May 7, 2009 at 9:52 am
Alzdba, Thanks for your response.
Here is the output:
select MKP.*
, D.name as DbName
from sys.master_key_passwords MKP
inner join sys.credentials C
on MKP.credential_id = C.credential_id
inner join sys.database_recovery_status DRS
on MKP.family_guid = DRS.family_guid
inner join sys.databases D
on DRS.database_id = D.Database_id
;
No rows returned.
Select @@version
Microsoft SQL Server 2005 - 9.00.4035.00 (X64) Nov 24 2008 16:17:31 Copyright (c) 1988-2005 Microsoft Corporation Developer Edition (64-bit) on Windows NT 5.2 (Build 3790: Service Pack 2)
When I restore the db, the decryption works fine. But when I drop the Master key and recreate the key it doesnt work, returns NULL. Incase a data corruption occurs or the certificates/symmetric keys/master key gets dropped by mistake, we want to provide our client with an approach for the decryption. I'm trying to reproduce the scenario on our SQl 2005 database, after dropping symmetric keys, certificates, master key on the restored db, I restored the master key from the Prod db then created certificates and symmetric keys. I opened the symmetric key and the master key in the session and the decrypt output returns NULL for the existing values. The application team wants to know if it is possible to decrypt the existing data when the keys are dropped & restored.
Please give me your suggestions. Sorry if I'm confusing this.
May 7, 2009 at 3:16 pm
As shown in my previous reply a password encrypted master key can only be modified using the path of:
OPEN MASTER KEY DECRYPTION BY PASSWORD = 'TestEncryption31' ; -- old db master key
ALTER MASTER KEY
REGENERATE WITH ENCRYPTION BY PASSWORD = 'TestEncryption31TEST'; -- renew db master key
go
If someone drops this master key, it has to be intentionally because the system will state it is in use, so the using certificates will have to be removed !
As shown above, it is fairly easy to modify the master key, so you cannot rely on an known password.
So using BACKUP MASTER KEY will be a life saver
(from BOL)
BACKUP MASTER KEY TO FILE = 'path_to_file'
ENCRYPTION BY PASSWORD = 'password'
This should also be done for all certificates of the db using
(from BOL)
BACKUP CERTIFICATE certname TO FILE = 'path_to_file'
[ WITH PRIVATE KEY
(
FILE = 'path_to_private_key_file' ,
ENCRYPTION BY PASSWORD = 'encryption_password'
[ , DECRYPTION BY PASSWORD = 'decryption_password' ]
)
]
Off course, you can always rely on the regular backup scenarios !
Advise full recovery model with a sequence of full and log backups, so you can perform a PIT (point in time) recovery !
You can make if fool proof, but they will come up with an even better fool !
Johan
Learn to play, play to learn !
Dont drive faster than your guardian angel can fly ...
but keeping both feet on the ground wont get you anywhere :w00t:
- How to post Performance Problems
- How to post data/code to get the best help[/url]
- How to prevent a sore throat after hours of presenting ppt
press F1 for solution, press shift+F1 for urgent solution 😀
Need a bit of Powershell? How about this
Who am I ? Sometimes this is me but most of the time this is me
May 8, 2009 at 9:15 am
Thanks for all your help. I appreciate it.
May 13, 2009 at 8:07 pm
HI all,
I just have this one question in the backup command if the password should be the same as used in the master key creation or can it be different?
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'password'
BACKUP MASTER KEY TO FILE = ''
ENCRYPTION BY PASSWORD = ' '
I'm thinking the master key creation password will be different from the backup command? I know we need to use the same password used in the backup command for the restore of the master key. I'm just confused with the password in the create and backup command.
Thanks for your help.
May 13, 2009 at 8:51 pm
The backup/restore pwd shouldn't need to be the same as the creation password. The creation password is needed to open the key.
May 14, 2009 at 12:07 am
As Steve said : the password doen't need to be the same;
The backup password is used to encrypt the backup itself. Nothing else.
Johan
Learn to play, play to learn !
Dont drive faster than your guardian angel can fly ...
but keeping both feet on the ground wont get you anywhere :w00t:
- How to post Performance Problems
- How to post data/code to get the best help[/url]
- How to prevent a sore throat after hours of presenting ppt
press F1 for solution, press shift+F1 for urgent solution 😀
Need a bit of Powershell? How about this
Who am I ? Sometimes this is me but most of the time this is me
May 14, 2009 at 6:28 am
Thank you
May 14, 2009 at 10:24 am
I've the same issue still going on.. At this stage, we just want to provide our clients with what they will need to do when the master key gets corrupted.. So for testing this, I'm restored our database(UMP) to test. I took a backup of the master key from the UMP database.
use UMP
BACKUP MASTER KEY TO FILE = 'd:\ump\umpkey'
ENCRYPTION BY PASSWORD = '123'
Now, on the test database the decryption works perfect. I tried below to corrupt the master key:
OPEN MASTER KEY DECRYPTION BY PASSWORD = '239kc5i4gt6j81mn3k';
ALTER MASTER KEY
REGENERATE WITH ENCRYPTION BY PASSWORD = 'tst';
Now tried to decrypt the existing records, since the master key is altered- I expect the decryption not to work. But it decrypts successfully. Is there any other way to test our situation? We just want to test if the backup and restore of the master key will work incase of lost master key or corrupt master key so we can provide the steps to the client.
Thanks again for your help.
May 14, 2009 at 12:27 pm
psangeetha (5/14/2009)
I've the same issue still going on.. At this stage, we just want to provide our clients with what they will need to do when the master key gets corrupted.. So for testing this, I'm restored our database(UMP) to test. I took a backup of the master key from the UMP database.use UMP
BACKUP MASTER KEY TO FILE = 'd:\ump\umpkey'
ENCRYPTION BY PASSWORD = '123'
Now, on the test database the decryption works perfect. I tried below to corrupt the master key:
OPEN MASTER KEY DECRYPTION BY PASSWORD = '239kc5i4gt6j81mn3k';
ALTER MASTER KEY
REGENERATE WITH ENCRYPTION BY PASSWORD = 'tst';
Now tried to decrypt the existing records, since the master key is altered- I expect the decryption not to work. But it decrypts successfully. Is there any other way to test our situation? We just want to test if the backup and restore of the master key will work incase of lost master key or corrupt master key so we can provide the steps to the client.
Thanks again for your help.
The key you provided with "Open master key" was the correct key !
When it regenerates the encryption with the new password you provide, it actually rewrites all stuff that is encrypted !
That's why it is still working.
What you could try on your TEST system is to restore another master key. Doing that should actually corrupt the existing encrypted data !
I did NOT try this myself !!!
Play it safe....Start with a full backup !!!
Johan
Learn to play, play to learn !
Dont drive faster than your guardian angel can fly ...
but keeping both feet on the ground wont get you anywhere :w00t:
- How to post Performance Problems
- How to post data/code to get the best help[/url]
- How to prevent a sore throat after hours of presenting ppt
press F1 for solution, press shift+F1 for urgent solution 😀
Need a bit of Powershell? How about this
Who am I ? Sometimes this is me but most of the time this is me
July 19, 2013 at 7:07 am
Try this:
USE master
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'pass'
GO
ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY
GO
And later rest of the restoration procedure.
Viewing 10 posts - 16 through 24 (of 24 total)
You must be logged in to reply to this topic. Login to reply