加密數(shù)據(jù)
并不是每一種數(shù)據(jù)類型都可以使用EncryptByKey函數(shù)加密����。有效的數(shù)據(jù)類型是nvarchar���、char���、wchar����、varchar和 nchar。表或視圖中常備查詢的列不應(yīng)加密����,因?yàn)榻饷艽罅繒?huì)被一再查詢的數(shù)據(jù)的過程通常會(huì)得不償失。加密數(shù)據(jù)之前��,必須打開將執(zhí)行加密過程的密鑰。數(shù)據(jù)通常手對(duì)稱密鑰保護(hù)����,而對(duì)稱密鑰又受到非對(duì)稱密鑰對(duì)保護(hù)。如果對(duì)稱密鑰手密碼保護(hù)���,那么對(duì)對(duì)稱密鑰和密碼有ALTER 權(quán)限的用戶都可以打開和關(guān)閉對(duì)稱密鑰��。如果對(duì)稱密鑰由一個(gè)非對(duì)稱密鑰或證書保護(hù)��,用戶還需要擁有對(duì)非對(duì)稱密鑰或證書上的CONTROL權(quán)限
- ALTER TABLE Sales.CreditCard ADD EncryptedCardNumber varbinary(128); GO
-
- OPEN SYMMETRIC KEY SalesKey1 DECRYPTION BY CERTIFICATE SalesCert WITH PASSWORD='P@ssw0rd'
-
- UPDATE Sales.CreditCard SET EncryptedCardNumber=EncryptByKey(Key_GUID('SalesKey1'),CardNumber); GO CLSE SYMMETRIC KEY SalesKey1; GO
-
- ALTER TABLE Sales.CreditCard ADD DecryptedCardNumber NVARCHAR(25); GO
-
- OPEN SYMMETRIC KEY SalesKey1 DECRYPTION BY CERTIFICATE SalesCert WITH PASSWORD='P@ssw0rd'; GO
-
- UPDATE Sales.CreditCard SET DecryptedCardNumber=DecryptByKey(EncryptedCardNumber); GO
-
- CLOSE SYMMETRIC KEY SalesKey1; GO
-
- Select TOP(10) CreditCardID, CardNumber AS Original, EncryptedCardNumber AS Encrypted, DecryptedCardnumber AS Decrypted FROM Sales.CreditCard; GO
不過���,可以在SELECT語(yǔ)句中至此那個(gè)DecryptByKey函數(shù)來查看為加密的數(shù)據(jù)
- OPEN SYMMETRIC KEY SalesKey1 DECRYPTION BY CERTIFICATE SalesCert WITH PASSWORD='P@ssw0rd'; GO
-
- SELECT CreditCardID, CardNumber, EncryptedCardNumber AS 'Encrypted Card Number', CONVERT(nvarchar, DecryptByKey(EncryptedCardNumber))
- AS 'Decrypted Card Number' FROM Sales.CreditCard; GO
-
- CLOSE SYMMETRIC KEY SalesKey1;
透明數(shù)據(jù)加密
SQL Server 2008的另一項(xiàng)新工能是透明數(shù)據(jù)加密(TDE,Transparent Data Encryption)。TDE被設(shè)計(jì)為針對(duì)啟用了TDE的數(shù)據(jù)庫(kù)或事務(wù)日志文件�,使用數(shù)據(jù)庫(kù)加密密鑰(DEK,Database Encryption Key)執(zhí)行實(shí)時(shí)IO加密。TDE的好處是它保護(hù)處于休眠狀態(tài)的所有數(shù)據(jù)����。這意味著當(dāng)前未讀入內(nèi)存的數(shù)據(jù)都是用DEK保護(hù)。不過�,當(dāng)查詢運(yùn)行時(shí),從查詢檢索的數(shù)據(jù)將在被讀入內(nèi)存時(shí)解密����。與使用對(duì)稱和非對(duì)稱密鑰解密單個(gè)表或列中的數(shù)據(jù)不同����,在讀或?qū)懯躎DE保護(hù)的數(shù)據(jù)庫(kù)中的表時(shí)����,不必調(diào)用解密函數(shù)。
設(shè)置TDE比其他加密方法要復(fù)雜些��,因?yàn)樵趩⒂盟坝幸恍l件必須滿足:首先���,master數(shù)據(jù)庫(kù)中必須有一個(gè)數(shù)據(jù)庫(kù)主密鑰;其次��,必須在 master數(shù)據(jù)庫(kù)中創(chuàng)建或安裝一個(gè)可用于加密DEK的證書�����,或者可以使用EKM提供程序的非對(duì)稱密鑰;然后�,需要在將加密的數(shù)據(jù)庫(kù)中創(chuàng)建DEK���,最后,在數(shù)據(jù)庫(kù)中啟用加密�。
- USE master CREATE MASTER KEY ENCRYPTION BY PASSWORD='MyStrongP@ssw0rd'; GO
- CREATE CERTIFICATE AughtEightTDE WITH SUBJECT='TDE Certificate for the AUGHTEIGHT Server'; GO
- USE AdventureWorks2008 CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM=TRIPLE_DES_3KEY ENCRYPTION BY SERVER CERTIFICATE AughtEightTDE; GO
- ALTER DATABASE AdventureWorks2008 SET ENCRYPTION ON; GO
