployed (Machine D).
After this error has been removed but all the users who can login to that web page they can encrypt/decrypt data because we have installed certificate on IIS server (Machine D).
Now my ask is -
Is this our implementation correct?
Is this how Always Encrypted works? I mean can't we have individual user wise encryption and decryption by installing certificate on user's individual machine so who has that certificate access that user is only able to encrypt/decrypt data otherwise rest of the users who does not have that certificate those users can only see data in encrypted form on that web page?

How to perform insert, update and delete operations, on encrypted column in a table in SQL server 2017

My name is Hari varma, I am working as a SQL DBA.
Currently I am facing issues with Always Encryption in SQL Server 2017 Development Edition in our testing server.
I don't have any experience in Always Encryption and TDE. One of my client asked me to do encryption on database.
I have done some testing on Always Encryption and I was able to encrypt and decrypt the column data by using doing the following:
On the SQL Server instance
-->Options-->Additional connection Parameter-->Column Encryption Setting = Enabled
After I enabled the column encryption I am able to view the encrypted data in the table.
However I am not able to insert, update, and delete data in this encrypted column.
Also I need to be able to set permissions on users who are allowed / not allowed to view the data on this encrypted column.
Which permissions I need to give on a particular user and provide any prerequisites for Always Encryption and TDE.
First of all it's important to understand that your SQL Server instance does not know the keys used for encrypting and decrypting data when using Always Encrypted. The keys are kept externally, usually in a key store such as Windows Certificate Store or Azure Key Vault. This means that SQL Server itself cannot encrypt or decrypt the data - this instead has to be done by a client application that has access to the keys.
However I am not able to insert, update, and delete data in this encrypted column.
I assume you are attempting to insert, update, and delete data directly through SSMS or something similar. This is only possible to a limited extent. This is because SSMS (which is your client application in this case) needs to be able to encrypt the data before sending it to your SQL Server.
Read more about inserting data into columns that are encrypted via Always Encrypted in SQL Server here (using SSMS).
A brief summary of how to insert encrypted data via SSMS:
You need to enable the column encryption setting in your connection string. This is done under Options>>Additional Connection Parameters when you connect to your SQL Server instance in SSMS. Add this text in there: Column Encryption Setting=Enabled
Once you've connected to your database and opened a query window, you need to enable parameterization for always encrypted. This is done in SSMS under Query>>Query Options>>Execution>>Advanced>>Enable Parameterization for Always Encrypted.
When you've completed the two steps above you'll be able to insert data into an encrypted column like this:
```sql
DECLARE @ParameterToBeEncrypted NVARCHAR(100) = 'Decrypt me';
INSERT INTO dbo.MyTable(MyEncryptedColumn) VALUES (@ParameterToBeEncrypted);
```
This works because your client application (SSMS) is able to encrypt the value that you're initializing @ParameterToBeEncrypted with before sending it to SQL Server. This only works if your current user has access to the column encryption key. SQL Server will never see the plain/non-encrypted value ('Decrypt me') - it will only see the encrypted value that should be inserted into the encrypted column.
Which permissions I need to give on a particular user and provide any prerequisites for Always Encryption
It's a combination of permissions in SQL Server and being able to access the keys used for encrypting and decrypting the data. The necessary database permissions are VIEW ANY COLUMN MASTER KEY DEFINITION and VIEW ANY COLUMN ENCRYPTION KEY DEFINITION.
You can read more about the necessary permissions here.
If you want to encrypt a set of existing data in your database, then your best bet is to write your own client application (e.g. in C# or similar) or create a SSIS package (which would serve as a client application). The client application or SSIS package should read the data from the database, encrypt the data outside of the database, and then send it back to the database as encrypted data.
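The two database permissions named in this answer, and the key store location each client must be able to reach, can be read back from the catalog views. This is an added example, not part of the original answer; the principal name AppReader is hypothetical, and dbo.MyTable is the table used in the answer's INSERT.

```sql
-- Added example. [AppReader] is a hypothetical database user.

-- 1. Metadata permissions a client needs to look up the keys.
--    They allow reading key definitions only; they do not give access to key material.
GRANT VIEW ANY COLUMN MASTER KEY DEFINITION TO [AppReader];
GRANT VIEW ANY COLUMN ENCRYPTION KEY DEFINITION TO [AppReader];
GRANT SELECT, INSERT ON dbo.MyTable TO [AppReader];

-- 2. Which columns are encrypted, with which CEK, and where the protecting CMK lives.
--    key_path is the location the client machine must be able to open
--    (a certificate store path or a key vault URL); without it the client only sees ciphertext.
SELECT t.name                      AS table_name,
       c.name                      AS column_name,
       c.encryption_type_desc,
       c.encryption_algorithm_name,
       cek.name                    AS column_encryption_key,
       cmk.name                    AS column_master_key,
       cmk.key_store_provider_name,
       cmk.key_path
FROM sys.columns AS c
JOIN sys.tables AS t
  ON t.object_id = c.object_id
JOIN sys.column_encryption_keys AS cek
  ON cek.column_encryption_key_id = c.column_encryption_key_id
JOIN sys.column_encryption_key_values AS cekv
  ON cekv.column_encryption_key_id = cek.column_encryption_key_id
JOIN sys.column_master_keys AS cmk
  ON cmk.column_master_key_id = cekv.column_master_key_id
WHERE c.encryption_type IS NOT NULL
ORDER BY t.name, c.name, cmk.name;

-- 3. Who currently holds the two metadata permissions.
--    The public role holds both by default unless they have been revoked.
SELECT pr.name AS principal_name,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name IN (N'VIEW ANY COLUMN MASTER KEY DEFINITION',
                             N'VIEW ANY COLUMN ENCRYPTION KEY DEFINITION')
ORDER BY pr.name, pe.permission_name;
```

A column encryption key with values under two column master keys returns one row per master key in the second query, so every key path that can unlock the column is visible.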

Reporting Server cannot decrypt the symmetric key, trying to deploy SSRS reports

I am getting the following error when trying to deploy my SSRS reports on our SQL Server 2014 :
The report server cannot decrypt the symmetric key that is used to access sensitive or encrypted data in a report server database.
You must either restore a backup key or delete all encrypted content. (rsReportServerDisabled) Get Online Help Keyset does not exist (Exception from HRESULT: 0x80090016)
This means that the report server installation does not have the encryption key applied that allows it to access encrypted content in the database. If you have a backup of the current encryption key, you can apply it at the report server. I recommend determining what the likely cause is before acting. This is not something that I have found to just happen - there is usually some trigger, as discussed here.

Absent symmetric key and master key after restoring to new server

I had a SQL database on a previous server, of which I had a master key and certificate creating using the following syntax:
```sql
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'AReallyReallyReallySecurePassword!!!!!'
CREATE CERTIFICATE CPCertificate01 WITH SUBJECT = 'CP Certificate'
CREATE SYMMETRIC KEY SSN_Key_01 WITH ALGORITHM = TRIPLE_DES ENCRYPTION BY CERTIFICATE CPCertificate01
```
I've done a backup of this database, and now restored it onto a new server (fresh install of SQL Server as well).
When I try to run commands against the database, I get this error:
Cannot find the symmetric key 'SSN_Key_01', because it does not exist
or you do not have permission.
However if I run this code...
select * from sys.symmetric_keys
...I can see SSN_Key_01 listed in the result set.
I also get other errors relating the master key not existing.
Can anyone please guide me as to how I can recreate the encryption settings on the new server without losing any of my data? I still have access to the old server if required. Thanks.

SQL Server 2005 - Restoring an encrypted DB on a different server

I have backed up an encrypted DB (symmetric key/certificate) and restored it on a different server.
Unfortunately we're having problems with the decryption... hoping someone can help.
In the restored db, I can see the Symmetric Key and the Certificate in SSMS, but when I try to Open the key using the cert ( open symmetric key KeyA decryption by certificate CertB ) I get the following very descriptive error:
Msg 15466, Level 16, State 1, Line 1
An error occurred during decryption.
Any ideas?
Thanks in advance.
http://blogs.msdn.com/lcris/archive/2007/11/16/sql-server-2005-restoring-the-backup-of-a-database-that-uses-encryption.aspx answers this:
"When you restore a database that uses encryption features, there is only one thing you need to take care of - if the database master key (DbMK) needs a service master key (SMK) encryption, you need to regenerate this encryption. Note that this encryption is made by default when you create the DbMK, but it may be intentionally dropped, if you want tighter control of access to the encrypted data. Anyway, if you did have such SMK encryption for the DbMK, the steps to regenerate it are the following:
OPEN MASTER KEY DECRYPTION BY PASSWORD = 'password'
ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY
CLOSE MASTER KEY
That's it - the database encryption features should now work as when the backup was taken. Also note that it doesn't matter if you restore the database on the server where the backup was taken or elsewhere. The only thing that matters for this procedure is that you know one of the passwords protecting the DbMK "
The master key was decrypted by the service master key on the source server and we were decrypting the master key with password on the destination. I altered the master key to be decrypted by the service master key and it's working now.
The problem you are probably experiencing is that the Database Master Key for the servers is different. To my understanding the other keys are based off of this and it could cause problems when trying to decrypt the data. Check out the encryption hierarchy for a description of the steps that go into data encryption.
I hope this answer helps and isn't too off-track. :)
http://social.msdn.microsoft.com/forums/en-US/sqlsecurity/thread/34c9c35c-2d08-4873-abfd-aae40240dfe7/?prof=required
That link worked for me, follow the 2 links to backup/restore
You can do the restore from the destination server using a UNC, you do not have to copy the file.
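The procedure quoted in the first answer above, with a check before and after and a final test of the key from the question, as an added example that is not part of the original thread. KeyA and CertB are the names used in the question; the database name RestoredDb and the password placeholder are assumptions.

```sql
-- Added example. RestoredDb is a hypothetical name for the restored database.
USE RestoredDb;

-- Before: does this instance hold a service-master-key-protected copy of the
-- database master key (DbMK)? 1 = yes; on a freshly restored database expect 0.
SELECT name, is_master_key_encrypted_by_server
FROM sys.databases
WHERE name = DB_NAME();

-- Open the DbMK with one of its passwords from the source server, then add
-- protection by the destination instance's service master key.
OPEN MASTER KEY DECRYPTION BY PASSWORD = '<DbMK password from the source server>';
ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY;
CLOSE MASTER KEY;

-- After: the flag should now read 1, so the DbMK opens automatically
-- and no password has to be supplied by sessions that use the keys.
SELECT name, is_master_key_encrypted_by_server
FROM sys.databases
WHERE name = DB_NAME();

-- Confirm the key hierarchy works end to end: the certificate's private key
-- is protected by the DbMK, so this fails with Msg 15466 if the DbMK cannot be opened.
OPEN SYMMETRIC KEY KeyA DECRYPTION BY CERTIFICATE CertB;

-- The opened key should be listed for the current session.
SELECT key_name, opened_date, status
FROM sys.openkeys;

CLOSE SYMMETRIC KEY KeyA;
```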
