I am using the following PowerShell code to create a certificate that can be used as Column Master Key for Always Encrypted feature:
New-SelfSignedCertificate -Subject "AlwaysEncryptedSecurityLevelNormalV001" -CertStoreLocation Cert:LocalMachineMy -KeyExportPolicy Exportable -Type DocumentEncryptionCert -KeyUsage KeyEncipherment -KeySpec KeyExchange -KeyLength 2048 -NotAfter (Get-Date).AddYears(100)
Then I export the certificate and import it into the machine where the SQL Server is running. During the export I am disabling the option to export the certificate private key. So, if one try to export it, he/she will get the following:
This is nice because the certificate private key is protected for export.
I am wondering is there any cases where I may need to export only the certificate without the privet key in the context of Always Encrypted feature (as the work of this certificate it to protect the column encryption keys only) ?
Best Answer
That defeats the purpose of using Always Encrypted if the server that is running SQL Server also has the certificate to decrypt all the data.
Please, please, please don't do this! Put it on the client machine or a "tools" or "intermediate loading" machine to get the data in and out. Then remove the key and keep it only on the client machines that are locked down.
I'd also keep, in the back of your mind, a solution for when a client machine is lost/stolen/breached (laptop), or a server is compromised. How do you find out, how long do you have to rotate CMKs, do you know how to rotate CMKs, etc.
The private key is what keeps everything safe, so no private key then no decryption. I can't think of any times when this would be useful.