
Lab 4.4 - Encrypting Data - FINAL 150813


CHAPTER 4
MANAGING SECURITY

LAB 4.4 – ENCRYPTING DATA

Estimated time to complete this lab: 45 minutes

Data that must remain confidential, even from a user that has SELECT permission on a table, should be encrypted. In this lab you learn about the encryption infrastructure provided by SQL Server 2008 and how to apply encryption to your data.

Lab Objectives

After completing this lab, students will be able to:

- Hash Data
- Encrypt Data with a Passphrase
- Encrypt Data with a Symmetric Key
- Encrypt Data with a Certificate
- Implement TDE

Lab Procedures

A. Hashing Data

In this exercise, you compare the output of different hash algorithms applied to the same data.

1. Execute the following code and compare the results for each hash algorithm:

DECLARE @Hash varchar(100)
SELECT @Hash = 'Encrypted Text'
SELECT HashBytes('MD5', @Hash)
SELECT @Hash = 'Encrypted Text'
SELECT HashBytes('SHA', @Hash)   -- 'SHA' and 'SHA1' name the same algorithm

2. Execute the following code and note that the hash algorithm is case-sensitive:

DECLARE @Hash varchar(100)
SELECT @Hash = 'encrypted text'
SELECT HashBytes('SHA1', @Hash)
SELECT @Hash = 'ENCRYPTED TEXT'
SELECT HashBytes('SHA1', @Hash)
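The following worked example is added here and is not part of the lab. It shows that HashBytes digests the exact bytes it receives (so string type matters as much as case) and how a random per-row salt is combined with the value before hashing and again when verifying; the table dbo.HashDemo is a name made up for the demo.

```sql
-- Added example (not part of the lab). Assumes a scratch database where dbo.HashDemo may be created.
-- Same text, different encodings: varchar and nvarchar inputs give different SHA1 digests.
SELECT HashBytes('SHA1', 'Encrypted Text')  AS varchar_digest,
       HashBytes('SHA1', N'Encrypted Text') AS nvarchar_digest;
GO
-- Salted storage: identical inputs in different rows no longer share a digest.
-- (SQL Server 2008 HashBytes offers MD2/MD4/MD5/SHA/SHA1 only; SHA2 arrived in 2012.)
CREATE TABLE dbo.HashDemo (
    ID     INT IDENTITY(1,1) PRIMARY KEY,
    Salt   BINARY(16) NOT NULL,
    Digest BINARY(20) NOT NULL        -- SHA1 output is 20 bytes
);
GO
DECLARE @Salt BINARY(16) = CRYPT_GEN_RANDOM(16);   -- random salt from the CSP
INSERT INTO dbo.HashDemo (Salt, Digest)
VALUES (@Salt, HashBytes('SHA1', @Salt + CAST('Encrypted Text' AS VARBINARY(100))));
GO
-- Verification recomputes salt + candidate with the stored salt; only the exact
-- original bytes match, so the lower-case candidate reports 'no match'.
SELECT h.ID, c.Candidate,
       CASE WHEN h.Digest = HashBytes('SHA1', h.Salt + CAST(c.Candidate AS VARBINARY(100)))
            THEN 'match' ELSE 'no match' END AS Result
FROM dbo.HashDemo AS h
CROSS JOIN (VALUES ('Encrypted Text'), ('encrypted text')) AS c(Candidate);
GO
DROP TABLE dbo.HashDemo;
```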

B. Encrypting Data with a Passphrase

In this exercise, you use a passphrase to encrypt data.

1. Execute the following code and compare the encrypted value with the result of decrypting it with the same passphrase:

DECLARE @EncryptedText VARBINARY(80)
SELECT @EncryptedText =
    EncryptByPassphrase('<EnterStrongPasswordHere>', 'Encrypted Text')
SELECT @EncryptedText,
       CAST(DecryptByPassPhrase('<EnterStrongPasswordHere>', @EncryptedText) AS VARCHAR(MAX))
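The following example is added here and is not part of the lab. It uses the optional authenticator arguments of EncryptByPassphrase and DecryptByPassphrase to bind each ciphertext to its row's primary key, so that a value moved from one row to another decrypts to NULL instead of a plausible plaintext; the table dbo.PassphraseDemo and its rows are constructed for the demo.

```sql
-- Added example (not part of the lab). Assumes a scratch database.
CREATE TABLE dbo.PassphraseDemo (
    AccountID  INT            NOT NULL PRIMARY KEY,
    Owner      VARCHAR(30)    NOT NULL,
    SecretNote VARBINARY(256) NOT NULL
);
GO
DECLARE @Pass NVARCHAR(128) = N'<EnterStrongPasswordHere>';
-- add_authenticator = 1 mixes the authenticator (here the row key) into the ciphertext.
INSERT INTO dbo.PassphraseDemo (AccountID, Owner, SecretNote)
VALUES (1, 'SalesRep1', EncryptByPassphrase(@Pass, 'Fabrikam', 1, CONVERT(sysname, 1))),
       (2, 'SalesRep2', EncryptByPassphrase(@Pass, 'Contoso',  1, CONVERT(sysname, 2)));
GO
DECLARE @Pass NVARCHAR(128) = N'<EnterStrongPasswordHere>';
-- Normal read: each row decrypts with its own key as the authenticator.
SELECT AccountID, Owner,
       CAST(DecryptByPassphrase(@Pass, SecretNote, 1, CONVERT(sysname, AccountID)) AS VARCHAR(MAX)) AS Note
FROM dbo.PassphraseDemo;

-- The failure mode the authenticator guards against: row 2's ciphertext ends up in row 1
-- (a bad migration, or anyone with UPDATE on the table).
UPDATE dbo.PassphraseDemo
SET SecretNote = (SELECT SecretNote FROM dbo.PassphraseDemo WHERE AccountID = 2)
WHERE AccountID = 1;

-- Row 1 now returns NULL: the authenticator inside the ciphertext ('2') does not match its row key ('1').
SELECT AccountID, Owner,
       CAST(DecryptByPassphrase(@Pass, SecretNote, 1, CONVERT(sysname, AccountID)) AS VARCHAR(MAX)) AS Note
FROM dbo.PassphraseDemo;
GO
DROP TABLE dbo.PassphraseDemo;
```

Application code that sees NULL where a value is expected should treat it as a tamper signal, not as "no data".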

C. Encrypting Data with a Symmetric Key

In this exercise, you create a symmetric key to encrypt data.

1. Execute the following code in the AdventureWorks database to create a symmetric key:

-- RC4 is deprecated from SQL Server 2012 onward; AES_256 is the recommended algorithm
CREATE SYMMETRIC KEY TestSymmetricKey WITH ALGORITHM = RC4
    ENCRYPTION BY PASSWORD = '<EnterStrongPasswordHere>'
SELECT * FROM sys.symmetric_keys

2. Execute the following code to open the symmetric key:

OPEN SYMMETRIC KEY TestSymmetricKey
    DECRYPTION BY PASSWORD = '<EnterStrongPasswordHere>'

3. Execute the following code to view the data encrypted with the symmetric key:

DECLARE @EncryptedText VARBINARY(80)
SELECT @EncryptedText =
    EncryptByKey(Key_GUID('TestSymmetricKey'), 'Encrypted Text')
SELECT @EncryptedText, CAST(DecryptByKey(@EncryptedText) AS VARCHAR(30))

4. Execute the following code to close the symmetric key:

CLOSE SYMMETRIC KEY TestSymmetricKey
GO
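The following example is added here and is not part of the lab. Instead of a password-protected RC4 key, it builds the key hierarchy normally used for column encryption: an AES_256 symmetric key protected by a certificate, which is in turn protected by the database master key, so readers decrypt with DecryptByKeyAutoCert and no password is handled at query time. ColumnCert, ColumnKey and dbo.SymmetricDemo are names made up for the demo.

```sql
-- Added example (not part of the lab). Assumes the AdventureWorks database from the lab.
USE AdventureWorks;
GO
-- A certificate without its own password needs a database master key to protect its private key.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<EnterStrongPasswordHere>';
GO
CREATE CERTIFICATE ColumnCert WITH SUBJECT = 'Column encryption certificate';
GO
CREATE SYMMETRIC KEY ColumnKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE ColumnCert;
GO
CREATE TABLE dbo.SymmetricDemo (
    ID        INT IDENTITY(1,1) PRIMARY KEY,
    SalesRep  VARCHAR(30)    NOT NULL,
    SalesLead VARBINARY(256) NOT NULL    -- ciphertext is longer than the plaintext (IV + header)
);
GO
-- Writer: open the key through the certificate, encrypt, close again.
OPEN SYMMETRIC KEY ColumnKey DECRYPTION BY CERTIFICATE ColumnCert;
INSERT INTO dbo.SymmetricDemo (SalesRep, SalesLead)
VALUES ('SalesRep1', EncryptByKey(Key_GUID('ColumnKey'), 'Fabrikam')),
       ('SalesRep2', EncryptByKey(Key_GUID('ColumnKey'), 'Contoso'));
CLOSE SYMMETRIC KEY ColumnKey;
GO
-- Reader: DecryptByKeyAutoCert opens the key only for the duration of the call, so the
-- key is never left open in the session. NULL is the certificate password, because the
-- private key is protected by the master key rather than by a password.
SELECT ID, SalesRep,
       CAST(DecryptByKeyAutoCert(Cert_ID('ColumnCert'), NULL, SalesLead) AS VARCHAR(30)) AS SalesLead
FROM dbo.SymmetricDemo;
GO
-- Cleanup
DROP TABLE dbo.SymmetricDemo;
DROP SYMMETRIC KEY ColumnKey;
DROP CERTIFICATE ColumnCert;
```

A reader that lacks CONTROL on ColumnCert gets NULL from DecryptByKeyAutoCert, which is how access to the column is governed in this pattern.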

D. Encrypting Data with a Certificate

In this exercise, you create and use a certificate to encrypt data so that users cannot view data they do not have permission to access.

1. Execute the following code to create a test table, two users, and permissions:

CREATE TABLE dbo.CertificateEncryption
(
    ID        INT IDENTITY(1,1),
    SalesRep  VARCHAR(30)    NOT NULL,
    SalesLead VARBINARY(500) NOT NULL
)
GO
CREATE USER SalesRep1 WITHOUT LOGIN
GO
CREATE USER SalesRep2 WITHOUT LOGIN
GO
GRANT SELECT, INSERT ON dbo.CertificateEncryption TO SalesRep1
GRANT SELECT, INSERT ON dbo.CertificateEncryption TO SalesRep2
GO

2. Create a certificate for each user as follows:

CREATE CERTIFICATE SalesRep1Cert AUTHORIZATION SalesRep1
    WITH SUBJECT = 'SalesRep 1 certificate'
GO
CREATE CERTIFICATE SalesRep2Cert AUTHORIZATION SalesRep2
    WITH SUBJECT = 'SalesRep 2 certificate'
GO
SELECT * FROM sys.certificates
GO

3. Insert data for each user as follows:

EXECUTE AS USER = 'SalesRep1'
GO
INSERT INTO dbo.CertificateEncryption (SalesRep, SalesLead)
VALUES ('SalesRep1', EncryptByCert(Cert_ID('SalesRep1Cert'), 'Fabrikam'))
REVERT
GO
EXECUTE AS USER = 'SalesRep2'
GO
INSERT INTO dbo.CertificateEncryption (SalesRep, SalesLead)
VALUES ('SalesRep2', EncryptByCert(Cert_ID('SalesRep2Cert'), 'Contoso'))
REVERT
GO

4. Review the contents of the table, first as yourself and then as each user, as follows:

SELECT ID, SalesRep, SalesLead
FROM dbo.CertificateEncryption
GO
EXECUTE AS USER = 'SalesRep1'
GO
SELECT ID, SalesRep, SalesLead,
       CAST(DecryptByCert(Cert_Id('SalesRep1Cert'), SalesLead) AS VARCHAR(MAX))
FROM dbo.CertificateEncryption
REVERT
GO
EXECUTE AS USER = 'SalesRep2'
GO
SELECT ID, SalesRep, SalesLead,
       CAST(DecryptByCert(Cert_Id('SalesRep2Cert'), SalesLead) AS VARCHAR(MAX))
FROM dbo.CertificateEncryption
REVERT
GO
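The following example is added here and is not part of the lab. It shows that who can decrypt is decided by permissions on the certificate, not on the table: a made-up Manager user is granted CONTROL on SalesRep1Cert only, so it can read SalesRep1's lead but not SalesRep2's, and a final query lists who holds rights on each certificate. Run it after lab step 4 in the same database.

```sql
-- Added example (not part of the lab). Manager is a constructed principal.
CREATE USER Manager WITHOUT LOGIN;
GO
GRANT SELECT ON dbo.CertificateEncryption TO Manager;           -- can see the ciphertext
GRANT CONTROL ON CERTIFICATE::SalesRep1Cert TO Manager;         -- can use this private key only
GO
EXECUTE AS USER = 'Manager';
SELECT ID, SalesRep,
       -- 'Fabrikam' on SalesRep1's row; NULL on SalesRep2's row (wrong certificate for that ciphertext)
       CAST(DecryptByCert(Cert_ID('SalesRep1Cert'), SalesLead) AS VARCHAR(MAX)) AS ViaRep1Cert,
       -- NULL on both rows: Manager holds no permission on SalesRep2Cert
       CAST(DecryptByCert(Cert_ID('SalesRep2Cert'), SalesLead) AS VARCHAR(MAX)) AS ViaRep2Cert
FROM dbo.CertificateEncryption;
REVERT;
GO
-- Review who can use each certificate. Owners (SalesRep1, SalesRep2 via AUTHORIZATION)
-- have implicit rights and do not appear here, so check sys.certificates.principal_id as well.
SELECT c.name AS certificate_name, dp.name AS grantee, p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.certificates         AS c  ON p.major_id = c.certificate_id AND p.class_desc = 'CERTIFICATE'
JOIN sys.database_principals  AS dp ON p.grantee_principal_id = dp.principal_id;
GO
-- Cleanup
REVOKE CONTROL ON CERTIFICATE::SalesRep1Cert FROM Manager;
DROP USER Manager;
```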

E. Implementing TDE

In this exercise, you implement TDE for the AdventureWorks database.

1. Create a master key and certificate in the master database as follows:

USE master
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<EnterStrongPasswordHere>'
GO
CREATE CERTIFICATE ServerCert WITH SUBJECT = 'My Server Cert for TDE'
GO

2. Back up the certificate and private key to a file to ensure recoverability as follows:

BACKUP CERTIFICATE ServerCert
    TO FILE = 'C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Backup\servercert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Backup\servercert.key',
        ENCRYPTION BY PASSWORD = '<EnterStrongPasswordHere>')

3. Create a database encryption key for the AdventureWorks database as follows:

USE AdventureWorks
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_128
    ENCRYPTION BY SERVER CERTIFICATE ServerCert
GO

4. Enable encryption for the AdventureWorks database:

ALTER DATABASE AdventureWorks
    SET ENCRYPTION ON
GO
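The following example is added here and is not part of the lab. It checks that encryption actually completed and then rehearses the recovery path that step 2's backup exists for: on another instance, ServerCert must be recreated from the backed-up files before an encrypted AdventureWorks backup can be restored. File paths under C:\Restore and the backup file name are placeholders.

```sql
-- Added example (not part of the lab).
-- 1. Encryption state per database: 2 = encryption in progress, 3 = encrypted.
--    tempdb is listed too; it is encrypted automatically once any user database is.
SELECT DB_NAME(database_id) AS database_name, encryption_state, percent_complete,
       key_algorithm, key_length, encryptor_type
FROM sys.dm_database_encryption_keys;
GO
-- 2. The database-level flag set by ALTER DATABASE ... SET ENCRYPTION ON.
SELECT name, is_encrypted
FROM sys.databases
WHERE name = 'AdventureWorks';
GO
-- 3. On a DIFFERENT instance (recovery rehearsal). Copy servercert.cer and servercert.key
--    there first; the password is the one given in BACKUP CERTIFICATE ... ENCRYPTION BY PASSWORD.
USE master;
GO
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<EnterStrongPasswordHere>';
GO
CREATE CERTIFICATE ServerCert
    FROM FILE = 'C:\Restore\servercert.cer'                      -- placeholder path
    WITH PRIVATE KEY (FILE = 'C:\Restore\servercert.key',         -- placeholder path
                      DECRYPTION BY PASSWORD = '<EnterStrongPasswordHere>');
GO
-- Only now does the restore succeed; without the certificate it fails to open the DEK.
RESTORE DATABASE AdventureWorks
    FROM DISK = 'C:\Restore\AdventureWorks.bak';                  -- placeholder path
GO
```

Without the certificate backup (and its password) every backup of the encrypted database is unreadable, so store both separately from the database backups and test this restore before relying on it.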
