SQL Server 2008 Encryption Keys

The SQL Server encryption model includes built-in encryption key management patterned after the ANSI X9.17 standard. This standard defines several layers of encryption keys, which are used to encrypt other keys, which in turn are used to encrypt actual data. The layers of encryption keys defined by the ANSI X9.17 standard.

The service master key (SMK) is the top-level key, the granddaddy of all SQL Server keys. There is a single SMK defined for each instance of SQL Server 2008. The SMK is secured by the Windows Data Protection API (DPAPI), and it is used to encrypt the next layer of keys, the database master keys (DMKs). The SMK is automatically created by SQL Server the first time it is needed. DMKs are used to encrypt symmetric keys, asymmetric keys, and certificates. Each database can have a single DMK defined for it.

The next layer of keys includes symmetric keys, asymmetric keys, and certificates. Symmetric keys are the primary means of encrypting data in the database. While asymmetric keys and certificates can be used to encrypt data, Microsoft recommends that you encrypt data exclusively with symmetric keys.

In addition to all the keys and certificates previously supported by SQL Server 2005, SQL Server 2008 introduces the concept of server certificates and database encryption keys in support of the new transparent data encryption functionality. The server certificate is simply a certificate created in the master database. The database encryption key is a special symmetric key used to encrypt an entire database at once.

The ANSI X9.17 standard is the “Financial Institution Key Management (Wholesale)” standard. This standard defines methods for securely storing and transferring encryption keys, an area of encryption that has been the subject of debate and research throughout the field of cryptography for decades. Encryption key management is not easy. After all, modern encryption theory has only one primary mandate: the security of a system lies with the encryption key. No matter how secure the algorithm you use to encrypt your data, if your encryption key is not properly secured, your data can be easily compromised. SQL Server’s encryption key management is built on top of the secure Data Protection API (DPAPI), making it as secure as possible on a computer that runs Windows.

Source of Information : Apress Accelerated SQL Server 2008


Subscribe to Developer Techno ?
Enter your email address:

Delivered by FeedBurner