I have created database master key. Then I have created asymmetric key:
CREATE ASYMMETRIC KEY smGK_АSymmetricKey_01
WITH ALGORITHM = RSA_512
In the documentation is said, that:
PASSWORD = 'password'
Specifies the password with which to encrypt the
private key. If this clause is not present, the private key will be
encrypted with the database master key.
So, the key should be encrypted with the database master key. Then, why the following is not working:
OPEN MASTER KEY DECRYPTION BY PASSWORD = 'mypass'
SELECT [Email], ASYMKEY_ID('smGK_АSymmetricKey_01'), EncryptByAsymKey(AsymKey_ID('smGK_АSymmetricKey_01'), [Email])
FROM myTable
CLOSE MASTER KEY
and returns NULL
for the second and the third column.
Also, why the EncryptByAsymKey
and DeCryptByAsymKey
functions works with the same key ID? I think that when asymmetric key is used, I will grant to specific users to control the public key and to be able to decrypt data and other user to control the private key and to be the only one who can read it?
If this is not the case and only one group of users will be able to encrypt – decrypt the data, then as the example here, there is no logical difference between the two type of keys (only in terms of performance).
Note:
Best Answer
The
AsymKey_ID
function is returningNULL
because it cannot find that particular Asymmetric Key. I also got aNULL
until I prefixed the literal string with anN
. So the following should work:The root cause of this issue is that you have a character in the key name that does not cleanly translate into ASCII (for the Code Page used by the default Collation of the Database that this is running in). In order to see the issue more clearly, run the following:
Now that we know which character is causing the issue, we can copy/paste it by itself into the
UNICODE()
built-in function to see its value, and converting that decimal value into binary/hex will give us the Code Point (remember to include theN
prefix on the literal so that it doesn't get translated into "?"):We can then look up that Code Point at http://unicode-table.com/en/0410/ to see that it is "Cyrillic Capital Letter A". This means that a second solution to this issue is to drop and recreate the Asymmetric Key with a Latin Capital "A" (i.e.
CHAR(65)
) as that would not require theN
prefix on the string literal.ALSO, you do not need the
OPEN MASTER KEY...
/CLOSE MASTER KEY
statements, at least not to encrypt with an Asymmetric Key; the single statement shown above will work without the Open and Close. Not sure about when using DECRYPTBYASYMKEY. The Open / Close is needed, however, with a Symmetric Key.These two functions use the same AsymKeyID because that is how they are supposed to work. "Controlling" a public key does not make sense because it is "public". The whole idea is that knowledge of the "public" key does not hurt you because it cannot be used to decrypt the data. This is why people sometimes put their PGP public key in their email signature (or at least used to). This allows for anyone to encrypt data so that only those who have the "private" key will be able to read it. This is why you don't need an open Key or even specify a password when encrypting via ENCRYPTBYASYMKEY. Also, the
public_key
column insys.asymmetric_keys
is available to anyone who can SELECT from that system catalog view.Again, anyone (who has rights to see the key **) can encrypt, but only those with access to the password of either the Database Master Key OR the Asymmetric Key itself (depending on which one the Asymmetric Key was protected with) will be able to decrypt. So you do have separation.
There is also a rather large difference between Symmetric and Asymmetric encyption, besides Symmetric being much faster than Asymmetric:
Symmetric encryption is vulnerable to "Whole-value substitution" attacks. The following example is taken from the MSDN page for ENCRYPTBYKEY:
** The O.P. pointed out in a comment on this answer that Users need meta-data visibility rights to an Asymmetric Key in order to see it and use it. This can be done by:
being granted any of the Asymmetric Key permissions on a particular Asymmetric Key:
Please see the MSDN page for GRANT Asymmetric Key Permissions for full details.
Not having such rights would be another possible reason for the
ASYMKEY_ID
built-in function returningNULL
. And because Asymmetric Keys can be "hidden" from Users, the ability to encrypt using one or more keys can be prohibited.