Question on Encrypted Database keys/passwords

  • Brandie Tarvin

    SSC Guru

    Points: 172524

    Quick question, more for informational CYA than anything else (i.e., I don't want to do this, I just want to make sure it can't be done).

    Is it possible to read (in clear text) or decrypt the password for an encrypted database key from the Windows Server registry?

    I know people try to do this all the time (find passwords for things that they shouldn't have access to) and a quick Google search doesn't come up with any links. So I'm posting here in hopes someone can give me the warm fuzzy "No" that I'm looking for. Or to warn me that "yes, it can be" so I can go back to my peeps and look for a solution to lock down this particular hole if it exists.

    Brandie Tarvin, MCITP Database Administrator
    LiveJournal Blog: http://brandietarvin.livejournal.com/
    On LinkedIn!, Google+, and Twitter.
    Freelance Writer: Shadowrun
    Latchkeys: Nevermore, Latchkeys: The Bootleg War, and Latchkeys: Roscoes in the Night are now available on Nook and Kindle.

  • e4d4

    SSCertifiable

    Points: 5751

    Hi, short answer: no. At the Windows level there is only the Service Master Key, which is protected by Windows DPAPI. This key is used by default to protect the master key in the master db, and probably only a hash of the master key password is stored in the db, so you can only brute force it.

    https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-2017
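
    As an added illustration of the key hierarchy e4d4 describes (this is example T-SQL, not part of the original thread), the queries below show how to check, on your own instance, what protects the database master key of master and what protects a TDE database encryption key. Catalog views and statements are standard SQL Server (2012 or later); the comments on what the ALTER does are the added caveat.

```sql
-- Added example (not from the thread): inspect the SQL Server key hierarchy
-- that e4d4 describes. Run in the master database.
USE master;
GO

-- 1. What protects master's database master key (DMK)?
--    ESKM = encrypted by the Service Master Key (SMK), which Windows DPAPI
--           protects for the service account, so the DMK opens automatically.
--    ESKP = encrypted by a password; the DMK can only be opened by whoever
--           supplies that password (OPEN MASTER KEY DECRYPTION BY PASSWORD).
SELECT sk.name,
       ke.crypt_type,
       ke.crypt_type_desc
FROM sys.symmetric_keys AS sk
JOIN sys.key_encryptions AS ke
  ON ke.key_id = sk.symmetric_key_id
WHERE sk.name = '##MS_DatabaseMasterKey##';

-- 2. For each TDE-enabled database: is it fully encrypted (encryption_state 3),
--    and which certificate in master protects its database encryption key (DEK)?
--    That certificate's private key is in turn protected by master's DMK, which
--    is the link back to the SMK / DPAPI chain from step 1.
SELECT DB_NAME(dek.database_id) AS database_name,
       dek.encryption_state,
       dek.encryptor_type,
       c.name                   AS certificate_name,
       c.expiry_date
FROM sys.dm_database_encryption_keys AS dek
LEFT JOIN sys.certificates AS c
  ON c.thumbprint = dek.encryptor_thumbprint;

-- 3. Removing the SMK protection from a DMK forces every use of that DMK to
--    supply the password explicitly (the ESKM row from step 1 disappears).
--    Caveat: do NOT do this in master on a TDE instance, because the engine
--    needs the SMK path to open the TDE certificate automatically at startup.
--    Shown here for a user database, commented out; run only after reviewing.
-- USE SomeUserDb;   -- constructed name
-- ALTER MASTER KEY DROP ENCRYPTION BY SERVICE MASTER KEY;
```

    Step 1 answers the thread's question operationally: when the only row is ESKM, anyone who can run as the service account can open the DMK without any password, while an ESKP-only DMK depends entirely on the password holder.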

  • Sergiy

    SSC Guru

    Points: 109668

    Is it what you're looking for?

    https://simonmcauliffe.com/technology/tde/

  • Grant Fritchey

    SSC Guru

    Points: 395417

    Just talking to an AD expert yesterday after I presented a session on SQLi. Evidently there is a "golden ticket" in AD that unlocks the kingdom. Without that, the answer is a very hard NO. I don't have the details on the issue. Track down David Posthlewait.

    ----------------------------------------------------
    The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood...
    Theodore Roosevelt

    The Scary DBA
    Author of: SQL Server 2017 Query Performance Tuning, 5th Edition and SQL Server Execution Plans, 3rd Edition
    Product Evangelist for Red Gate Software

  • Brandie Tarvin

    SSC Guru

    Points: 172524

    Wow...

    Thanks, everyone. I appreciate the references. This makes this even harder because I just found out corporate DBAs will have the password to the account that will own the keys and I need to figure out how to prevent them from using that account to log into our servers / databases and grabbing PII.

    Grrr. Not looking forward to this conversation.

    Brandie Tarvin, MCITP Database Administrator
    LiveJournal Blog: http://brandietarvin.livejournal.com/
    On LinkedIn!, Google+, and Twitter.
    Freelance Writer: Shadowrun
    Latchkeys: Nevermore, Latchkeys: The Bootleg War, and Latchkeys: Roscoes in the Night are now available on Nook and Kindle.
