Configure data access and auditing || a - i (Part - 2)

-


Example of Column level Encryption using Certificate

USE [trans_DB];
GO

-- Create database master key
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'GoodLuckWithExam!'

-- Create certificate
CREATE CERTIFICATE Cert_BAN
WITH SUBJECT = 'Bank Account Number';
GO

-- Create SMK
CREATE SYMMETRIC KEY Key_BAN
WITH ALGORITHM = AES_256
ENCRYPTION BY CERTIFICATE Cert_BAN;
GO

-- Create a column to store encrypted data
ALTER TABLE Purchasing.Suppliers
ADD EncryptedBankAccountNumber varbinary(128);
GO

-- Open the SMK to encrypt data
OPEN SYMMETRIC KEY Key_BAN
DECRYPTION BY CERTIFICATE Cert_BAN;
GO

-- Encrypt Bank Account Number
UPDATE Purchasing.Suppliers
SET EncryptedBankAccountNumber = EncryptByKey(Key_GUID('Key_BAN'),
BankAccountNumber);
GO


-- Close SMK
CLOSE SYMMETRIC KEY Key_BAN
GO
/*
Verify encryption was successful
*/

-- Query 1: Check encryption has worked
SELECT TOP 5 SupplierID, SupplierName, BankAccountNumber, EncryptedBankAccountNumber, CONVERT(NVARCHAR(50),  ecryptByKey(EncryptedBankAccountNumber)) AS DecryptedBankAccountNumber
FROM Purchasing.Suppliers
GO

-- Query 2: Open the SMK
OPEN SYMMETRIC KEY Key_BAN
DECRYPTION BY CERTIFICATE Cert_BAN;
GO

-- Query with decryption function
SELECT NationalIDNumber, EncryptedNationalIDNumber
AS 'Encrypted ID Number',
CONVERT(nvarchar, DecryptByKey(EncryptedNationalIDNumber))
AS 'Decrypted ID Number'
FROM HumanResources.Employee;


-- Close SMK
CLOSE SYMMETRIC KEY Key_BAN;
GO


Qsn)  Drawback of Column level encrypted? Also suggest work around for same?
Ans :
  • Indexes on encrypted columns are useless and consume needless resources in most cases. 
  • help improve performance in such cases, such as creating a separate column and storing the hashed value of the sensitive column and incorporating that in your queries.


Qsn) How to find out there is encrypted data in any of the user databases. Is there an easy way to determine if this is the case?

Ans :

The easiest way to determine if there is encrypted data in a database is to get that information from whoever wrote the application. 

Sometimes this is through documentation and other times it's by contacting the development team or the vendor. 

In reality, this is the only way to be completely sure. However, barring this method, there are a few things you can look for which would suggest that you have encrypted data in a given database.

SQL Server Built-In Encryption Markers :

Query the correct catalog views, we should be able to determine if built-in encryption is being used

  • Symmetric Keys:
     SELECT name, key_length, algorithm_desc, create_date, modify_date FROM sys.symmetric_keys;
  • Asymmetric Keys:
SELECT name, algorithm_desc FROM sys.asymmetric_keys;
  • Certificates:
       SELECT name, subject, start_date, expiry_date
        FROM sys.certificates

Qsn) How to check connection is encrypted?
Ans :

  • You can query the sys.dm_exec_connections dynamic management view (DMV) to see if the connections to your SQL Server is encrypted or not. 
  • If the value of encrypt_option is "TRUE" then your connection is encrypted.
SELECT session_id, encrypt_option FROM sys.dm_exec_connections

Qsn) How Check if SQL Server service has been restarted after the configuration changed?
Ans :

You can query the sys.dm_os_sys_info DMV to see when the SQL Server service has been started, just look for the sqlserver_start_time value.

SELECT sqlserver_start_time
FROM sys.dm_os_sys_info


Note :
sys.dm_os_sys_info Returns a miscellaneous set of useful information about the computer, and about the resources available to and consumed by SQL Server.


Comments

Post a Comment

Popular posts from this blog

What is DACPAC and how to use it?

-
Image
Few days before someone asked me a question about DACPAC and BACPAC. To be honest I was really not aware of it and I replied that I have heard these terms for the first time. That person replied DACPAC is used for deploying and upgrading database objects. Even after the clear statement, my reply was like developers would answer this better. Even though DBAs are responsible for migration and deployments. After few days, I got a requirement to migrate database schema (Only Schema) to another instance. In such a case most of us would have used the traditional way to script out the database objects and run the script on another instance. But what if there are many objects? I was exploring the easiest way to migrate the objects and got to know about DAC. After reading about DAC, I felt very sorry myself that I was not aware of such a simplest way of migrating and deploying database objects. I went to my friends who are senior developers and asked this question. None of them was aware ...
Read more

Backdoor in SQL server. Is this hacking, loop hole or Feature ?

-
Image
DBAs should always be ready to face any kind of disaster in SQL environment. That doesn't matter whether it is PROD or Non- PROD.  Recently I have been asked regarding recovering the sysadmin password. I couldn't understand the question hence investigated more to understand actual problem. Then I came to know that there is one SQL Server for which admin login and password is lost. I was Like seriously ? How one can be that much of irresponsible? But rather than getting into that kind of discussion I quickly got ready to help the team.  In SQL Server there is a way to access SQL Instance without login. Lets check that out. Steps : 1) Open SQL Server Configuration  Manager. 2) Right click on SQL Server service and go to Properties. 3) Go to "Startup Parameters" Tab and Add -m.   This will Start the server in Single user mode.  4) Click Apply and Ok. This change would require Service restart.  5) Once Service is restarted then, open CMD as Administrator. ...
Read more

Always on setup end to end - Part 1 || Pre-requisites

-
Image
Hello readers,  Welcome to the new blog after a long time. In this blog I would like to discuss complete end to end always on setup guide for beginners. I will be posting couple of blogs regarding always on in SQL server. I believe that would be helpful to understand Always on in SQL server in easy way. Always on setup involved multiple steps. Hence one may find it difficult. However, if you could plan it well then you may find that always on is much easier to configure and handle. So, without wasting the time lets proceed further. Firstly, we will see what is Always on in SQL Server ? Always on is the high availability and disaster recovery solution introduced in SQL server 2012. As the name suggest, Always on means availability of database all the time even in case of disaster. We can say it is the alternative of mirroring. Only thing is windows failover cluster service also required to be configured as a pre-requisite for always on. In this blog, we will only d...
Read more