Secure Storage
Steve Jones
SSC-Dedicated

Group: Administrators
Points: 36074 Visits: 18736
Comments posted to this topic are about the item Secure Storage

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
Bill Wunder
Grasshopper

Group: General Forum Members
Points: 19 Visits: 146
I believe the guidance is to store the key export and the password in different locations and to store both on site and off site.

How about storing the export in VARBINARY(MAX) in a TDE-encrypted database that has only DBA access, and then storing the password in an encrypted column, perhaps on another SQL instance? This would be relatively easy to automate.

This is how I had planned to implement key backup automation in SQLClue. The TDE database is easy to implement (in fact I saw an email from Connect telling me some bothersome 'nuances' of TDE are fixed in 10.5).

Finally, since many shops run two+ data centers, they could peer to peer replicate between data centers on an SSL or Server self-Certificate encrypted wire. But even without the replication, the backups of the TDE database and the encrypted column could go off site in the normal tape rotation to satisfy the requirement.

A little work to set up - not bad - but should be painless once running.

Bill Wunder
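One way to lay out the two-instance scheme Bill sketches above, written here as an added example (it is not SQLClue's code or anything from the original post). Database, certificate and key names and the file paths are placeholders; the vault database is assumed to exist with TDE already enabled and DBA-only access, and PasswordVault is assumed to already have a database master key.

```sql
/* Instance A: KeyVault is assumed to exist already with TDE turned on and
   access granted only to the DBA role. All names and paths are placeholders. */
USE KeyVault;
CREATE TABLE dbo.KeyExport (
    KeyExportId     INT IDENTITY(1,1) PRIMARY KEY,
    SourceServer    SYSNAME        NOT NULL,
    KeyName         SYSNAME        NOT NULL,
    ExportedAt      DATETIME2      NOT NULL DEFAULT SYSUTCDATETIME(),
    CertBytes       VARBINARY(MAX) NOT NULL,   -- public part (.cer)
    PrivateKeyBytes VARBINARY(MAX) NOT NULL    -- password-protected private key (.pvk)
);
/* Export the certificate that protects the production DEK. The private-key
   password is the second secret; it is written only to Instance B below. */
BACKUP CERTIFICATE AppTdeCert TO FILE = 'C:\KeyExport\AppTdeCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\KeyExport\AppTdeCert.pvk',
                      ENCRYPTION BY PASSWORD = '<export password placeholder>');
/* Pull both files in as blobs (needs ADMINISTER BULK OPERATIONS), then delete
   them from disk so the only copy at rest sits inside the TDE-protected database. */
INSERT INTO dbo.KeyExport (SourceServer, KeyName, CertBytes, PrivateKeyBytes)
SELECT @@SERVERNAME, N'AppTdeCert', c.BulkColumn, p.BulkColumn
FROM OPENROWSET(BULK 'C:\KeyExport\AppTdeCert.cer', SINGLE_BLOB) AS c
CROSS JOIN OPENROWSET(BULK 'C:\KeyExport\AppTdeCert.pvk', SINGLE_BLOB) AS p;
GO
/* Instance B: PasswordVault is assumed to have a database master key already.
   The export password goes into a column encrypted with a symmetric key. */
USE PasswordVault;
CREATE CERTIFICATE PwdVaultCert WITH SUBJECT = 'Protects key-export passwords';
CREATE SYMMETRIC KEY PwdVaultKey WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE PwdVaultCert;
CREATE TABLE dbo.KeyExportPassword (
    SourceServer SYSNAME        NOT NULL,
    KeyName      SYSNAME        NOT NULL,
    PasswordEnc  VARBINARY(512) NOT NULL,    -- ENCRYPTBYKEY output, never plaintext
    PRIMARY KEY (SourceServer, KeyName)
);
GO
OPEN SYMMETRIC KEY PwdVaultKey DECRYPTION BY CERTIFICATE PwdVaultCert;
INSERT INTO dbo.KeyExportPassword (SourceServer, KeyName, PasswordEnc)
VALUES (N'SRV-A', N'AppTdeCert',
        ENCRYPTBYKEY(KEY_GUID('PwdVaultKey'), N'<export password placeholder>'));
CLOSE SYMMETRIC KEY PwdVaultKey;
GO
/* Recovery path (DBA only): decrypt the password here, write the two blobs from
   Instance A back to files, then CREATE CERTIFICATE ... FROM FILE on the new server. */
OPEN SYMMETRIC KEY PwdVaultKey DECRYPTION BY CERTIFICATE PwdVaultCert;
SELECT SourceServer, KeyName,
       CAST(DECRYPTBYKEY(PasswordEnc) AS NVARCHAR(128)) AS ExportPassword
FROM dbo.KeyExportPassword;
CLOSE SYMMETRIC KEY PwdVaultKey;
```

The Instance A half assumes the vault lives on the same instance as the exported certificate (or that the two files are copied over first); the backups of both databases then carry the blob and the password off site separately, as the post suggests.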
hnhaney2
Grasshopper

Group: General Forum Members
Points: 18 Visits: 280
For me to memorize passwords, keys or anything important is next to impossible, for I am dyslexic, which also grants me the ability to process and handle algorithms faster than normal. So for me it's about an algorithm that forms the key (or password). In my home network all passwords are something like
{Computer Name}'s {common word} #{(Month + 5) mod 12}
and are changed monthly automatically. This allows long and hard-to-break passwords, and keys can be generated in the same fashion. But then keeping the algorithm a secret is the problem. So this is more of a method for compressing keys and passwords.
jay-h
SSC Eights!

Group: General Forum Members
Points: 919 Visits: 2222
Alas, real security is a pain in the rump.

One possible solution is to store the key list history in an encrypted file, with that key only available to the few (never ONE) administrative individuals necessary.

The encrypted key list should be kept both on and off site.

I would not recommend a shared (partial) key system; in a disaster situation all the principals may not be available.

...

-- FORTRAN manual for Xerox Computers --
John Bradford-346000
Grasshopper

Group: General Forum Members
Points: 24 Visits: 81
My company has created an in-house application that we use to manage passwords, keys and access to them.
All data is stored in SQL tables and is encrypted by the application.
The application records all actions taken, including creation, deletion, editing, access, granting access, etc., to an encrypted table in the database so it cannot be changed outside the application.
This is working very well for us.
GSquared
SSChampion

Group: General Forum Members
Points: 14375 Visits: 9729
There is no perfect solution. Either the data is completely secure, and can easily become unretrievable, or it's just barely secure, and easy to recover, or somewhere in between.

Since the compromise depends on a lot of subjective factors, I can't even offer good advice on that.

Personally, for my own secure data, I have a pattern of passwords/keys that I use. They are strong passwords, but I only rarely change them. Studies by the NSA and various universities and such have actually shown that routinely changing passwords causes a net reduction in security over time, because of the very factors you're dealing with here. The "change your password every X days" rules create the illusion of security while reducing its actuality.

- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread

"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
JJ B
Old Hand

Group: General Forum Members
Points: 327 Visits: 2846
GSquared: Thanks so much for your comment. One of the things I can't stand is the password rotation requirements at my agency and agencies we have to deal with. I copied your comment to my boss. She agreed to try to find those studies and at least research the issue. Thanks!
Steve Jones
SSC-Dedicated

Group: Administrators
Points: 36074 Visits: 18736
We've used Password Safe to store the passwords, and the current password isn't a big deal. It's the rotation of passwords that gets confusing. I suppose you could just add a date to the name and keep all passwords there, but depending on how often you change passwords, that can be an issue.

We had an issue changing the password for Password Safe. We rarely did so since we didn't want to get caught later having an old database for which we didn't have the password.

bitbucket-25253
SSCertifiable

Group: General Forum Members
Points: 5689 Visits: 25280
Speaking of security, here is some news posted on the BBC web site that might help in storing passwords and encryption keys and yet have them readily available in case of need:
http://news.bbc.co.uk/2/hi/technology/8024845.stm

If everything seems to be going well, you have obviously overlooked something.

Ron

Please help us, help you - before posting a question please read

Before posting a performance problem please read
sspohn
Forum Newbie

Group: General Forum Members
Points: 2 Visits: 25
I think two part passwords work best. The first part of the password is specific to the task. The second part is common to all tasks and is rotated regularly. I only need to worry about remembering one new password each period.