Sql-server – How to successfully decrypt column data through the whole database safely

encryptionsql serversql-server-2019

We're moving to Azure SqlDb but as part of that, we're needing to migrate away from EncryptByPassPhrase as it's not supported.

As such, we tried the process on the weekend but we ran into the log filling up and the script stopping midway through.

What are my options here? There will be zero usage of the DB during the process, can/should I change the DB to simple from full recovery model temporarily? I don't really think we care about the individual transactions during the process, just the end result.

Also, given we're doing a compute intensive task – should I bump up the CPU resources temporarily to hopefully make it go faster? It took 9+ hours to fail, I'm wondering if the log interfered.

This is:

SQL 2019 (15.0.2000.5)
DB compat is 150
We've disabled all triggers/jobs during this process

Here's part of the script:

DECLARE @Password VARCHAR(255) = '<some super cool long very high entropy password here>';

SET NOCOUNT ON;

DECLARE @TestDecryption VARCHAR(255);
SELECT TOP(1)@TestDecryption = CONVERT (VARCHAR(50), DECRYPTBYPASSPHRASE (@Password, HealthNumber_Enc))
FROM Patients.Patient
WHERE ProvinceCode = 'ON'
      AND HealthNumber_Enc IS NOT NULL
ORDER BY CreateDate DESC;
PRINT 'Test: ' + @TestDecryption;

IF @TestDecryption IS NOT NULL -- this is to ensure that our password actually works
BEGIN
    ; DISABLE TRIGGER ALL ON DATABASE;

    -- systematically decrypt data in all affected tables
    UPDATE Users.Activity
    SET [Description] = ISNULL (CONVERT (VARCHAR(1000), DECRYPTBYPASSPHRASE (@Password, Description_Enc)), [Description]);
    UPDATE Users.Activity
    SET Description_Enc = NULL;

    UPDATE Contact.[Address]
    SET Address1 = ISNULL (CONVERT (VARCHAR(1000), DECRYPTBYPASSPHRASE (@Password, Address1_Enc)), Address1), Address2 = ISNULL (CONVERT (VARCHAR(1000), DECRYPTBYPASSPHRASE (@Password, Address2_Enc)), Address2), Address3 = ISNULL (CONVERT (VARCHAR(1000), DECRYPTBYPASSPHRASE (@Password, Address3_Enc)), Address3), City = ISNULL (CONVERT (VARCHAR(255), DECRYPTBYPASSPHRASE (@Password, City_Enc)), City), PostalCode = ISNULL (CONVERT (VARCHAR(20), DECRYPTBYPASSPHRASE (@Password, PostalCode_Enc)), PostalCode), Latitude = ISNULL (CONVERT (DECIMAL(9, 6), CONVERT (VARCHAR(10), DECRYPTBYPASSPHRASE (@Password, Latitude_Enc))), Latitude), Longitude = ISNULL (CONVERT (DECIMAL(9, 6), CONVERT (VARCHAR(10), DECRYPTBYPASSPHRASE (@Password, Longitude_Enc))), Longitude);
    UPDATE Contact.[Address]
    SET Address1_Enc = NULL, Address2_Enc = NULL, Address3_Enc = NULL, City_Enc = NULL, PostalCode_Enc = NULL, Latitude_Enc = NULL, Longitude_Enc = NULL

    -- Some 50 other tables after here .. 

    ;ENABLE TRIGGER ALL ON DATABASE;
END;
ELSE BEGIN
PRINT 'Test Decryption returned NULL. Will not proceed!!';
END;

Errors looked like:

Msg 9002, Level 17, State 2, Procedure TRIG_Contact_Address_UPDATE_1, Line 26 [Batch Start Line 0]
The transaction log for database 'YourExampleDb' is full due to 'LOG_BACKUP'.

Best Answer

Take more frequent log backups and/or increase the disk space available for the log files. Let it run for 48 hours over the weekend.

I don't know everything about your system but increasing CPU is unlikely to help.

Related Solutions

Mysql – Can we protect data form Database Administrator by encrypting the data

I have an old post where I discussed an actual product I was evaluating : How to properly secure MySQL database?. The product Gazzang (now Cloudera) would basically encrypt the data and the framework requires using specific keys. Even if you copied the files, the keys not being present in the target system made everything inaccessible just from an OS standpoint.

If you do not trust a DBA with the key, you may have issue specific MySQL grants to SysAdmin/DBAs: SHUTDOWN, PROCESS, SHOW DATABASES, SUPER, REPLICATION CLIENT, and REPLICATION SLAVE. All other GRANTs would need to be given to Project Leaders and Lead Developers.

As you can tell from this answer, your question makes the leap from technology to office politics. We all wish there was some 100% automated HIPAA compilance framework around a database. Until then, you would need to scrupulously define what an operational DBA can and cannot do.

SQL Server Security – Decrypt Encrypted Columns from Backup

It's possible to move a private key from one server to another, if the symmetric key was created using a certificate. The certificate is what allows you to create the same symmetric key on a different server. Looks like that is your approach so you are off to a good start. You have created a symmetric key, secured with a certificate, to encrypt a column of data. To move a symmetric key to another server, you need to follow the following process:

You need to back up the certificate and move this to the other server. To do this, use the BACKUP CERTIFICATE... WITH PRIVATE KEY command. Note that this creates two files: the certificate itself, and its private key file.
```
BACKUP CERTIFICATE sales05 TO FILE = 'c:\storedcerts\sales05cert'
WITH PRIVATE KEY ( FILE = 'c:\storedkeys\sales05key' , 
ENCRYPTION BY PASSWORD = '997jkhUbhk$w4ez0876hKHJH5gh' );
```
When you create the certificate on the destination server, you specify both the certificate file, and the private key file, along with the password you used to back up the certificate on the source server. Here is the example from MSDN:
```
CREATE CERTIFICATE Shipping11 
FROM FILE = 'c:\Shipping\Certs\Shipping11.cer' 
WITH PRIVATE KEY (FILE = 'c:\Shipping\Certs\Shipping11.pvk', 
DECRYPTION BY PASSWORD = 'sldkflk34et6gs%53#v00');
```

Once you have the private key over to the destination server, you can create a symmetric key using the certificate, and decrypt your columnar data using this.

It's not necessary to move the master database key from server to server, however, you do need to have a master database key created on each server. The master key is needed to protect the private keys internally, and to support server bare metal recovery. You don't need the master database key password to copy a certificate. It's the certificate that you need, and you should be able to access this as sysadmin, unless the certificate itself is protected locally, in which case you'd need the certificate's creation password to run the BACKUP operation above.

Best Answer

Related Solutions

Mysql – Can we protect data form Database Administrator by encrypting the data

SQL Server Security – Decrypt Encrypted Columns from Backup

Related Question