SQL Clone
SQLServerCentral is supported by Redgate
 
Log in  ::  Register  ::  Not logged in
 
 
 

SQL Server Encryption, What’s The Key Hierarchy All About?

keys

 

I’m sure that we all know that SQL Server includes all sorts of interesting functionality to allow us to encrypt our data and like with all encryption techniques, that data is encrypted using keys.

In SQL Server we’ve got a number of different keys, we’ve got the Service Master Key, Database Master Keys, Symmetric Keys, Asymmetric Keys and Certificates.  These keys can be used to encrypt data but they can also be used to encrypt other keys and this is where the key hierarchy comes in.

If you google SQL Server key hierarchy you might come across a number of diagrams similar to that below

keyhei1

that’s all well and good but what does it really mean?

Well, to try an explain this I want to have a little look at what SQL does when it needs to decrypt our data.

For this example we’re going to imagine that we’ve got some data that we’ve encrypted using a password.  Think of the encryption routine as a safe, if we want to get our data out then we need to provide SQL Server with the password to open that safe.

keyhei2

SQL Server can now happily pop the password that we’ve given it into the safe and get our data for us.  That’s fine but what happens if we encrypt our data using a key?

keyhei3

Our SQL Server now has a problem, it can’t just decrypt (open the safe) using our password.  For this safe it’s going to need a key but were is that key?  SQL knows that keys are important and it can’t just leave them laying around anywhere, who knows who might find them.  So what does it do?

SQL protects those keys by encrypting them.  So that means in order for our SQL Server to open the safe and get our data, it first has to pop over to another safe to get the key.

keyhei4.png

So essentially, SQL needs to decrypt the key that’s encrypted the data before it can then decrypt our data.  And that’s where the idea of the key hierarchy comes in.  Let’s have a look at that diagram again and see if it makes any more sense now…

 

keyhei5

The above diagram shows an example similar to our first example, the data has simply been encrypted by a password.

The following example is slightly more complex,

keyhei6

In this example, our data is encrypted by a symmetric key (key 1).  This symmetric key is encrypted by another symmetric key (key 2) which is in turn encrypted by a password.  So if SQL wants to decrypt the data it’ll first need to decrypt Key 2 using a password, then use Key 2 to decrypt Key 1 and only then, when it has Key 1 decrypted can it use Key 1 to decrypt our data.

And this is what’s represented by the key hierarchy, it shows us how a key can be encrypted by a key higher in the hierarchy, that key can in turn be encrypted by another key and so on.

At the end of the day, every key in SQL Server needs to be encrypted by something higher in the hierarchy.  Up at the top of the key hierarchy we have only three things that don’t have to themselves be encrypted, passwords, the Service Master Key or a key stored in an Extensible Key Management (EKM) system.

I’ll talk about the different types of keys in another post but hopefully this has helped shed some light on the sometimes confusing subject of the SQL Server key hierarchy.

SQL Undercover

David Fowler and Adrian Buckman, two database nerds who love nothing more than to spend their time, reading about, researching and sharing all things SQL Server. David is a DBA with over 15 years production experience of SQL Server, from version 6.5 through to 2016. He has worked in a number of different settings and is currently the technical lead at one of the largest software companies in the UK. After working in the motor trade for over 11 years Adrian decided to give it all up to persue a dream of working in I.T. Adrian has over 3 years of experience working with SQL server and loves all things SQL, Adrian currently works as a Database Administrator for one of the UK’s Largest Software Companies.

Comments

Leave a comment on the original post [sqlundercover.com, opens in a new window]

Loading comments...