SQL Server database encryption and examples
Starting with SQL Server 2005, data encryption and decryption are provided at the database level. This is achieved mainly in the following ways:
1. Changing the encoding with CONVERT:
CONVERT turns the data into text or VARBINARY. This does not actually protect the data: it only hides it from a casual look, and anyone who can see the conversion process (for example a role that can read the procedure) can read the sensitive data directly.
2. Using a symmetric key:
Encrypt with EncryptByKey and decrypt with DecryptByKey. This is the better choice for large amounts of data, because symmetric-key operations consume fewer resources.
3. Using an asymmetric key:
Encrypt with EncryptByAsymKey and decrypt with DecryptByAsymKey. This gives a higher level of security, but encryption and decryption consume more resources.
4. Using a certificate:
Encrypt with EncryptByCert and decrypt with DecryptByCert. This is similar to the asymmetric-key approach.
5. Using a passphrase:
Encrypt with EncryptByPassPhrase and decrypt with DecryptByPassPhrase. A meaningful phrase, or other data from the row, serves as the encryption and decryption key; this suits general-purpose data encryption.
Examples:
1. CONVERT:
```sql
USE tempdb
GO
CREATE TABLE Test (
    userID INT,
    userName VARCHAR(50),       -- column length is not legible on the page; 50 assumed
    userSalary FLOAT,
    userNewSalary NVARCHAR(MAX)
);

-- the salary figures are not legible on the page; the values below are constructed
INSERT INTO Test (userID, userName, userSalary)
VALUES (1, 'taici', 5000), (2, 'Hailong', 6000), (3, 'Meiyuan', 7000);
--ALTER TABLE Test
--ADD userNewSalary VARBINARY(512)
-- use the conversion function to turn the data into varbinary, i.e. change its encoding
SELECT userID, CONVERT(VARBINARY(512), userSalary) AS encoded
FROM Test;
-- converting back to int restores the original value, which is why this is not protection
SELECT userID, CONVERT(INT, CONVERT(VARBINARY(512), userID)) AS restored
FROM Test;
```
2. Symmetric key:
```sql
-- Create a symmetric key
USE AdventureWorks
GO
CREATE SYMMETRIC KEY SymKey123
WITH ALGORITHM = AES_256            -- the algorithm is not legible on the page; AES_256 assumed
ENCRYPTION BY PASSWORD = 'P@ssw0rd'
GO
-- Note: the key must be opened with OPEN SYMMETRIC KEY and its password before use,
-- otherwise the result is NULL. EncryptByKey also needs the key's Key_GUID.
-- The table Person.Address, the source column AddressLine1 and the VARBINARY(MAX)
-- target column AddressLine3 are assumed; the page does not show them in this section.
-- Open the symmetric key
OPEN SYMMETRIC KEY SymKey123 DECRYPTION BY PASSWORD = 'P@ssw0rd'
-- Encrypt the data
SELECT EncryptByKey(Key_GUID('SymKey123'), CONVERT(VARCHAR(MAX), AddressLine1))
FROM Person.Address
-- Check the length of the encrypted data with the DATALENGTH() function
SELECT DATALENGTH(EncryptByKey(Key_GUID('SymKey123'), CONVERT(VARCHAR(MAX), AddressLine1)))
FROM Person.Address
GO
-- Write the encrypted data into another column of the original table
UPDATE Person.Address
SET AddressLine3 = EncryptByKey(Key_GUID('SymKey123'), CONVERT(VARCHAR(MAX), AddressLine1))
-- Decryption: also requires OPEN SYMMETRIC KEY, and uses DecryptByKey together with CONVERT
OPEN SYMMETRIC KEY SymKey123 DECRYPTION BY PASSWORD = 'P@ssw0rd'
SELECT CONVERT(VARCHAR(MAX), AddressLine1),
       CONVERT(VARCHAR(MAX), DecryptByKey(AddressLine3))
FROM Person.Address
CLOSE SYMMETRIC KEY SymKey123
GO
```
3. Asymmetric key:
```sql
-- An asymmetric key uses two different keys: the password is not needed to encrypt,
-- but it is needed to decrypt
USE AdventureWorks
GO
CREATE ASYMMETRIC KEY AsymKey123
WITH ALGORITHM = RSA_2048           -- the algorithm is not legible on the page; RSA_2048 assumed
ENCRYPTION BY PASSWORD = 'P@ssw0rd'
GO

-- Add a new column to store the encrypted data
-- (Person.Address and the source column AddressLine1 are assumed, as in the previous section)
ALTER TABLE Person.Address ADD AddressLine3 VARBINARY(MAX)
GO
-- Encrypt
SELECT EncryptByAsymKey(AsymKey_ID('AsymKey123'), CONVERT(VARCHAR(MAX), AddressLine1))
FROM Person.Address
GO

-- Update the new column with the encrypted data
UPDATE Person.Address
SET AddressLine3 = EncryptByAsymKey(AsymKey_ID('AsymKey123'), CONVERT(VARCHAR(MAX), AddressLine1))

SELECT AddressLine3
FROM Person.Address

-- Decryption: the password is required here. Decrypt to the same type that was encrypted:
-- data encrypted as varchar cannot be decrypted as nvarchar.
SELECT CONVERT(VARCHAR(MAX), AddressLine1),
       CONVERT(VARCHAR(MAX), DecryptByAsymKey(AsymKey_ID('AsymKey123'), AddressLine3, N'P@ssw0rd')) AS Decrypted
FROM Person.Address
```
4. Certificate encryption:
```sql
-- Certificate encryption: first create a certificate
CREATE CERTIFICATE certKey123                  -- certificate name
ENCRYPTION BY PASSWORD = 'P@ssw0rd'            -- password
WITH SUBJECT = 'Address Certificate',          -- certificate description
     START_DATE = '2012/06/18',                -- certificate start date
     EXPIRY_DATE = '2013/06/18'                -- certificate expiry date
GO
-- Encrypt with the certificate
-- (Person.Address and the source column AddressLine1 are assumed, as in the previous sections)
SELECT EncryptByCert(Cert_ID('certKey123'), CONVERT(VARCHAR(MAX), AddressLine1))
FROM Person.Address

-- Add a new column to store the encrypted data (skip if it already exists from an earlier section)
ALTER TABLE Person.Address ADD AddressLine3 VARBINARY(MAX)

-- Put the encrypted data into the new column
UPDATE Person.Address
SET AddressLine3 = EncryptByCert(Cert_ID('certKey123'), CONVERT(VARCHAR(MAX), AddressLine1))

-- Decrypt
SELECT CONVERT(VARCHAR(MAX), AddressLine1),
       CONVERT(VARCHAR(MAX), DecryptByCert(Cert_ID('certKey123'), AddressLine3, N'P@ssw0rd'))
FROM Person.Address
```
5. Passphrase encryption:
```sql
-- Passphrase encryption is simple: just use the EncryptByPassPhrase function. The row data
-- referenced as the authenticator must not change afterwards, otherwise decryption fails.
-- (Person.Address, AddressLine1 and the target column AddressLine3 are assumed, as above)
SELECT EncryptByPassPhrase('P@ssw0rd', CONVERT(VARCHAR(MAX), AddressLine1))
FROM Person.Address

-- Add a new column to store the data; note that ENCRYPTBYPASSPHRASE returns the VARBINARY type
-- (skip if the column already exists from an earlier section)
ALTER TABLE Person.Address ADD AddressLine3 VARBINARY(MAX)

-- Update the data using P@ssw0rd as the passphrase and the row's AddressID as the authenticator
UPDATE Person.Address
SET AddressLine3 = EncryptByPassPhrase('P@ssw0rd', CONVERT(VARCHAR(MAX), AddressLine1),
                                       1, CONVERT(VARBINARY, AddressID))

-- Decrypt with the same passphrase and the same authenticator
SELECT CONVERT(VARCHAR(MAX), DecryptByPassPhrase('P@ssw0rd', AddressLine3,
                                                  1, CONVERT(VARBINARY, AddressID)))
FROM Person.Address
```
Second problem: how can database object definitions be protected, so that sensitive information is not over-exposed?
The usual protective measure is to create the object WITH ENCRYPTION, so that its definition cannot be viewed. The problem is that this complicates maintenance: during backup and restore, part of the object definition will be lost.
One solution is to save the object's definition statement in an extended property, which solves the problem above.
Below is an example:
```sql
-- 1. Create an encrypted stored procedure
USE AdventureWorks
GO
CREATE PROC test
WITH ENCRYPTION
AS
    SELECT SUSER_SNAME(),
           USER_NAME()
GO
-- 2. Take the definition text above, encrypt it with EncryptByPassPhrase using a passphrase,
--    then store it with the sys.sp_addextendedproperty stored procedure under a chosen property name.
USE AdventureWorks
GO
DECLARE @sql VARCHAR(MAX)
SET @sql = 'CREATE PROC Test WITH ENCRYPTION AS SELECT suser_sname(),user_name() GO'
-- 3. Convert the encrypted content to the sql_variant data type
DECLARE @bsql SQL_VARIANT
SET @bsql = ( SELECT CONVERT(SQL_VARIANT, ENCRYPTBYPASSPHRASE('P@ssw0rd',
                                                  CONVERT(VARCHAR(MAX), @sql)))
            )
-- 4. Add it as an extended property of the stored procedure.
--    The encrypted sql_variant @bsql is what must be stored here (the page showed the literal
--    N'System.Byte[]' in its place, a display artifact, not a value that can be decrypted).
EXEC sys.sp_addextendedproperty @name = N'test定义', @value = @bsql,
    @level0type = N'SCHEMA', @level0name = N'dbo', @level1type = N'PROCEDURE',
    @level1name = N'test'
GO
-- The definition is also stored in clear text under a second property name; step 5 reads this one back
EXEC sys.sp_addextendedproperty @name = N'Code Contents',
    @value = N'CREATE PROC Test WITH ENCRYPTION AS SELECT suser_sname(),user_name() GO',
    @level0type = N'SCHEMA', @level0name = N'dbo', @level1type = N'PROCEDURE',
    @level1name = N'test'
GO
-- 5. Restore
DECLARE @pwd VARCHAR(100) = 'P@ssw0rd'            -- passphrase
DECLARE @proc VARCHAR(100) = 'test'               -- stored procedure name
DECLARE @ExName NVARCHAR(100) = N'Code Contents'  -- extended property name
-- query the original definition
SELECT value
FROM sys.all_objects AS sp
INNER JOIN sys.extended_properties AS P ON P.major_id = sp.object_id
    AND P.minor_id = 0
    AND P.class = 1
WHERE ( P.name = @ExName )
    AND ( ( sp.type = N'P'
            OR sp.type = N'RF'
            OR sp.type = N'PC'
          )
          AND ( sp.name = @proc
                AND SCHEMA_NAME(sp.schema_id) = N'dbo'
              )
        )
```
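As an added example (not part of the original post), here is the complete round trip in tempdb: encrypt the definition, store it as an extended property, read it back and decrypt it, which is the step the restore query above stops short of. The procedure dbo.DemoProc, the property name EncryptedDefinition and the passphrase are assumptions.

```sql
-- Added example, not the original post's code: tempdb only, names are assumptions.
USE tempdb;
GO
CREATE PROC dbo.DemoProc
WITH ENCRYPTION
AS
    SELECT SUSER_SNAME(), USER_NAME();
GO
-- For an encrypted object sys.sql_modules.definition is NULL, so the definition
-- must be kept elsewhere if it is ever to be recovered.
SELECT definition FROM sys.sql_modules WHERE object_id = OBJECT_ID('dbo.DemoProc');
GO
-- Keep the text under 8000 bytes: EncryptByPassPhrase accepts at most 8000 bytes of
-- cleartext and an extended property value may not exceed 7500 bytes.
DECLARE @sql VARCHAR(8000) =
    'CREATE PROC dbo.DemoProc WITH ENCRYPTION AS SELECT SUSER_SNAME(), USER_NAME();';
DECLARE @enc SQL_VARIANT = CONVERT(SQL_VARIANT, EncryptByPassPhrase('P@ssw0rd', @sql));
EXEC sys.sp_addextendedproperty
    @name = N'EncryptedDefinition', @value = @enc,
    @level0type = N'SCHEMA', @level0name = N'dbo',
    @level1type = N'PROCEDURE', @level1name = N'DemoProc';
GO
-- Restore: read the property back, cast the sql_variant to varbinary and decrypt.
DECLARE @pwd VARCHAR(100) = 'P@ssw0rd';
SELECT CONVERT(VARCHAR(8000),
           DecryptByPassPhrase(@pwd, CONVERT(VARBINARY(8000), ep.value))) AS RecoveredDefinition
FROM sys.extended_properties AS ep
JOIN sys.all_objects AS o ON o.object_id = ep.major_id
WHERE ep.class = 1 AND ep.minor_id = 0
  AND ep.name = N'EncryptedDefinition'
  AND o.type IN ('P', 'RF', 'PC')
  AND o.name = N'DemoProc' AND SCHEMA_NAME(o.schema_id) = N'dbo';
-- A wrong passphrase yields NULL rather than an error, so a NULL result means either
-- the property is missing or the passphrase is wrong.
GO
DROP PROC dbo.DemoProc;
```

Anyone with VIEW DEFINITION on the procedure can read the extended property, so the passphrase, not the property, is what keeps the definition confidential.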