Secure Storage

SQLServerCentral is supported by Red Gate Software Ltd.

Popular Topics

Home

Members

Calendar

Who's On

Home » SQLServerCentral.com » Editorials » Secure Storage

21 posts, Page 1 of 3

1 2 3 »»»

Secure Storage

Rate Topic

Display Mode

Topic Options

Author

Message

Steve Jones - SSC Editor

Posted Tuesday, April 28, 2009 10:59 PM

SSC-Dedicated

Group: Administrators
Last Login: Today @ 6:14 PM
Points: 31,421, Visits: 13,734

Comments posted to this topic are about the item Secure Storage

Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help

Post #706472

Bill Wunder

Posted Tuesday, April 28, 2009 11:20 PM

Grasshopper

Group: General Forum Members
Last Login: Tuesday, August 02, 2011 8:13 AM
Points: 19, Visits: 146

I believe the guidance is to store the key export and the password in different locations and to store both on site and off site.

How about storing the export in VARBINARY(MAX) in TDE encrypted database that has only DBA access? and then store the password in an an encrypted column, perhaps on a another SQL Instance. This would be relatively easy to automate.

This is how I had planned to implement key backup automation in SQLClue. The TDE database is easy to implement (in fact I saw an email from Connect telling me some bothersome 'nuances' of TDE are fixed in 10.5)

Finally, since many shops run two+ data centers, they could peer to peer replicate between data centers on an SSL or Server self-Certificate encrypted wire. But even without the replication, the backups of the TDE database and the encrypted column could go off site in the normal tape rotation to satisfy the requirement.

A little work to set up - not bad - but should be painless once running.

Bill Wunder

Post #706477

hnhaney2

Posted Wednesday, April 29, 2009 6:20 AM

Grasshopper

Group: General Forum Members
Last Login: Today @ 12:10 PM
Points: 18, Visits: 276

For me to memorize password, keys or anything important is next to impossible, for I am dyslexic, which also grants me the ability to process and handle algorithm fast than normal. So for me it’s about an algorithm that forms the key (or password). In my home network all passwords are something like

{Computer Name}’s {common word} #{(Month + 5) mod 12}

and are changed monthly automatically. This allow long and hard to break passwords and keys can be generated in the same fashion, But then keeping the algorithm a secret is the problem. So this is more of a method for compressing keys and passwords.

Post #706714

jay-h

Posted Wednesday, April 29, 2009 7:07 AM

Say Hey Kid

Group: General Forum Members
Last Login: Yesterday @ 8:55 AM
Points: 685, Visits: 1,707

alas, real security is a pain in the rump.

One possible solution is to store the keylist history in an encrypted file, with that key only available to the few (never ONE) adminstrative individuals necessary.

The encrypted key list should be kept both on and offsite

I would not recommend a shared (partial) key system, in a disaster situation all the principals may not be available.

...

-- FORTRAN manual for Xerox Computers --

Post #706770

John Bradford-346000

Posted Wednesday, April 29, 2009 8:47 AM

Grasshopper

Group: General Forum Members
Last Login: Saturday, December 22, 2012 7:54 AM
Points: 24, Visits: 78

My company has created an in-house application that we use to manage passwords, keys and access to them.
all data is stored in SQL tables and is encrypted by the application.
The application records all actions taken including creation, deletion, editing, access, granting access, etc to an encrypted table in the database so it cannot be changed outside the application.
This is working very well for us.

Post #706904

GSquared

Posted Wednesday, April 29, 2009 9:19 AM

SSCoach

Group: General Forum Members
Last Login: Today @ 1:55 PM
Points: 15,442, Visits: 9,571

There is no perfect solution. Either the data is completely secure, and can easily become unretrievable, or it's just barely secure, and easy to recover, or somewhere in between.

Since the compromise depends on a lot of subjective factors, I can't even offer good advice on that.

Personally, for my own secure data, I have a pattern of passwords/keys that I use. They are strong passwords, but I only rarely change them. Studies by the NSA and various universities and such have actually shown that routinely changing passwords causes a net reduction in security over time, because of the very factors you're dealing with here. The "change your password every X days" rules create the illusion of security while reducing its actuality.

- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread

"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon

Post #706932

JJ B

Posted Wednesday, April 29, 2009 9:47 AM

SSC Veteran

Group: General Forum Members
Last Login: Today @ 3:08 PM
Points: 255, Visits: 2,407

GSquared: Thanks so much for your comment. One of the things I can't stand is the password rotation requirements at my agency and agencies we have to deal with. I copied your comment to my boss. She agreed to try to find those studies and at least research the issue. Thanks!

Post #706977

Steve Jones - SSC Editor

Posted Wednesday, April 29, 2009 9:51 AM

SSC-Dedicated

Group: Administrators
Last Login: Today @ 6:14 PM
Points: 31,421, Visits: 13,734

We've used Password Safe to store the passwords, and the current password isn't a big deal. It's the rotation of passwords that gets confusing. I suppose you could just add a date to the name and keep all passwords there, but depending on how often you change passwords, that can be an issue.

We had an issue changing the password for Password Safe. We rarely did so since we didn't want to get caught later having an old database for which we didn't have the password.

Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help

Post #706985

bitbucket-25253

Posted Wednesday, April 29, 2009 10:53 AM

SSCertifiable

Group: General Forum Members
Last Login: Today @ 5:16 PM
Points: 5,101, Visits: 20,201

Speaking of security here is some news posted on the BBC web site that might help in storing passwords and encryption keys and yet have the same readily available in case of need
http://news.bbc.co.uk/2/hi/technology/8024845.stm

If everything seems to be going well, you have obviously overlooked something.

Ron

Please help us, help you -before posting a question please read
Before posting a performance problem please read

Post #707058

sspohn

Posted Wednesday, April 29, 2009 10:56 AM

Forum Newbie

Group: General Forum Members
Last Login: Thursday, April 18, 2013 6:19 PM
Points: 2, Visits: 21

I think two part passwords work best. The first part of the password is specific to the task. The second part is common to all tasks and is rotated regularly. I only need to worry about remembering one new password each period.

Post #707060

« Prev Topic | Next Topic »

21 posts, Page 1 of 3

1 2 3 »»»

Permissions