加密數(shù)據(jù)
并不是每一種數(shù)據(jù)類型都可以使用EncryptByKey函數(shù)加密��。有效的數(shù)據(jù)類型是nvarchar��、char�����、wchar���、varchar和 nchar���。表或視圖中常備查詢的列不應(yīng)加密,因為解密大量會被一再查詢的數(shù)據(jù)的過程通常會得不償失��。加密數(shù)據(jù)之前,必須打開將執(zhí)行加密過程的密鑰���。數(shù)據(jù)通常手對稱密鑰保護����,而對稱密鑰又受到非對稱密鑰對保護�。如果對稱密鑰手密碼保護,那么對對稱密鑰和密碼有ALTER 權(quán)限的用戶都可以打開和關(guān)閉對稱密鑰��。如果對稱密鑰由一個非對稱密鑰或證書保護�,用戶還需要擁有對非對稱密鑰或證書上的CONTROL權(quán)限
- ALTER TABLE Sales.CreditCard ADD EncryptedCardNumber varbinary(128); GO
-
- OPEN SYMMETRIC KEY SalesKey1 DECRYPTION BY CERTIFICATE SalesCert WITH PASSWORD='P@ssw0rd'
-
- UPDATE Sales.CreditCard SET EncryptedCardNumber=EncryptByKey(Key_GUID('SalesKey1'),CardNumber); GO CLSE SYMMETRIC KEY SalesKey1; GO
-
- ALTER TABLE Sales.CreditCard ADD DecryptedCardNumber NVARCHAR(25); GO
-
- OPEN SYMMETRIC KEY SalesKey1 DECRYPTION BY CERTIFICATE SalesCert WITH PASSWORD='P@ssw0rd'; GO
-
- UPDATE Sales.CreditCard SET DecryptedCardNumber=DecryptByKey(EncryptedCardNumber); GO
-
- CLOSE SYMMETRIC KEY SalesKey1; GO
-
- Select TOP(10) CreditCardID, CardNumber AS Original, EncryptedCardNumber AS Encrypted, DecryptedCardnumber AS Decrypted FROM Sales.CreditCard; GO
不過��,可以在SELECT語句中至此那個DecryptByKey函數(shù)來查看為加密的數(shù)據(jù)
- OPEN SYMMETRIC KEY SalesKey1 DECRYPTION BY CERTIFICATE SalesCert WITH PASSWORD='P@ssw0rd'; GO
-
- SELECT CreditCardID, CardNumber, EncryptedCardNumber AS 'Encrypted Card Number', CONVERT(nvarchar, DecryptByKey(EncryptedCardNumber))
- AS 'Decrypted Card Number' FROM Sales.CreditCard; GO
-
- CLOSE SYMMETRIC KEY SalesKey1;
透明數(shù)據(jù)加密
SQL Server 2008的另一項新工能是透明數(shù)據(jù)加密(TDE,Transparent Data Encryption)�。TDE被設(shè)計為針對啟用了TDE的數(shù)據(jù)庫或事務(wù)日志文件,使用數(shù)據(jù)庫加密密鑰(DEK,Database Encryption Key)執(zhí)行實時IO加密���。TDE的好處是它保護處于休眠狀態(tài)的所有數(shù)據(jù)�。這意味著當(dāng)前未讀入內(nèi)存的數(shù)據(jù)都是用DEK保護�����。不過���,當(dāng)查詢運行時�����,從查詢檢索的數(shù)據(jù)將在被讀入內(nèi)存時解密����。與使用對稱和非對稱密鑰解密單個表或列中的數(shù)據(jù)不同,在讀或?qū)懯躎DE保護的數(shù)據(jù)庫中的表時�,不必調(diào)用解密函數(shù)。
設(shè)置TDE比其他加密方法要復(fù)雜些�����,因為在啟用它之前有一些條件必須滿足:首先�,master數(shù)據(jù)庫中必須有一個數(shù)據(jù)庫主密鑰;其次,必須在 master數(shù)據(jù)庫中創(chuàng)建或安裝一個可用于加密DEK的證書�,或者可以使用EKM提供程序的非對稱密鑰;然后,需要在將加密的數(shù)據(jù)庫中創(chuàng)建DEK���,最后���,在數(shù)據(jù)庫中啟用加密。
- USE master CREATE MASTER KEY ENCRYPTION BY PASSWORD='MyStrongP@ssw0rd'; GO
- CREATE CERTIFICATE AughtEightTDE WITH SUBJECT='TDE Certificate for the AUGHTEIGHT Server'; GO
- USE AdventureWorks2008 CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM=TRIPLE_DES_3KEY ENCRYPTION BY SERVER CERTIFICATE AughtEightTDE; GO
- ALTER DATABASE AdventureWorks2008 SET ENCRYPTION ON; GO
