Im trying to copy an encrypted database from the default server to my server for testing purposes
but im having troubles doing so because i have never done it
so im going to explain my procedure and the errors i got
first i create a master key :
USE master
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD ='DB-PaSSw0rD'
GO
all is good for now :
Command(s) completed successfully.
then i create a certificate by importing the certificate created on the default server:
CREATE CERTIFICATE TDECERT
FROM FILE = 'C:\temp\TDECert.cer'
WITH PRIVATE KEY (FILE = 'C:\temp\TDECertKey.pvk' ,
DECRYPTION BY PASSWORD ='pAssW0rD')
GO
but i get :
Msg 15581, Level 16, State 1, Line 1
Please create a master key in the database or open the master key in the session before performing this operation.
to resolve this i try to open the master key:
OPEN MASTER KEY DECRYPTION BY PASSWORD ='DB-PaSSw0rD'
ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY
but i get :
Cannot find the symmetric key 'master key', because it does not exist or you do not have permission.
then to resolve this second issue i try to grant it access:
GRANT CONTROL ON CERTIFICATE :: TDECERT To Administrator
but i get :
Cannot find the certificate 'TDECERT', because it does not exist or you do not have permission.
thanks in advance for ur time
problem solved
all i had to do is add
USE master
before
CREATE CERTIFICATE TDECERT
FROM FILE = 'C:\temp\TDECert.cer'
WITH PRIVATE KEY (FILE = 'C:\temp\TDECertKey.pvk' ,
DECRYPTION BY PASSWORD ='pAssW0rD')
GO
and didnt need anything else
that easy!
Related
I have copied encrypted tables data (on column level) from database A to database B within the same server and followed below steps while creating and restoring keys and certificates, but column level decryption is not working in Database B.
Eg: In Database A, table name is "employee" and encrypted column name is "emp_id_proof". Now I have created the same "employee" table copy in database B from database A within the same server and restored certificates and keys in new databases but I am not able to decrypt "emp_id_proof" column data in Database B.
1) Steps to create master key, certificate and symmetric key in database A
USE DatabaseA
go
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'MyStrongPWD#2022'
go
CREATE CERTIFICATE Certificate_test WITH SUBJECT = 'Protect my data'
go
CREATE SYMMETRIC KEY SymKey01 WITH
KEY_SOURCE = 'SymKey01KeySource',
ALGORITHM = AES_256 ,
IDENTITY_VALUE = 'SymKey01IdentityValue'
ENCRYPTION BY CERTIFICATE Certificate_test
go
2) Steps for backup of master key and certificate in database A
USE DatabaseA
go
BACKUP MASTER KEY TO FILE = 'C:\Users\Administrator\Desktop\ENCRYPTION\ExportMasterkey'
ENCRYPTION BY PASSWORD = 'abc#2022'
go
BACKUP CERTIFICATE Certificate_test TO FILE = 'C:\Users\Administrator\Desktop\ENCRYPTION\ExportCert'
WITH PRIVATE KEY ( FILE = 'C:\Users\Administrator\Desktop\ENCRYPTION\ExportCertPK' ,
ENCRYPTION BY PASSWORD = 'xyz#2022' )
go
3) Steps for restoration/creation of master key,certificate and symmetric key in Database B
USE DatabaseB
go
RESTORE MASTER KEY
FROM FILE = 'C:\Users\Administrator\Desktop\ENCRYPTION\ExportMasterkey'
DECRYPTION BY PASSWORD = 'abc#2022'
ENCRYPTION BY PASSWORD = 'MyStrongPWD#2022'
go
CREATE CERTIFICATE [Certificate_test]
FROM FILE = 'C:\Users\Administrator\Desktop\ENCRYPTION\ExportCert'
WITH PRIVATE KEY (FILE = 'C:\Users\Administrator\Desktop\ENCRYPTION\ExportCertPK',
DECRYPTION BY PASSWORD = 'xyz#2022')
go
CREATE SYMMETRIC KEY SymKey01 WITH
KEY_SOURCE = 'SymKey01KeySource',
ALGORITHM = AES_256 ,
IDENTITY_VALUE = 'SymKey01IdentityValue'
ENCRYPTION BY CERTIFICATE Certificate_test
go
Could you please let me know what went wrong??
Also let me know the steps if I have to copy encrypted columns data from one server to another server database.
I am trying to load data from a CSV file to a table in my Azure Database following the steps in https://learn.microsoft.com/en-us/sql/t-sql/statements/bulk-insert-transact-sql?view=sql-server-ver15#f-importing-data-from-a-file-in-azure-blob-storage, using the Managed Identity option. When I run the query, I receive this error:
Failed to execute query. Error: Referenced external data source "adfst" not found.
This is the name of the container I created within my storage account. I have also tried using my storage account, with the same error. Reviewing https://learn.microsoft.com/en-us/sql/relational-databases/import-export/examples-of-bulk-access-to-data-in-azure-blob-storage?view=sql-server-ver15 does not provide any further insight as to what may be causing the issue. My storage account does not have public (anonymous) access configured.
I'm assuming that I'm missing a simple item that would resolve this issue, but I can't figure out what it is. My SQL query is below, modified to not include content that should not be required.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '**************';
GO
CREATE DATABASE SCOPED CREDENTIAL msi_cred WITH IDENTITY = '***********************';
CREATE EXTERNAL DATA SOURCE adfst
WITH ( TYPE = BLOB_STORAGE,
LOCATION = 'https://**********.blob.core.windows.net/adfst'
, CREDENTIAL= msi_cred
);
BULK INSERT [dbo].[Adventures]
FROM 'Startracker_scenarios.csv'
WITH (DATA_SOURCE = 'adfst');
If you want to use Managed Identity to access Azure Blob storage when you run BULK INSERT command. You need to enable Managed Identity for the SQL server. Otherwise, you will get the error Referenced external data source "***" not found. Besides, you also need to assign Storage Blob Data Contributor to the MSI. If you do not do that, you cannot access the CVS file storing in Azure blob
For example
Enable Managed Identity for the SQL server
Connect-AzAccount
#Enable MSI for SQL Server
Set-AzSqlServer -ResourceGroupName your-database-server-resourceGroup -ServerName your-SQL-servername -AssignIdentity
Assign role via Azure Portal
Under your storage account, navigate to Access Control (IAM), and select Add role assignment. Assign Storage Blob Data Contributor RBAC role to the server which you've registered with Azure Active Directory (AAD)
Test
a. Data
1,James,Smith,19750101
2,Meggie,Smith,19790122
3,Robert,Smith,20071101
4,Alex,Smith,20040202
b. script
CREATE TABLE CSVTest
(ID INT,
FirstName VARCHAR(40),
LastName VARCHAR(40),
BirthDate SMALLDATETIME)
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'YourStrongPassword1';
GO
--> Change to using Managed Identity instead of SAS key
CREATE DATABASE SCOPED CREDENTIAL msi_cred WITH IDENTITY = 'Managed Identity';
GO
CREATE EXTERNAL DATA SOURCE MyAzureBlobStorage
WITH ( TYPE = BLOB_STORAGE,
LOCATION = 'https://jimtestdiag417.blob.core.windows.net/test'
, CREDENTIAL= msi_cred
);
GO
BULK INSERT CSVTest
FROM 'mydata.csv'
WITH (
FIELDTERMINATOR = ',',
ROWTERMINATOR = '\n',
DATA_SOURCE = 'MyAzureBlobStorage');
GO
select * from CSVTest;
GO
I want to find out what key name provided from an external provider my database is using in an encrypted database.
This is an example taken from Microsoft website.
CREATE ASYMMETRIC KEY EKM_askey1
FROM PROVIDER EKM_Provider1
WITH
ALGORITHM = RSA_2048,
CREATION_DISPOSITION = CREATE_NEW
, PROVIDER_KEY_NAME = 'key10_user1' ;
GO
But I don't know how to learn whether this is CREATE_NEW or OPEN_EXISTING and have no clue what view contains information about this key10_user1 as mentioned in the example.
Could you try:
SELECT * FROM sys.cryptographic_providers;
to get the provider id and then query using sys.dm_cryptographic_provider_keys:
SELECT * FROM sys.dm_cryptographic_provider_keys(1234567);
GO
I'm trying to insert encrypted data into my SQL Server table. First step, I created a master key, a certificate and a private key:
CREATE MASTER KEY
ENCRYPTION BY PASSWORD = 'PASSWORD#123'
GO
CREATE CERTIFICATE ElipseCert
ENCRYPTION BY PASSWORD = 'SENHA#123'
WITH SUBJECT = 'Certificado Senha Usuario'
GO
CREATE SYMMETRIC KEY KeyElipse
WITH ALGORITHM = AES_256
ENCRYPTION BY CERTIFICATE ElipseCert
GO
After I tried to insert data:
OPEN SYMMETRIC KEY KeyElipse
DECRYPTION BY CERTIFICATE ElipseCert
DECLARE #GUID UNIQUEIDENTIFIER = (SELECT KEY_GUID('KeyElipse'))
INSERT INTO Usuario VALUES ('FONSECA', ENCRYPTBYKEY(#GUID, 'Abcd1234'))
GO
SELECT * FROM Usuario
CLOSE SYMMETRIC KEY KeyElipse
But when I executed the code returns me:
The certificate has a private key that is protected by a user defined password. That password needs to be provided to enable the use of the private key.
What's wrong?
Thanks a lot!
The certificate has a private key that is protected by a user defined password. That password needs to be provided to enable the use of the private key
So provide the password, replace this code
OPEN SYMMETRIC KEY KeyElipse
DECRYPTION BY CERTIFICATE ElipseCert
with this one
OPEN SYMMETRIC KEY KeyElipse
DECRYPTION BY CERTIFICATE ElipseCert WITH PASSWORD = 'SENHA#123';
I had the need to encrypt/decrypt some personal information in my database such as credit card no and passwords.
Following the steps from Microsoft I was successfully encrypt & decrypt the data.
But after some test I have questions.
Assume someone gets unauthorized access to the database (hack) and can see the database in SSMS from his own computer. Surly he can see that I had some certificate and symmetric key setup.
In order to display the data the examples shows the following query
OPEN symmetric KEY symmetrickey1
decryption BY certificate certificate1
Now list the original ID, the encrypted ID
SELECT customer_id,
credit_card_number_encrypt AS
'Encrypted Credit Card Number',
CONVERT(VARCHAR, Decryptbykey(credit_card_number_encrypt)) AS
'Decrypted Credit Card Number'
FROM dbo.customer_data;
-- Close the symmetric key
CLOSE symmetric KEY symmetrickey1;
If the above query returns the data and can see the credit card how can then be protected? Shouldn't it be necessary to pass a password somewhere in the query?
I am sure that I miss something here. Can anyone explain this to me?
i had to include a password to the cerificate
CREATE CERTIFICATE Certificate1
Encryption By Password='Password123'
WITH SUBJECT = 'Protect Data'
for retrieving data
OPEN Symmetric KEY SymmetricKey1
DECRYPTION BY CERTIFICATE Certificate1 With Password='Password123'
;
select *,CONVERT(nvarchar(255),DECRYPTBYKEY(Credit_Card_No)) as
[Credit_Card_No3] from Customers
;
Close Symmetric Key SymmetricKey1