Encrypt SSN Example (TDE)
Posted Tuesday, July 15, 2014 1:51 PM
GilaMonster (7/15/2014)
No. T-SQL, with the T-SQL encryption functions like EncryptByKey and DecryptByKey, or whichever of the similar functions you identify as meeting your requirements for protection, key management and all the rest of the admin around encryption.

You certainly can do it in .Net if you want with whatever the .Net encryption functions are.


Thank you very much!

So I can do it in T-SQL?

Do you have an example where you had to encrypt and decrypt the SSN or TAX ID Number please.

The following article threw me off.


http://msdn.microsoft.com/en-us/library/ms174361.aspx


For better, quicker answers on T-SQL questions, click on the following...
http://www.sqlservercentral.com/articles/Best+Practices/61537/

For better answers on performance questions, click on the following...
http://www.sqlservercentral.com/articles/SQLServerCentral/66909/

Post #1592785
Posted Tuesday, July 15, 2014 1:57 PM
That's the exact article I would have given you as an example. See the other examples that it links to.

Bear in mind this isn't something you implement without a fair amount of thought, consideration and design. Otherwise you can end up compromising performance without actually gaining anything security-wise. You also need to have analysed threats and identified exactly what you're trying to protect against.



Gail Shaw
Microsoft Certified Master: SQL Server 2008, MVP
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass

Post #1592788
Posted Tuesday, July 15, 2014 2:03 PM
First entry when I used BING on the phrase encryptbykey sql server 2008.

http://msdn.microsoft.com/en-us/library/ms174361.aspx

EDIT: Sorry, same link you posted, except your link is broken. It went nowhere when I clicked on it. I had to copy it from an editable page to see where it went.



Lynn Pettis

For better assistance in answering your questions, click here
For tips to get better help with Performance Problems, click here
For Running Totals and its variations, click here or when working with partitioned tables
For more about Tally Tables, click here
For more about Cross Tabs and Pivots, click here and here
Managing Transaction Logs

SQL Musings from the Desert Fountain Valley SQL (My Mirror Blog)
Post #1592791
Posted Tuesday, July 15, 2014 4:14 PM
GilaMonster (7/15/2014)
That's the exact article I would have given you as an example. See the other examples that it links to.

Bear in mind this isn't something you implement without a fair amount of thought, consideration and design. Otherwise you can end up compromising performance without actually gaining anything security-wise. You also need to have analysed threats and identified exactly what you're trying to protect against.



OK, I need to find a link for dummies. One that has an example of encrypting and decrypting the same column.

Sorry.

Has anyone done this? Does anyone have any code that they can share?

Thank you.



Post #1592848
Posted Tuesday, July 15, 2014 4:42 PM
Welsh Corgi (7/15/2014)
One that has an example of encrypting and decrypting the same column.


You don't encrypt columns. Get that idea out of your head, it's probably causing your confusion. There is nothing special about the column. It is not flagged as encrypted, it is not a special data type or setting. It is a stock-standard varbinary column.

You encrypt data when you insert it. So as part of your insert statement.
You decrypt data when you retrieve it. So as part of your select statement.





Post #1592852
Posted Tuesday, July 15, 2014 6:03 PM
OK, a lot to ask, but do you have a simple example?


Post #1592865
Posted Tuesday, July 15, 2014 10:03 PM
OK, here is the really really simple guide to how to do it:-

First create a certificate, access to which represents permission to decrypt the SSN column; let's call it SSN_Cert.
Then create a symmetric key to do the encryption and decryption with; let's call it SSNKEY.

Let's pretend you have only two columns in your table just to make the example nice and simple;
the columns are called full_name and encodedSSN and the table is called Name_and_SSN

before you insert or read or update an encrypted SSN you open the key:-
OPEN SYMMETRIC KEY SSNKEY DECRYPTION BY CERTIFICATE SSN_Cert;

once you have the key opened, with the name and the SSN in variables @name and @ssn you can
insert into the table by
INSERT Name_and_SSN(full_name,encodedSSN) 
values(@name, EncryptByKey(Key_GUID('SSNKEY'), convert(varbinary(128), @ssn)));

update an SSN by
UPDATE Name_and_SSN 
SET encodedSSN = EncryptByKey(Key_GUID('SSNKEY'), convert(varbinary(128), @ssn))
where full_name = @name;

read and decrypt an SSN by
SELECT CONVERT(varchar(128), DecryptByKey(encodedSSN)) as Plaintext_SSN
FROM Name_and_SSN where full_name = @name;

edit: don't forget that you must give only people who should be able to see the SSNs access to the certificate. And that all insertions and updates to that column have to use the encryption function.


Tom
Post #1592895
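Gail's and Tom's posts above describe the whole flow: the column is an ordinary varbinary, encryption happens in the INSERT or UPDATE, decryption happens in the SELECT, and access to the certificate is what gates decryption. The script below is an added example that ties those steps together end to end; it is not code from the thread or from Microsoft's article. It uses Tom's names (SSN_Cert, SSNKEY, Name_and_SSN, full_name, encodedSSN) and assumes a database called SSN_Demo, a database role called HR_Reader, and a placeholder master-key password; the sample name and SSN are constructed values.

```sql
-- Added example (not from the thread). Assumed: database SSN_Demo exists, the
-- executing login is db_owner there, and database role HR_Reader exists.
USE SSN_Demo;
GO

-- 1. Database master key: protects the certificate's private key.
--    The password is a placeholder; use a strong one and keep it in your key escrow.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong master key password here>';
GO

-- 2. Certificate: having access to it is what lets a principal open the key.
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'SSN_Cert')
    CREATE CERTIFICATE SSN_Cert WITH SUBJECT = 'Protects the SSN symmetric key';
GO

-- 3. Symmetric key that does the actual data encryption, protected by the certificate.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = 'SSNKEY')
    CREATE SYMMETRIC KEY SSNKEY
        WITH ALGORITHM = AES_256
        ENCRYPTION BY CERTIFICATE SSN_Cert;
GO

-- 4. The table. Nothing marks encodedSSN as encrypted; it is a plain varbinary.
CREATE TABLE dbo.Name_and_SSN
(
    full_name  nvarchar(100)  NOT NULL,
    encodedSSN varbinary(128) NOT NULL
);
GO

-- 5. Only the principals who may see SSNs get access to the certificate and key
--    (HR_Reader is an assumed role). Everyone else gets NULL from DecryptByKey.
GRANT CONTROL ON CERTIFICATE::SSN_Cert TO HR_Reader;
GRANT VIEW DEFINITION ON SYMMETRIC KEY::SSNKEY TO HR_Reader;
GO

-- 6. Encrypt on insert. Constructed sample values, not a real person or SSN.
DECLARE @name nvarchar(100) = N'Jane Example';
DECLARE @ssn  varchar(11)   = '123-45-6789';

OPEN SYMMETRIC KEY SSNKEY DECRYPTION BY CERTIFICATE SSN_Cert;

INSERT dbo.Name_and_SSN (full_name, encodedSSN)
VALUES (@name, EncryptByKey(Key_GUID('SSNKEY'), CONVERT(varbinary(128), @ssn)));

-- 7. Re-encrypt on update (a new random IV is used, so the stored bytes change).
UPDATE dbo.Name_and_SSN
SET    encodedSSN = EncryptByKey(Key_GUID('SSNKEY'), CONVERT(varbinary(128), @ssn))
WHERE  full_name = @name;

-- 8. Decrypt on select while the key is open.
SELECT full_name,
       CONVERT(varchar(11), DecryptByKey(encodedSSN)) AS Plaintext_SSN
FROM   dbo.Name_and_SSN
WHERE  full_name = @name;

CLOSE SYMMETRIC KEY SSNKEY;

-- 9. With the key closed the same query returns NULL, not an error. This is
--    exactly what a principal without access to SSN_Cert sees, so treat an
--    unexpected NULL here as an access or key-management problem, not bad data.
SELECT full_name,
       CONVERT(varchar(11), DecryptByKey(encodedSSN)) AS Plaintext_SSN
FROM   dbo.Name_and_SSN
WHERE  full_name = @name;
GO
```

Open keys are scoped to the session, so close the key as soon as the statement that needs it has run. Note what this does and does not protect against, in line with Gail's point about analysing threats: it stops someone who can read the table but cannot open SSN_Cert from seeing SSNs, but anyone who can open the key (a sysadmin, or a compromised account in HR_Reader) decrypts freely, and the plaintext still reaches the server over the connection.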
Posted Tuesday, July 15, 2014 10:35 PM
Here is an example of encryption - decryption of an XML node, the principle is the same for a column.
Post #1592899
Posted Tuesday, July 15, 2014 11:07 PM
Welsh Corgi (7/15/2014)
GilaMonster (7/15/2014)
That's the exact article I would have given you as an example. See the other examples that it links to.

Bear in mind this isn't something you implement without a fair amount of thought, consideration and design. Otherwise you can end up compromising performance without actually gaining anything security-wise. You also need to have analysed threats and identified exactly what you're trying to protect against.



ok, I need to find a link for dummies. One that has an example of encrypting and decrypting the same column.

Sorry.

Has anyone done this? Does anyone have any code that they can share?

Thank you.


The link you posted (although non-functional) is the best one I can find.

Welsh Corgi (7/15/2014)
ok a lot to ask but do you have a simple example?


With the understanding that I've only ever needed to do what some folks refer to as "1 way encryption" (salted hashes, really) and have never had to support decryption, I found that same link independently, which appears to be the "dummies" version that we've both been looking for.

One of the keys to understanding the example (which is titled "Encrypt a Column of Data") is going back and comparing the parameters of the encryption and decryption functions to what's in the code. The example given also has womb-to-tomb functionality in that it demonstrates how to make the certificate, do the encryption, and do the decryption.
http://msdn.microsoft.com/en-us/library/ms179331.aspx

Any example I could write would pale in comparison. All you need to do is select your own passwords and understand that CardNumber and CardNumber_Encrypted are the columns of interest where CardNumber would be your plain text and CardNumber_Encrypted would be your encrypted SSN column. Once you've verified that the encryption worked, you would just drop the plain text SSN column.

Make a partial copy of your original table to test on and give it a shot.

In the meantime, I'll build some test data and play with it as I've suggested to you because I've always wanted to learn this well enough to actually do it myself. Don't wait for me, though... give it a try yourself. I take way too long analyzing everything that happened before I post to be of any practical use to you.

There is a CON to doing this in the database once the column has been encrypted. If you continue to do it in T-SQL, that means the app will pass it in plain text to the server. Someone could intercept the info between the app and the server. It would be better if the app did the encryption once the data in the column had been encrypted.


--Jeff Moden
"RBAR is pronounced "ree-bar" and is a "Modenism" for "Row-By-Agonizing-Row".

First step towards the paradigm shift of writing Set Based code:
Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column."

(play on words) "Just because you CAN do something in T-SQL, doesn't mean you SHOULDN'T." --22 Aug 2013

Helpful Links:
How to post code problems
How to post performance problems
Post #1592903
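Jeff's advice above is to add the encrypted column beside the existing plaintext one, check that the encryption worked, and only then drop the plaintext column. The script below is an added example of that migration with a verification step; it is not the MSDN article's code. It assumes SSNKEY and SSN_Cert already exist (as set up in Tom's post), and the table dbo.Employees with a plaintext SSN varchar(11) column is a hypothetical stand-in for the poster's own table.

```sql
-- Added example (not from the thread or the MSDN article). Assumed: SSNKEY and
-- SSN_Cert exist, and dbo.Employees has a plaintext column SSN varchar(11).
OPEN SYMMETRIC KEY SSNKEY DECRYPTION BY CERTIFICATE SSN_Cert;

-- 1. Add the encrypted column alongside the plaintext one (nullable for now so
--    the migration can proceed row by row without failing on existing data).
ALTER TABLE dbo.Employees ADD SSN_Encrypted varbinary(128) NULL;
GO

-- 2. Populate it from the plaintext column. The key opened above stays open
--    for the session, so it survives the batch boundary.
UPDATE dbo.Employees
SET    SSN_Encrypted = EncryptByKey(Key_GUID('SSNKEY'), CONVERT(varbinary(128), SSN))
WHERE  SSN IS NOT NULL;

-- 3. Verify before dropping anything: every populated row must decrypt back to
--    exactly its original value. A NULL from DecryptByKey here means the key
--    was not open or the row was not encrypted with it.
IF EXISTS (SELECT 1
           FROM   dbo.Employees
           WHERE  SSN IS NOT NULL
             AND (SSN_Encrypted IS NULL
                  OR CONVERT(varchar(11), DecryptByKey(SSN_Encrypted)) <> SSN))
BEGIN
    RAISERROR('Encrypted copy does not round-trip; plaintext column kept.', 16, 1);
END
ELSE
BEGIN
    -- 4. Round-trip succeeded for every row: retire the plaintext column.
    ALTER TABLE dbo.Employees DROP COLUMN SSN;
END

CLOSE SYMMETRIC KEY SSNKEY;
GO
```

Two caveats a practitioner would want here. Dropping the column removes the plaintext from the live table only; backups and transaction-log backups taken before the migration still contain it, so their retention and protection need the same care as the key. And for the interception concern Jeff raises, if encryption stays in T-SQL the mitigation is to encrypt the connection itself (TLS on the SQL Server endpoint and Encrypt=True in the application's connection string), since the plaintext SSN has to reach the server for EncryptByKey to run.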
Posted Wednesday, July 16, 2014 12:01 AM
Wow. I appreciate the help.

You are all awesome.




Post #1592916