SQL Server certificate and symmetric key - sql-server

I had the need to encrypt/decrypt some personal information in my database such as credit card no and passwords.
Following the steps from Microsoft I was able to successfully encrypt & decrypt the data.
But after some tests I have questions.
Assume someone gets unauthorized access to the database (hack) and can see the database in SSMS from his own computer. Surely he can see that I had some certificate and symmetric key set up.
In order to display the data the example shows the following query:
OPEN symmetric KEY symmetrickey1
decryption BY certificate certificate1
-- Now list the original ID, the encrypted ID
SELECT customer_id,
credit_card_number_encrypt AS
'Encrypted Credit Card Number',
CONVERT(VARCHAR, Decryptbykey(credit_card_number_encrypt)) AS
'Decrypted Credit Card Number'
FROM dbo.customer_data;
-- Close the symmetric key
CLOSE symmetric KEY symmetrickey1;
If the above query returns the data and can see the credit card, how can it then be protected? Shouldn't it be necessary to pass a password somewhere in the query?
I am sure that I miss something here. Can anyone explain this to me?

I had to include a password to the certificate:
CREATE CERTIFICATE Certificate1
Encryption By Password='Password123'
WITH SUBJECT = 'Protect Data'
For retrieving data:
OPEN Symmetric KEY SymmetricKey1
DECRYPTION BY CERTIFICATE Certificate1 With Password='Password123'
;
select *,CONVERT(nvarchar(255),DECRYPTBYKEY(Credit_Card_No)) as
[Credit_Card_No3] from Customers
;
Close Symmetric Key SymmetricKey1
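
Added example, not part of the original question or answer: in the question's original setup (certificate protected by the database master key, no password), what keeps an ordinary database user away from the plaintext is permissions, because opening the key by certificate needs permission on the symmetric key and CONTROL on the certificate. The user app_reader is hypothetical; table, key and certificate names are the question's.

```sql
-- Added example. app_reader is a hypothetical low-privilege user; object
-- names come from the question. Run as db_owner in a test database.
CREATE USER app_reader WITHOUT LOGIN;
GRANT SELECT ON dbo.customer_data TO app_reader;
GO

-- 1) app_reader can read the table but has no rights on the key or certificate.
EXECUTE AS USER = 'app_reader';
BEGIN TRY
    OPEN SYMMETRIC KEY symmetrickey1
        DECRYPTION BY CERTIFICATE certificate1;   -- refused for this user
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS error_number, ERROR_MESSAGE() AS error_message;
END CATCH;

-- With no key open in the session, DECRYPTBYKEY yields NULL, not plaintext.
SELECT customer_id,
       CONVERT(VARCHAR(30), DECRYPTBYKEY(credit_card_number_encrypt)) AS decrypted
FROM dbo.customer_data;
REVERT;
GO

-- 2) Grant only what decryption needs to the accounts that must see plaintext.
GRANT VIEW DEFINITION ON SYMMETRIC KEY::symmetrickey1 TO app_reader;
GRANT CONTROL ON CERTIFICATE::certificate1 TO app_reader;
GO

-- 3) Audit: which principals hold explicit permissions on keys and certificates?
--    sys.database_permissions.class: 24 = symmetric key, 25 = certificate.
SELECT pr.name AS principal, pe.class_desc, pe.permission_name, pe.state_desc,
       COALESCE(sk.name, c.name) AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
       ON pr.principal_id = pe.grantee_principal_id
LEFT JOIN sys.symmetric_keys AS sk
       ON pe.class = 24 AND sk.symmetric_key_id = pe.major_id
LEFT JOIN sys.certificates AS c
       ON pe.class = 25 AND c.certificate_id = pe.major_id
WHERE pe.class IN (24, 25);
```

A db_owner or sysadmin already holds these permissions implicitly, which is the case the answer's password-protected certificate addresses: the password is a secret that is not stored in the database.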

Related

Column level Encryption/Decryption is not working after copying data from one database to another database and restored keys and certificates

I have copied encrypted tables data (on column level) from database A to database B within the same server and followed below steps while creating and restoring keys and certificates, but column level decryption is not working in Database B.
Eg: In Database A, table name is "employee" and encrypted column name is "emp_id_proof". Now I have created the same "employee" table copy in database B from database A within the same server and restored certificates and keys in new databases but I am not able to decrypt "emp_id_proof" column data in Database B.
1) Steps to create master key, certificate and symmetric key in database A
USE DatabaseA
go
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'MyStrongPWD#2022'
go
CREATE CERTIFICATE Certificate_test WITH SUBJECT = 'Protect my data'
go
CREATE SYMMETRIC KEY SymKey01 WITH
KEY_SOURCE = 'SymKey01KeySource',
ALGORITHM = AES_256 ,
IDENTITY_VALUE = 'SymKey01IdentityValue'
ENCRYPTION BY CERTIFICATE Certificate_test
go
2) Steps for backup of master key and certificate in database A
USE DatabaseA
go
BACKUP MASTER KEY TO FILE = 'C:\Users\Administrator\Desktop\ENCRYPTION\ExportMasterkey'
ENCRYPTION BY PASSWORD = 'abc#2022'
go
BACKUP CERTIFICATE Certificate_test TO FILE = 'C:\Users\Administrator\Desktop\ENCRYPTION\ExportCert'
WITH PRIVATE KEY ( FILE = 'C:\Users\Administrator\Desktop\ENCRYPTION\ExportCertPK' ,
ENCRYPTION BY PASSWORD = 'xyz#2022' )
go
3) Steps for restoration/creation of master key,certificate and symmetric key in Database B
USE DatabaseB
go
RESTORE MASTER KEY
FROM FILE = 'C:\Users\Administrator\Desktop\ENCRYPTION\ExportMasterkey'
DECRYPTION BY PASSWORD = 'abc#2022'
ENCRYPTION BY PASSWORD = 'MyStrongPWD#2022'
go
CREATE CERTIFICATE [Certificate_test]
FROM FILE = 'C:\Users\Administrator\Desktop\ENCRYPTION\ExportCert'
WITH PRIVATE KEY (FILE = 'C:\Users\Administrator\Desktop\ENCRYPTION\ExportCertPK',
DECRYPTION BY PASSWORD = 'xyz#2022')
go
CREATE SYMMETRIC KEY SymKey01 WITH
KEY_SOURCE = 'SymKey01KeySource',
ALGORITHM = AES_256 ,
IDENTITY_VALUE = 'SymKey01IdentityValue'
ENCRYPTION BY CERTIFICATE Certificate_test
go
Could you please let me know what went wrong?
Also let me know the steps if I have to copy encrypted columns data from one server to another server database.
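
Added example, not part of the original post: a set of checks to run in DatabaseB to see which link of the key hierarchy is failing after the steps above. It assumes emp_id_proof holds VARBINARY ciphertext written by ENCRYPTBYKEY in DatabaseA and that the plaintext was a VARCHAR value; object names are the post's.

```sql
-- Added example; diagnostic only, changes nothing.
USE DatabaseB;
GO

-- 1) Can the database master key be opened automatically, i.e. is it
--    protected by the service master key? If this returns 0, the session
--    must run OPEN MASTER KEY DECRYPTION BY PASSWORD = '...' first.
SELECT name, is_master_key_encrypted_by_server
FROM sys.databases
WHERE name = 'DatabaseB';

-- 2) Does the certificate have a private key, and how is it protected?
SELECT name, pvt_key_encryption_type_desc, thumbprint
FROM sys.certificates
WHERE name = 'Certificate_test';

-- 3) Does the recreated symmetric key match the key that produced the data?
--    KEY_NAME(ciphertext) resolves the key GUID stored in the ciphertext to a
--    key name in the current database and returns NULL when no key matches.
SELECT KEY_GUID('SymKey01')    AS key_guid_in_this_db,
       KEY_NAME(emp_id_proof)  AS key_named_by_ciphertext,
       COUNT(*)                AS row_count
FROM dbo.employee
GROUP BY KEY_NAME(emp_id_proof);

-- 4) Open the key, confirm it is open in this session, then try a few rows.
OPEN SYMMETRIC KEY SymKey01
    DECRYPTION BY CERTIFICATE Certificate_test;

SELECT key_name, key_guid, opened_date
FROM sys.openkeys;

SELECT TOP (5)
       CONVERT(VARCHAR(100), DECRYPTBYKEY(emp_id_proof)) AS emp_id_proof_plain
FROM dbo.employee;

CLOSE SYMMETRIC KEY SymKey01;
GO
```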

Get key name in an existing provider

I want to find out what key name provided from an external provider my database is using in an encrypted database.
This is an example taken from Microsoft website.
CREATE ASYMMETRIC KEY EKM_askey1
FROM PROVIDER EKM_Provider1
WITH
ALGORITHM = RSA_2048,
CREATION_DISPOSITION = CREATE_NEW
, PROVIDER_KEY_NAME = 'key10_user1' ;
GO
But I don't know how to learn whether this is CREATE_NEW or OPEN_EXISTING and have no clue what view contains information about this key10_user1 as mentioned in the example.
Could you try:
SELECT * FROM sys.cryptographic_providers;
to get the provider id and then query using sys.dm_cryptographic_provider_keys:
SELECT * FROM sys.dm_cryptographic_provider_keys(1234567);
GO

Can't insert encrypted data?

I'm trying to insert encrypted data into my SQL Server table. First step, I created a master key, a certificate and a private key:
CREATE MASTER KEY
ENCRYPTION BY PASSWORD = 'PASSWORD#123'
GO
CREATE CERTIFICATE ElipseCert
ENCRYPTION BY PASSWORD = 'SENHA#123'
WITH SUBJECT = 'Certificado Senha Usuario'
GO
CREATE SYMMETRIC KEY KeyElipse
WITH ALGORITHM = AES_256
ENCRYPTION BY CERTIFICATE ElipseCert
GO
After that I tried to insert data:
OPEN SYMMETRIC KEY KeyElipse
DECRYPTION BY CERTIFICATE ElipseCert
DECLARE @GUID UNIQUEIDENTIFIER = (SELECT KEY_GUID('KeyElipse'))
INSERT INTO Usuario VALUES ('FONSECA', ENCRYPTBYKEY(@GUID, 'Abcd1234'))
GO
SELECT * FROM Usuario
CLOSE SYMMETRIC KEY KeyElipse
But when I executed the code, it returned:
The certificate has a private key that is protected by a user defined password. That password needs to be provided to enable the use of the private key.
What's wrong?
Thanks a lot!
The certificate has a private key that is protected by a user defined password. That password needs to be provided to enable the use of the private key
So provide the password, replace this code
OPEN SYMMETRIC KEY KeyElipse
DECRYPTION BY CERTIFICATE ElipseCert
with this one
OPEN SYMMETRIC KEY KeyElipse
DECRYPTION BY CERTIFICATE ElipseCert WITH PASSWORD = 'SENHA#123';

JPA and SQL Server column encryption

I'm using WebSphere 7 and their JPA 2.0 implementation which is based on OpenJPA, and I have something driving me crazy. I have to connect to a SQL Server 2008 database that uses the database column encryption. The encryption is done by several database commands:
1 - OPEN SYMMETRIC KEY DECRYPTION BY CERTIFICATION
2 - Perform insert/select/update/etc using the database methods EncryptByKey or DecryptByKey
3 - CLOSE SYMMETRIC KEY
I have searched and it does not appear that OpenJPA supports this functionality. Does anybody know how to get OpenJPA to play nicely with this type of encryption? Or should I just skip JPA for this project and use good old fashioned PreparedStatements?
So yeah, it does look like doing a native query is the only way to do this. So it comes out to something like this:
EntityManager em = getEntityManager();
Query openKey = em.createNativeQuery("OPEN SYMMETRIC KEY MY_KEY DECRYPTION BY CERTIFICATE MY_CERT");
openKey.executeUpdate();
Query query = em.createNativeQuery("SELECT FIRSTNAME, LASTNAME, CONVERT(varchar, DECRYPTBYKEY(SSN)) as SSN from report where record_id = ?", Report.class);
query.setParameter(1, recordId);
report = (Report) query.getSingleResult();
Query closeKey = em.createNativeQuery("CLOSE SYMMETRIC KEY MY_KEY");
closeKey.executeUpdate();

having problems trying to restore encrypted database

I'm trying to copy an encrypted database from the default server to my server for testing purposes,
but I'm having trouble doing so because I have never done it,
so I'm going to explain my procedure and the errors I got.
First I create a master key:
USE master
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD ='DB-PaSSw0rD'
GO
All is good for now:
Command(s) completed successfully.
Then I create a certificate by importing the certificate created on the default server:
CREATE CERTIFICATE TDECERT
FROM FILE = 'C:\temp\TDECert.cer'
WITH PRIVATE KEY (FILE = 'C:\temp\TDECertKey.pvk' ,
DECRYPTION BY PASSWORD ='pAssW0rD')
GO
But I get:
Msg 15581, Level 16, State 1, Line 1
Please create a master key in the database or open the master key in the session before performing this operation.
To resolve this I try to open the master key:
OPEN MASTER KEY DECRYPTION BY PASSWORD ='DB-PaSSw0rD'
ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY
But I get:
Cannot find the symmetric key 'master key', because it does not exist or you do not have permission.
Then to resolve this second issue I try to grant it access:
GRANT CONTROL ON CERTIFICATE :: TDECERT To Administrator
But I get:
Cannot find the certificate 'TDECERT', because it does not exist or you do not have permission.
Thanks in advance for your time.
Problem solved.
All I had to do is add
USE master
before
CREATE CERTIFICATE TDECERT
FROM FILE = 'C:\temp\TDECert.cer'
WITH PRIVATE KEY (FILE = 'C:\temp\TDECertKey.pvk' ,
DECRYPTION BY PASSWORD ='pAssW0rD')
GO
and didn't need anything else.
That easy!
