Annual change to encryption certificates and key - How to


i have been tasked change encryption keys greatest extent possible without decrypting , re-encrypting existing column values.  i realize believe should not required, unless comprise suspected, have nonetheless been tasked it.  we use column-level encryption , we're running sql 2014 standard edition.

certificates , key created, , used shown code below, names , other unique string changed.

references changing key address tde, , not in use.  i understand change in symmetric key require decryption current key , re-encryption new key, , can regenerate database master key used encrypt certname certificate.  however, looking @ values in sys.certificates, not appear certname certificate affected.

guess question is, regeneration of database master key cause re-encryption of certificate in database in way not apparent, , symmetric key encrypted re-encrypted?  if not, steps can take rotate certificates , key in way not require decryption , re-encryption of existing data?

in advance advice ou can offer.


creation:

create master key encryption password = 'strongpassword';

create certificate certname
subject = 'certificate encrypt , decrypt';

create symmetric key keyname
algorithm = aes_256,
key_source = 'long sentence',
identity_value = 'long sentence'
encryption certificate certname;

open keyname decription certificate certname;

usage:

encryptbykey(key_guid('keyname'), @email_addr)

select convert(varchar(250), decryptbykeyautocert(cert_id('certname'), null, email_addr))

hi byron,

according knowledge,  regeneration of database master key recreate certificates protects. certificate first decrypted old master key, , encrypted new master key. in addition, regeneration of database master key won’t cause decryption , re-encryption of symmetric key since symmetric key encrypted certificate, not database master key.

for certificate rotation without decryption , re-encryption of existing data, perform following steps example.

1.open symmetric key 'keyname' following statement.

open symmetric key keyname decryption certificate certname

2.create temporary certificate 'certtmp' , encrypt key 'keyname' following statement.

create certificate certtmp subject = 'temporary certificate protecting keyname'

alter symmetric key keyname add encryption certificate certtmp

3.drop old encryption certificate 'certname' , certificate 'certname' following statement.

alter symmetric key keyname drop encryption certificate certname

drop certificate certname

4.create new certificate old certificate name 'certname' following statement.

create certificate certname subject = 'certificate protecting keyname of version 2'

alter symmetric key keyname add encryption certificate certname

5.drop encryption certificate 'certtmp' , certificate 'certtmp' following statement.

alter symmetric key keyname drop encryption certificate certtmp

drop certificate certtmp

6.close opened keys following statement.

close symmetric keys

regards,
michelle li



SQL Server  >  SQL Server Security



Comments

Post a Comment

Popular posts from this blog

BIT Version

  hi,     knows how find out ther bit version in sql  , windows os (32 or 64)   regards, s.balavenkatesh   microsoft sql server 2005 - 9.00.1399.06 (intel x86) oct 14 2005 00:33:37 copyright (c) 1988-2005 microsoft corporation standard edition on windows nt 5.2 (build 3790: service pack 2)     intel x86)   -- says sql server 32 bit   madhu SQL Server  >  SQL Server Tools
Read more

SQL server replication error Cannot find the dbo or user defined function........

hi there, i ran problem while deploying sql 2008 transactional replication between 2 servers lets assume server , b. actually created  both distributor , publisher on server , after created subscriber pointed server b, launch replication monitor , found big red cross. when click on tab "distributor subscriber history" error says "cannot find either column "dbo" or user defined-function or aggregate "dbo.ufnleadingzeros", or name ambiguous". can body regarding issue. regards, ishuv hi, you need compare data , others reseved, index size, unused should not compared. differs. here server - data - 87896 kb server b - data - 78152 kb server data size includes publication tables, can't compare directly. need check article article know exact data size. SQL Server  >  ...
Read more

Admin Permissions

hi need create new 'role' following permissions, 1. access sql server logs. 2. access maintenance plans ( can avoid access) 3. access activity monitor 4. normal access product databases , not system db´s need guidance on how it, can point me in right direction please? thanks 1.grant  execute on xp_readerrorlog [domainname\ad user or group]; 2. http://technet.microsoft.com/en-us/library/ms191002.aspx 3.view server state permission 4. make user member of dbo_owner database role. best regards,uri dimant sql server mvp, http://sqlblog.com/blogs/uri_dimant/ ms sql optimization: ms sql development , optimization ms sql consulting: large scale of database , data cleansing remote dba services: improves ms sql database performance sql server integration services: business intelligence SQL Server  >  ...
Read more