17.07.2015

Download eBook (PDF) - Red Gate Software


4 – Encryption Basics for SQL Server

these private keys cannot be decrypted outside of the database unless the database master key is also provided.

Asymmetric keys and certificates are used to protect the other private keys, symmetric keys and data contained within the database. The symmetric keys within the database are used to protect other symmetric keys as well as data within the database. This inner dependency provides a level of security that is much more resistant to unauthorized access.

Service Master Key

The Service Master Key is encrypted using the machine key from the Windows Data Protection API (DPAPI), using the password of the Windows Service Account credentials of the server in which the SQL Server instance is installed. When an instance of SQL Server is installed, and its service is started for the first time, the service master key is created. There can be only one service master key per instance.

The catalog view sys.symmetric_keys can be used to verify the service master key's existence, as shown in Listing 4-1. The service master key is identified with the name ##MS_ServiceMasterKey##.

    USE master;
    GO
    SELECT * FROM SYS.SYMMETRIC_KEYS;
    GO

Listing 4-1: Querying the symmetric_keys catalog view for the service master key.

The service master key is often used to provide protection to other keys within a database. It is also a critical component of the Transparent Data Encryption (TDE) feature of SQL Server 2008.

Database Master Key

This key is unique to each database within the SQL Server instance. If an item is encrypted using the database master key, it cannot be decrypted outside of that database. The database master key is not automatically generated when a database is created, instead it is created using the CREATE MASTER KEY command, as shown in Listing 4-2.
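The following T-SQL is an added example, not a listing from the book: it takes the Listing 4-1 check one step further and inventories the key hierarchy across the instance, confirming the service master key and reporting which databases have a database master key and whether a copy of it is protected by the service master key. The temporary table #dmk and the variable names are hypothetical, and the login is assumed to have permission to see key metadata in every online database.

```sql
USE master;
GO
-- 1. Service master key: exactly one row is expected per instance.
SELECT name, symmetric_key_id, key_length, algorithm_desc, create_date
FROM sys.symmetric_keys
WHERE name = N'##MS_ServiceMasterKey##';
GO

-- 2. Database master keys: none exists until CREATE MASTER KEY has been run,
--    so look inside every online database. #dmk is a hypothetical work table.
CREATE TABLE #dmk (
    database_name  sysname      NOT NULL,
    algorithm_desc nvarchar(60) NULL,
    key_length     int          NULL,
    create_date    datetime     NULL
);
DECLARE @db sysname, @sql nvarchar(max);
DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = N'ONLINE';
OPEN db_cursor;
FETCH NEXT FROM db_cursor INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'INSERT INTO #dmk (database_name, algorithm_desc, key_length, create_date)
        SELECT @name, algorithm_desc, key_length, create_date
        FROM ' + QUOTENAME(@db) + N'.sys.symmetric_keys
        WHERE name = N''##MS_DatabaseMasterKey##'';';
    EXEC sp_executesql @sql, N'@name sysname', @name = @db;
    FETCH NEXT FROM db_cursor INTO @db;
END
CLOSE db_cursor;
DEALLOCATE db_cursor;

-- 3. One row per database: is a master key present, and is it tied to the instance?
SELECT d.name AS database_name,
       CASE WHEN k.database_name IS NULL THEN 'no' ELSE 'yes' END AS has_database_master_key,
       d.is_master_key_encrypted_by_server,
       k.algorithm_desc, k.key_length, k.create_date
FROM sys.databases AS d
LEFT JOIN #dmk AS k
       ON k.database_name COLLATE DATABASE_DEFAULT = d.name COLLATE DATABASE_DEFAULT
ORDER BY d.name;
DROP TABLE #dmk;
GO
```

A database that reports a master key with is_master_key_encrypted_by_server = 0 has a key that is protected by password only, so it must be opened explicitly before it can be used on this instance.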
