SQL Server Encryption – Implications of Changing from TRIPLE_DES to AES_128

encryptionsql serversql-server-2008symmetric-key

As title asks, what are implications for changing encryption from TRIPLE_DES to AES_128?

I have an older database I've been tasked with hardening, and I need to updated the algorithm used for encryption on it.

Running this query:

SELECT name, key_length, algorithm_desc, create_date, modify_date FROM
sys.symmetric_keys;

returns a result with theh name: ##MS_ServiceMasterKey##, using the TRIPLE_DES algorithm.

I didn't find any asymmetric keys used any of the database on this server.

Thanks for any help!

Best Answer

As title asks, what are implications for changing encryption from TRIPLE_DES to AES_128?

The title is actually quite misleading. Changing from a symmetric to asymmetric key in of itself doesn't change too much, potentially the amount of processing power in order to encrypt or decrypt the key and associated data.

... returns a result with theh name: ##MS_ServiceMasterKey##, using the TRIPLE_DES algorithm.

This is a the SMK or Service Master Key for the instance and can't have the algorithm type changed. This is where the additional context is key, because currently there isn't anything you can do to change it except upgrade to a newer version. You're using sql-server-2008 which has about 9 months of extended support left (July 2019) and is over a decade old - in terms of cryptography that's quite the lifetime. Newer versions of SQL Server, starting with 2012 use AES for the Service Master Key (SMK).

I need to updated the algorithm used for encryption on it.

Your only option, in this case, is to upgrade to something made in this decade (2012+).

Related Solutions

Sql-server – Why “Select * into targettable from sourcetable “ is faster than “insert into targettable select * from sourcetable

A couple of ideas/theories:

SELECT INTO... lets the RDBMS determine sort order based on order of your original table. If you insert into an existing table, there may be a sort needed to match a clustered or nonclustered index(es).

No Indexes - when you SELECT INTO... the RDBMS knows for certain there are no pre-existing indexes to update.

No Contention - since the table you are inserting into does not exist, SQL Server doesn't need to worry about row-level locking or contention handling. Nothing else can reference the table you create since it doesn't exist.

All that being said, there are other ways to insert into a table very quickly.

Make sure your clustered index keys match when possible. This means there is no on-the-fly sorting
Disable all non-clustered indexes. Self-explanatory.
Set recovery mode to simple and trace flag 610 to ON. Use the TABLOCK hint on your target table and NOLOCK hint on your source table.

For example, assume tablea and tableb have the same clustered index:

INSERT INTO TableB WITH (TABLOCK)
SELECT <Columns>
FROM TableA WITH (NOLOCK)

In my experience this is faster than using SELECT INTO... and then creating the clustered index afterwards. Please note this can also work on a table that already has data in it which is a much more useful scenario.

EDIT:

Here's a fantastically detailed whitepaper from MS for data load performance in Sql Server 2008.

SQL Server 2008 – Decrypting Previously Encrypted Data Returns NULL

This sounds like a case where the key_guid in the encrypted data does not match the key_guid for the symmetric key used to encrypt it.

When data is encrypted using a symmetric key and is then saved in a varbinary column, the first 16 bytes are the Key_guid of the symmetric key used to encrypt the data, which explains how DECRYPTBYKEYAUTOCERT can automatically locate the correct symmetric key.

Can you run the script below and verify that this is the case? And, did you encrypt and decrypt the data using the same database?

select 
    name,cast(key_guid as varbinary(max))
from sys.symmetric_keys
where
    name ='key_dbKeys'

select distinct table.data from table
where 
    table.data is not null

After attempting to recreate the problem, there could be a problem opening the symmetric key prior to inserting the data or, after reviewing the documentation for DECRYPTBYKEYAUTOCERT, you need to cast the return, which is varbinary, to varchar. I'm also posting the working script that is based on what you have developed. I had to use a different password.

declare  @clean_data varchar(100)

set  @clean_data='Hello World'

CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'P@ssword!';

CREATE CERTIFICATE cert_dbKeys
   ENCRYPTION BY PASSWORD = 'P@ssword!'
   WITH SUBJECT = 'Database encryption key', 
   EXPIRY_DATE = '20201031';

CREATE SYMMETRIC KEY key_dbKeys 
   WITH ALGORITHM = AES_128
   ENCRYPTION BY CERTIFICATE cert_dbKeys;
create table EncryptedData
( secretmessage varbinary(max))

OPEN SYMMETRIC KEY key_dbKeys
DECRYPTION BY CERTIFICATE cert_dbKeys WITH PASSWORD = 'P@ssword!'

insert into EncryptedData (secretmessage) values(EncryptByKey(Key_GUID('key_dbKeys'), @clean_data))

CLOSE SYMMETRIC KEY key_dbKeys;

SELECT cast(DecryptByKeyAutoCert(cert_id('cert_dbKeys'), N'P@ssword!', secretmessage) as varchar(100)) FROM EncryptedData

Best Answer

Related Solutions

Sql-server – Why “Select * into targettable from sourcetable “ is faster than “insert into targettable select * from sourcetable

SQL Server 2008 – Decrypting Previously Encrypted Data Returns NULL

Related Question