【Question title】: SQL Server Encryption via symmetric keys (AES_256)
【Posted】: 2019-08-06 17:37:05
【Question】:

I was reading about encryption in databases (SQL Server) and came across an MS article (https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/encrypt-a-column-of-data?view=sql-server-2017).

In the article, they create a master key, then create a certificate using the AES_256 algorithm, and then encrypt/decrypt the data via that certificate.

But as long as the key and the certificate are both on the same database server, anyone with access to the server can decrypt the data at any time. So where is the security? I may not be understanding this correctly, so I am posting here to get the right idea about using encryption on the database side and protecting the keys.

I followed the queries below.

CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<some strong password>';
GO

CREATE CERTIFICATE Sales09  
   WITH SUBJECT = 'Customer Credit Card Numbers';  
GO  

CREATE SYMMETRIC KEY CreditCards_Key11  
    WITH ALGORITHM = AES_256  
    ENCRYPTION BY CERTIFICATE Sales09;  
GO  

-- Create a column in which to store the encrypted data.  
ALTER TABLE Sales.CreditCard   
    ADD CardNumber_Encrypted varbinary(128);   
GO  

-- Open the symmetric key with which to encrypt the data.  
OPEN SYMMETRIC KEY CreditCards_Key11  
   DECRYPTION BY CERTIFICATE Sales09;  

-- Encrypt the value in column CardNumber using the  
-- symmetric key CreditCards_Key11.  
-- Save the result in column CardNumber_Encrypted.    
UPDATE Sales.CreditCard  
SET CardNumber_Encrypted = EncryptByKey(Key_GUID('CreditCards_Key11')  
    , CardNumber, 1, HashBytes('SHA1', CONVERT( varbinary  
    , CreditCardID)));  
GO  

-- Verify the encryption.  
-- First, open the symmetric key with which to decrypt the data.  

OPEN SYMMETRIC KEY CreditCards_Key11  
   DECRYPTION BY CERTIFICATE Sales09;  
GO  

-- Now list the original card number, the encrypted card number,  
-- and the decrypted ciphertext. If the decryption worked,  
-- the original number will match the decrypted number.  

SELECT CardNumber, CardNumber_Encrypted   
    AS 'Encrypted card number', CONVERT(nvarchar,  
    DecryptByKey(CardNumber_Encrypted, 1 ,   
    HashBytes('SHA1', CONVERT(varbinary, CreditCardID))))  
    AS 'Decrypted card number' FROM Sales.CreditCard;  
GO  

【Discussion】:

  • To whoever has requested that this be closed, please provide some information.

Tags: .net sql-server encryption aes database-security
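The key hierarchy in the question is only as strong as whatever protects the database master key (DMK). The script below is an added example, not from the question or the MS article: it inspects that hierarchy with the catalog views, then removes the service-master-key protection so the DMK can only be opened with its password (which is not stored in the database). It assumes the master key, certificate Sales09, symmetric key CreditCards_Key11 and table Sales.CreditCard from the question exist; the backup file path and passwords are placeholders.

```sql
-- Added example (not the question's or the article's code). Assumes the objects
-- created in the question exist in the current database.

-- 1. Inspect the chain: symmetric key -> certificate -> DMK -> service master key.
--    If is_master_key_encrypted_by_server = 1, the instance opens the DMK
--    automatically, so anyone with CONTROL on the database (or sysadmin) can
--    decrypt without ever supplying a password. That is the gap the question asks about.
SELECT name, is_master_key_encrypted_by_server
FROM sys.databases
WHERE name = DB_NAME();

SELECT sk.name AS symmetric_key, ke.crypt_type_desc, c.name AS protecting_cert
FROM sys.symmetric_keys AS sk
JOIN sys.key_encryptions AS ke ON ke.key_id = sk.symmetric_key_id
LEFT JOIN sys.certificates AS c ON c.thumbprint = ke.thumbprint
WHERE sk.name = 'CreditCards_Key11';

-- 2. Break the automatic chain. Back the DMK up first (placeholder path/password);
--    after this, the DMK password is required at runtime and must be kept outside SQL Server.
BACKUP MASTER KEY TO FILE = 'C:\keys\dmk.bak'
    ENCRYPTION BY PASSWORD = '<backup password>';
ALTER MASTER KEY DROP ENCRYPTION BY SERVICE MASTER KEY;

-- 3. Decryption now needs the DMK password before the certificate-protected key can open.
OPEN MASTER KEY DECRYPTION BY PASSWORD = '<some strong password>';
OPEN SYMMETRIC KEY CreditCards_Key11 DECRYPTION BY CERTIFICATE Sales09;

SELECT CreditCardID,
       CONVERT(nvarchar(25), DecryptByKey(CardNumber_Encrypted, 1,
           HashBytes('SHA1', CONVERT(varbinary, CreditCardID)))) AS CardNumber
FROM Sales.CreditCard;

-- Close the keys as soon as the work is done; an open key stays usable for the
-- rest of the session.
CLOSE SYMMETRIC KEY CreditCards_Key11;
CLOSE MASTER KEY;

-- 4. Verify nothing is left open in this session (should return no rows).
SELECT key_name, opened_date FROM sys.openkeys;
```

Without step 2 the "security" is purely permission-based: the DMK is opened by the service master key, so access to the data reduces to access to the database. With step 2, a server compromise still exposes the ciphertext and the key metadata, but not the DMK password.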


【Solution 1】: