6

我使用下一个代码来创建 SQL 加密密钥

CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<Pass>'
CREATE CERTIFICATE MyEncryptCert WITH SUBJECT = 'Descryption', EXPIRY_DATE = '2115-1-1'
CREATE SYMMETRIC KEY MySymmetricKey WITH ALGORITHM = AES_256 ENCRYPTION BY CERTIFICATE MyEncryptCert

我如何加密数据

OPEN SYMMETRIC KEY MySymmetricKey DECRYPTION BY CERTIFICATE MyEncryptCert
SET @Result = ENCRYPTBYKEY(KEY_GUID('MySymmetricKey'), '<String to encrypt>')
CLOSE SYMMETRIC KEY MySymmetricKey

我能够备份数据库主密钥和证书。

BACKUP MASTER KEY TO FILE = 'c:\temp\key' ENCRYPTION BY PASSWORD = '<Pass>';
BACKUP CERTIFICATE MyEncryptCert TO FILE = 'c:\temp\cert' WITH PRIVATE KEY(ENCRYPTION BY PASSWORD='<Pass>', FILE='C:\temp\cert.pvk')

但我无法备份对称密钥。没有它,如果我将加密表移动到另一个数据库,我将无法解密加密数据。

有什么解决办法吗?

PS我尝试了下一个代码,但对我来说似乎不安全,因为如果您知道 KEY_SOURCE 和 IDENTITY_VALUE 您实际上不需要原始数据库主密钥和证书来解密数据

CREATE SYMMETRIC KEY MySymmetricKey WITH KEY_SOURCE = '<Pass1>', ALGORITHM = AES_256, IDENTITY_VALUE = '<Pass2>' ENCRYPTION BY CERTIFICATE MyEncryptCert
4

2 回答 2

6

如果您需要能够复制对称密钥,您应该提供KEY_SOURCEIDENTITY_VALUE. 您的评估是正确的,因为通过了解这两个值,您可以重新创建密钥。观察下面的代码,它表明我可以通过使用“第一个”密钥加密一个值,删除密钥,使用相同的KEY_SOURCEand重新生成它IDENTITY_VALUE,然后解密加密的值来创建两次相同的密钥。

CREATE SYMMETRIC KEY MySymmetricKey WITH 
    KEY_SOURCE = '<Pass1>', 
    ALGORITHM = AES_256, 
    IDENTITY_VALUE = '<Pass2>' 
    ENCRYPTION BY Password = 'foobar!23'

open symmetric key MySymmetricKey
    decryption by password = 'foobar!23';
declare @encrypted varbinary(max);
select @encrypted = ENCRYPTBYKEY(KEY_GUID('MySymmetricKey'), 'my secrets!');

close symmetric key MySymmetricKey;
drop symmetric key MySymmetricKey;

CREATE SYMMETRIC KEY MySymmetricKey WITH 
    KEY_SOURCE = '<Pass1>', 
    ALGORITHM = AES_256, 
    IDENTITY_VALUE = '<Pass2>' 
    ENCRYPTION BY Password = 'foobar!23'

open symmetric key MySymmetricKey
    decryption by password = 'foobar!23';

select cast(DECRYPTBYKEY(@encrypted) as varchar(max))
close symmetric key MySymmetricKey;
drop symmetric key MySymmetricKey;
于 2016-12-08T06:14:23.140 回答
2

你不能。

如另一个答案中所述,可以使用相同的参数重新创建相同的对称密钥,但这在不同版本的 SQL Server 之间不起作用。

于 2019-05-29T15:35:09.760 回答