Best Practise to store Database Master Key

Posted on 2008-01-28
Medium Priority
Last Modified: 2008-09-19
I have two questions here :
1)  I wanted to know wht are the best practices for storing the Database Master Key that is used for encrypting the database.  The vendor suggested us to store the password for database masterkey on a piece of paper and keep the paper at a secure location, which I didnt agree with?  Just taking a backup of the key on a flash drive is betteR? How would you argue the hard copy is bad?

2) Application connecting to back end sql server access encrypted data, where should the encryption keys be stored as a best practice...definitely not coded in the application that is wrong. One solution I thought was to store it in the registry of sql server, which gets decrypted when the application with appropriate user credentials connects to the sql server . any suggestion are welcome
Question by:pdoll
LVL 22

Accepted Solution

JimBrandley earned 1000 total points
ID: 20765009
I would say paper is fine if you have nothing of importance in the database. Otherwise, fire, spilled liquids and accidental destruction can leave you without it.

I think your idea of storing it in the registry is fine, providing an electronic copy is made and stored at the same location as your backups. Then if someone needs to change the password, it will be saved with the next backup. In the event your server is destroyed, you will be able to recreate your database and add the registry key as a part of the same process. That also protects you from someone who might gain access to the server and accidentally or maliciously use Regedit to alter or destroy the value in that key.


Assisted Solution

eRescuer earned 1000 total points
ID: 20979961
1) Hardcopy is good. It a) con not be accessed electronically b) have a better chances to survive disaster (ask archeologists ;). Just don't consider your place secure, use bank vault. If the information is really important, think about split-knowledge technique and using two or more separated safes with restricted access to them.

2) The security is always goes with cost. If you think that chances of insider attack are low, your way is fine. You might need better technique for CSP zeroization.

However, if your information is very valuable, think about hardware solution like TPM

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It's not just another paperwork submission. Serious planning and rigour to managing the whole thought processes need to be put in place. The intent is not on drilling into the details, but to share tips in getting the first thing right to kick-start…
Native ability to set a user account password via AD GPO was removed because the passwords can be easily decrypted by any authenticated user in the domain. Microsoft recommends LAPS as a replacement and I have written an article that does something …
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

608 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question