Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 

Protecting the Encryption Keys

By Steve Jones,

There was an interesting debate on SQLServerCentral recently after John Magnabosco wrote an editorial about encryption. I had chimed in that I thought adding encryption keys to the things you need to protect was harder than just backing up your data. Someone else disagreed, and we debated the issue back and forth.

It seems to me that it's harder, but I'm really not sure. I think you need a separate backup process, and a more complex recovery process, but perhaps that's not true. Maybe I'm just over-thinking it.  Since it's Friday, I decided this would make a good poll.

Is protecting your encryption keys harder than just making a backup?

I've always thought that a best practice was to keep the keys separate from the data, or in this case, the backup. Which means that I need to have a different media, and preferably a different location. That means it's a whole separate process.

The other thing that seems more complex is that you're want to rotate keys periodically. Otherwise if someone got the key, they could theoretically brute-force the key. I know it's supposed to take years, but it seems that hardware advances are always making this take less time than originally estimated. And what if someone managed to secure the first letter or two? I bet it's crackable in reasonable times.  However if you rotate keys, then the time frames shrink, perhaps too small to be worth the effort.

If you rotate keys, then you need to ensure that somehow you can match up the key with the backup. If I think across time, this seems complicated, but the reality is for DR situations it would be one of two keys (the current and the past). For other situations, like legal issues where you might go back over a year, perhaps it's more complicated.

I'm curious what other people do, or what they think. Is this harder?

Steve Jones


The Voice of the DBA Podcasts

Everyday Jones

The podcast feeds are available at sqlservercentral.mevio.com. Comments are definitely appreciated and wanted, and you can get feeds from there.

You can also follow Steve Jones on Twitter:

Overall RSS Feed: or now on iTunes!

Today's podcast features music by Everyday Jones. No relation, but I stumbled on to them and really like the music. Support this great duo at www.everydayjones.com.

I really appreciate and value feedback on the podcasts. Let us know what you like, don't like, or even send in ideas for the show. If you'd like to comment, post something here. The boss will be sure to read it.

Total article views: 207 | Views in the last 30 days: 2
 
Related Articles
BLOG

Podcasting

A new video setup is on the way!!!! Actually I'll do a couple podcasts on podcasting over the hol...

ARTICLE

Podcast Announcements

Podcast Feeds

ARTICLE

Encrypt Everything

Yahoo recently announced they are encrypting their traffic between data centers. Steve Jones thinks ...

BLOG

New Hebrew SQL Server Podcast

Five months ago, I wrote a post about my love for Podcasts. At some point, I started to think about...

ARTICLE

Encrypting Data

Encrypting data is the easy part of dealing with encryption and databases. Steve Jones talks about s...

Tags
editorial    
encryption    
friday poll    
 
Contribute

Join the most active online SQL Server Community

SQL knowledge, delivered daily, free:

Email address:  

You make SSC a better place

As a member of SQLServerCentral, you get free access to loads of fresh content: thousands of articles and SQL scripts, a library of free eBooks, a weekly database news roundup, a great Q & A platform… And it’s our huge, buzzing community of SQL Server Professionals that makes it such a success.

Join us!

Steve Jones
Editor, SQLServerCentral.com

Already a member? Jump in:

Email address:   Password:   Remember me: Forgotten your password?
Steve Jones