I'm having some issues restoring a backup of database that uses native encryption onto another server. I know there are a couple of articles on this but I seem to be missing something. Any help would be greatly appreciated.
Current Server Windows 2000
Destination Server Windows 2003
The original key setup for the current server was achieved by something like this:
CREATE SYMMETRIC KEY HR01 WITH algorithm=DES encryption BY password = 'HRpassword'
Running the command select * from sys.symmetric_keys on the current server I get the following:
name
principal_id
symmetric_key_id
key_length
key_algorithm
algorithm_desc
create_date
modify_date
key_guid
HR01
1
256
56
D
DES
2006-11-22 16:36:01.883
2006-11-22 16:36:01.883
BBD80500-338F-47D7-B336-85D46E00F2F0
So I restored the database onto the new server and ran this script:
OPEN MASTER KEY DECRYPTION BY PASSWORD = 'Password';
ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY;
GO
I don't have a master key... so I go back to the original server and ran this script and did another backup:
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Password'
OPEN MASTER KEY DECRYPTION BY PASSWORD = 'Password';
ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY;
Running select * from sys.symmetric_keys on the current server now looks like this:
name
principal_id
symmetric_key_id
key_length
key_algorithm
algorithm_desc
create_date
modify_date
key_guid
why my script is not allowing me to DECRYPTBYKEY once I restore my DB from PRODUCTION BACKUP....
-- SET Staging to Single User Mode to be able to RESTORE DB---
-- STEP 1 (Works No Problems Here)
USE master; GO ALTER DATABASE Staging SET SINGLE_USER WITH ROLLBACK IMMEDIATE; GO RESTORE DATABASE Staging FROM DISK = 'C:Program FilesMicrosoft SQL ServerMSSQL11.MSSQLSERVERMSSQLBackupMyDBRestore.bak' ; GO
-- STEP 2 - USE ONLY IF THE ABOVE IS UNSUCCESSFUL ||| FAILURE ****** RESTORE RUN THE FOLLOWING SCRIPT -----
--If the above is successful the DB sets itself back to MULTI_USER
--------------- @@@@@@@@@@@@@@ IMPORTANT UNCOMMIT AND RUN @@@@@@@@@@@@@@@@@@@@@@@@@ MANUAL STEPS ---------------------- -- RBD - Recreate Security ID'S AND PERMISSIONS FOR Stored Procedure EXECUTE RIGHTS, because PASSWORDS are different on lower -- environments --USE [Staging] --GO --/****** Object: User [WebUser] Script Date: 4/13/2015 11:15:51 AM ******/ --DROP USER [WebUser]
I'm trying to develop a procedure for re-encrypting data with a different symmetric key, but I need the new key to use the old key name. I want to do this without leaving the data in clear text at any point. I would think the process would work like this:
1.Create a new key 2.Decrypt data w/old key and encrypt with new key. 3.Drop old key. 4.Rename new key using the old key name.
However, I can't find that there's a way to rename a symmetric key. Is this correct? If that is the case, I believe I have to do an additional round of encryption:
1.Create a temp key 2.Decrypt data w/old key and encrypt with temp key. 3.Drop old key. 4.Create a new key with the old key name. 5.Decrypt data w/temp key and encrypt with new key. 6.Drop temp key
i've getting ready to implement encryption on a rather large database. I'd read that if performance is of utmost concert, you should use symmetric keys. I want to encrypt those keys by asymmetric keys. My code is working, but i'm just not sure if there is a quicker way? do you have to open and close the key each time you select/update/insert in a stored procedure that references an encrypted column, or is there a way to just modify the code by adding the encryptbykey/decryptbykey functions?
has anyone implemented encryption on columns in large tables? any suggestions for me?
Thanks, Pete
here's my code to create the keys:
create asymmetric key ASK_Auto_Encrypt with algorithm = RSA_512;
create symmetric key SK_AE with algorithm = TRIPLE_DES encryption by asymmetric key ASK_Auto_Encrypt;
here's my code to test this:
create table encryption_test (test varchar(50));
open symmetric key SK_AE decryption by asymmetric key ASK_Auto_Encrypt;
insert into encryption_test select encryptbykey(key_guid('SK_AE'),'test');
select convert(varchar(max),decryptbykey(test)) from encryption_test;
I've played with various configurations of the MS SQL Server encryption functionality, and come across an embarrassingly easy question that I cannot seem to resolve. How do I retrieve the actual symmetric and asymmetric keys out of the database?
I'd like to explore the possibility of off-loading the encryption/decryption work from the database server to a load-balanced pool of servers. For this model to work the pool would need access to the keys. The symmetric keys currently are generated with the command...
We have been playing around with encryption in 2005. I cannot find a BOL topic that discusses dropping encryption objects such as keys.
We do the followign steps:
Create master key with password, then we create a certificate using the master key, we then create a symmetric key using this certificate and encrypt data columns.
But what i find worrying is that you can then drop the symmetric key , there are no warnings that you have objects dependant on this key for decryption.
Once you have dropped the key you cannot decrypt the data anymore?
Also the key defults the expiration date to 1 year.
WHat happens after 1 year when you have encrypted data and an expired key, or someone drops the key ? How can you ever decrypt the data after that ?
You can backup master keys nd certificates but not symmetric keys?
It seems to be that youc an very easily orphan encrypted data by the loss of the symmetric key for whatever reason, is this correct ?
I have a question about the storage of symmetric keys in SQL Server 2005 due to the fact that I have read two conflicting statements on this.
In Laurentiu's blog located at http://blogs.msdn.com/lcris/archive/2005/10/14/481434.aspx, in regards to preventing symmetric key loss he makes the statement that "...Because the keys are stored in the database, they will be saved with the database....".
But in the white paper Improving Data Security by Using SQL Server 2005, which is located at http://www.microsoft.com/technet/itshowcase/content/sqldatsec.mspx, in regards to symmetric keys the statement is made "...Note: The symmetric key is not stored in the database. Only the encrypted values of the symmetric key are stored in the database. Therefore, users who can access the database cannot decrypt the data without first decrypting the symmetric key....".
So I am just wondering which statement is correct, are symmetric keys stored in the database or not?
Hello. I have a problem that spans VB.net, SQL Server and SSIS but is rooted in the need to encrypt column data in SQL Server.
I would like to encrypt data that I am bringing into SQL Server in the Data transformation script component of an SSIS package. I have achieved this but I can't decrypt the data because the keys don't match. I would like to use symmetric key encryption but I don't see how to get the symmetric key that I created in SQL Server available to the VB.net script component in SSIS.
Please advise me if my approach is correct and what steps I need to take.
I can't seem to use symmetric keys in stored procedures. I am trying to decrypt a column in my stored precedure but the values are all NULL. First I tried a symmetric key that required a password but I kept getting simple syntax errors when I tried to send the password to the stored precedure as a parameter. Now I am trying a symmetric key that uses a certificate.
I also tried using WITH EXECUTE AS SELF and WITH EXECUTE AS CALLER but that made no difference.
We had a server give out on us completely. All that is left is a back up of the SSRS database. We have been able to get a new SSRS environment working but the symmetric key doesn't seem to work. Reports will run if we delete all sensitive data through the Config manager and reenter the connection strings into the datasource but if we can get the symmetric key saved in the ReportingServices database to work correctly it will save us a ton of effort. Can we make use of the symmetric key saved in the ReportServer.dbo.Keys table?
I am trying to implement the column encryption on one of the tables, have used the below link as the reference and got stuck at the last step.
[URL] ....
I have completed the following steps so far.
- CREATE MASTER KEY ENCRYPTION BY PASSWORD = ‘myStrongPassword’
- CREATE CERTIFICATE MyCertificateName WITH SUBJECT = 'A label for this certificate'
- CREATE SYMMETRIC KEY MySymmetricKeyName WITH IDENTITY_VALUE = 'a fairly secure name', ALGORITHM = AES_256,
[Code] .....
Example by using the function
EXEC OpenKeys
-- Encrypting SELECT Encrypt(myColumn) FROM myTable
-- Decrypting SELECT Decrypt(myColumn) FROM myTable
When I ran the last command :
-- Decrypting SELECT Decrypt(myColumn) FROM myTable
I get the following error :
Msg 257, Level 16, State 3, Line 2 Implicit conversion from data type nvarchar to varbinary is not allowed. Use the CONVERT function to run this query.
Where will I use the convert function, in decrypt function or in select statement?
Our report server are constantly getting the below error.
What causes this - I know how to fix it, in fact, I've automated it but why does it constantly happen on some servers? I guess I'd like to know what causes it to try and fix it at those points instead of having to fix it here. Proactively.
Reporting Services Error
The report server cannot decrypt the symmetric key used to access sensitive or encrypted data in a report server database. You must either restore a backup key or delete all encrypted content. Check the documentation for more information. (rsReportServerDisabled) (rsRPCError) Get Online Help
The report server cannot decrypt the symmetric key used to access sensitive or encrypted data in a report server database. You must either restore a backup key or delete all encrypted content. Check the documentation for more information. (rsReportServerDisabled)
The report server cannot decrypt the symmetric key used to access sensitive or encrypted data in a report server database. You must either restore a backup key or delete all encrypted content. Check the documentation for more information. (rsReportServerDisabled)
Say i have some symmetric keys encrypted by other symmetric keys , is there some way to find the relationship of these key?
I know i can find the certificate or asymmetric key through sys.key_encryptions catalog view by "thumbprint" column, but the thumbprint column is null when the key was encrypted by a symmetric key.
There is all kinds of great info out there about the mechanics behind column level encryption in SQL2005, but it all seems to assume I only have 1 or 2 database servers. If I am using an X509 certificate to encrypt my data, it looks as if I can script the administration of this fairly easily.
But what if I have 1000 SQL Servers?
Is there any guidance/best practices/tools out there that will help me manage the 1000 certificates that I would need to deploy in such a scenario. Also, what if I need to 'rotate' the certificates for some reason. Can a PKI for the domain help me to automate and manage this?
It seems as if the management of these certificates is purely 'manual' at this point.
Has any1 noticed that when they are transferring SQL tables from one server (or machine) to another that the primary keys drop from the table (or is it just me). If so, has someone figured out why? and how to rectify this (apparent) error.
Just got a new workstation and installed Enterprise Manager. Is there an easy way to migrate the registered servers from the old workstation to the new one.
I have about 30 servers defined under 6 groups. It would certainly be a lot easier if there was a file I could drag from one workstation to another.
Hi all, I have a database that is duplicated on 4 different SQL Server 2000 servers. I created a database diagram in one of those identical databases using EM, and thought I would like to copy it across to the other 3 databases. I can't find any way to do that though.
Any ideas? I can right-click and copy the diagram in the source server/database, but can't "paste" into the second server/database's Diagrams directory.
I know the diagram is created from the objects in the dabase, but mine required some customization and it would be really cool if someone has a silver bullet I could borrow to make the diagrams in the other DB's match up to the formatted one.
I was wondering if there is a way to move ODBC connections between SQL servers? We are replacing our current server with newer hardware, and I have pretty much everything figured out except this.
I have user that we just migrated his Access database to SQLServer. All went well with the migration, but then he came up withanother requirement to be able to replicate the database to a localSQL server living on the hard drive of a laptop. Before the migrationhe just copied the entire Access databse to the lap top.I tried using the Copy SQL Server Objects Task to move thenecessary tables from the production server to the laptop, but noticedit doesn't copy over the table Indexes/keys identiy fields etc. Iended up backing up the production database and restoring it to thelaptop database, but wondered if there is any way to move the tables,with their properties from one server to another? I know I can setup the backup process to run as scheduled, but the problem is the dataneeds to be moved on an irregular time table. I thought about justwriting code on the remaining Access front end to empty the localtables and then query the data from the production side to reloadthem, but I'm sure there's an easier way.Any suggestions would be appreciated.Thanks,Tom
I have a set of packages that use an Indirect Configuration to a XML config that gives each package a connection string to the Configuration database. The configuration database has all the connection strings for every connection I use.
I just moved my dbs to a new server. I updated the XML config file to point to the new server and updated the connections in the configuration table. I am having two problems. When I open packages in BIDS, I am receiving errors because the connection strings embedded in the packages were pointing to the old server. I updated the Data Sources in the solution and that didn't fix it. Why is it not using the configurations?
Also, on the production box (64bit), I am having the same problem. It is not reading in the connections from the new SQL configuration table. All my connections that are producing errors are OLEDB for SQL.
We have succesfully moved SQL server to a new machine and this same machine will also be running IIS 5.1 to host our intranet. We will be doing the actual developing on other machines and publishing the site to the new machine. Now, when I went to test the site, it all comes up just fine, but logging in is a problem. What do I need to do to configure the new SQL server to accept new members, logins, etc. Oh, and actually membership is still on the "old" SQL. When I tried to login, I get this:
Server Error in '/' Application.
Login failed for user ''. The user is not associated with a trusted SQL Server connection. Thanks for the information.
Is there any easy way to move users between SQL Servers for a particular database? We have tests and development servers I would like to make sure the user lists are in sync for that db.
Greetings all,This should be an easy task, and Im sure it is, but as many times as I havetried, I cant seem to get this to work properly.We changed ISPs recently from a shared host to a co-located server, and ourformer host was nice enough to send us a backup of our old SQL2000 database(about 5MB).I went into Enterprise Manager, created an empty database with the same nameand used the Restore Backup tool successfully. I took a look at the db andsaw all the Tables and data intact.Next I wanted to re-create the DSN to match the old one so that I wouldnthave to fiddle with any of the old connection strings in my asp pages.Thats where the fun began. The old DSN was created by our host via an emailrequest and I never got a look at the actual creation process of that DSN.I created one on our colo server with the same name, but it would only passthe connection tests when I used the Windows User Authentication rather thanSQL Server Authentication. No big deal I figured, and just went ahead andset it up using the same DSN name.Next I tried the main.asp page to test the DSN and lo and behold I got theODBC connection errors. I tinkered with the connection strings a bit andmanaged to get a wide variety of connection errors and fine-tuned to thepoint that it said "Unable to login with user 'SERVER169/nacog'". At thispoint, I went into Enterprise manager and added 'nacog' to the User list andthe connection string no longer produced errors. (By the way, my connectionstring simply contains "DSN=YAVAPAICONNECT;")My next step was to actually execute a SELECT statement which produced thefollowing error:Microsoft OLE DB Provider for ODBC Drivers error '80040e09'[Microsoft][ODBC SQL Server Driver][SQL Server]SELECT permission denied onobject 'ADMINS', database 'YAVAPAICONNECT', owner 'dbo'./nacog/admin/main.asp, line 189Why was I not surprised?I went back to Enterpise Manager, saw the all the tables had 'dbo' as theowner, and tried to give 'nacog' all the permissions at the table level, butthe error persists.To preserve my sanity I stopped there, because I spun my wheels for hoursand days the last time this happened. and my eye has not stopped twitchingsince ;)I am quite sure that this has something to do with one or all of thefollowing:1) The way SQL2K was installed (it was installed by someone else)2) My creation of the db with the windows login, rather than SQL auth, priorto import3) My creation and handling of the DSNMy background is mainly in ASP programming, and I understand bits and piecesof this puzzle, but for the life of me I cannot piece this thing together.Can anyone help point me in the right direction or suggest a good tutorial?I would be very thankful to anyone who could help put me on the right track.Best Regards,Ben M.
We are planning to move all of our System Center Databases that reside on front end servers to each system center application to a centrally located SQL 2012 server. We'd like to centralize everything and have our DBA care for the server. here is our setup:
SCOM has 1 monitoring and 1 Data warehouse server. SCCM has 1 server with all roles on it. DPM database is on the same server as Application. Same with SCVMM. I have 2 questions regarding this move:
1. Can I have all these databases running on 1 SQL instance?
2. Is there a best practice document that highlights steps and "gotchyas"
I'm going through my tables and rewriting them so that I can create relationship-based constraints and create foreign keys among my tables. I didn't have a problem with a few of the tables but I seem to have come across a slightly confusing hiccup.
Here's the query for my Classes table:
Code:
CREATE TABLE Classes ( class_id INT IDENTITY PRIMARY KEY NOT NULL,
This statement runs without problems and I Create the relationship with my Users table just fine, having renamed it to teacher_id. I have a 1:n relationship between users and tables AND an n:m relationship because a user can be a student or a teacher, the difference is one field, user_type, which denotes what type of user a person is. In any case, the relationship that's 1:n from users to classes is that of the teacher instructing the class. The problem exists when I run my query for the intermediary table between the class and the gradebook:
Code:
CREATE TABLE Classes_have_Grades ( class_id INT PRIMARY KEY NOT NULL,
Query Analyzer spits out: Quote: Originally Posted by Query Analyzer There are no primary or candidate keys in the referenced table 'Classes' that match the referencing column list in the foreign key 'Classes_have_gradesFKIndex2'. Now, I know in SQL Server 2000 you can only have one primary key. Does that mean I can have a multi-columned Primary key (which is in fact what I would like) or does that mean that just one field can be a primary key and that a table can have only the one primary key?
In addition, what is a "candidate" key? Will making the other fields "Candidate" keys solve my problem?
ALTER TABLE [Students] WITH CHECK ADD CONSTRAINT [FK_Students_Schools] FOREIGN KEY([SchoolId]) REFERENCES [Schools] ([SchoolId])
What kind of index would ensure best performance for INSERTs/UPDATEs, so that SQL Server can most efficiently check the FK constraints? Would it be simply:
CREATE INDEX IX_Students_SchlId ON Students (SchoolId) Or CREATE INDEX IX_Students_SchlId ON Students (SchoolId, StudentId)
In other words, what's best practice for adding an index which best supports a Foreign Key constraint?
Pls let me know How I generate script for All primary keys and foreign keys in a table. Thereafter that can be used to add primary keys and foreign keys in another databse with same structure.
Also how I script default and other constraints of a table?
Hello!I have a table A with fields id,startdate and other fields. id and startdateare in the primary key.In the table B I want to introduce a Foreign key to field id of table A.Is this possible? If yes, which kind of key I have to build in table A?Thx in advance,Fritz
Respectd sir thanks for your reply but my issue is different. In my database have lots of table, In each table have different datatype field. we want to just encrypt these data. As example i am declare one table
TableCD --------- CDID Integer Not Null VolID Integer NotNull CDRegDate DateTime CDData1 BigInt CDAmtInWord Varchar(100) not null
Data Is CDID VolID CDRegDate CDData1 CDAmtInWord 1201/10/2008102014521 cr. 1302/10/2008102014531 cr.
our requirement is just encrypt this data with symmetric key and decyrpt this data. Please immediate reply me. Thanks Asit Sinha
Hi - this is a repost of a question that I originally posted in Security. Ok, I'm very new to this topic. I'm working on an application that requires that some information in the db be encrypted and then decrypted when retrieved. I have everything set up and it works fine except for one thing. I can't seem to be able to pass a parameter into the sp that is used to decrypt the key. It only seems to take the string when typed in. I really think I'm missing something here. It doesn't seem all that great to have your password hard-coded into the stored procedure. Maybe I'm just screwing something up? Anyway, I can't get it to work if it looks like this:OPEN SYMMETRIC KEY Key_NameDECRYPTION BY PASSWORD = @pwdThis does work:OPEN SYMMETRIC KEY Key_NameDECRYPTION BY PASSWORD = 'password'This has to be some goof on my part right? If the db machine is compromised you're giving the keys to decrypt the data away as well - they just haver to open your stored proc. You should keep them separate imo and I hope someone can set me straight. Also, encrypting the stored procedure is an option, but it's very easy to decrypt from what I've read. Can someone help point me in the right direction? Thanks! And thanks to the mod that suggested moving this post. Any help will be appreciated.
