Best Practise to store Database Master Key

I have two questions here :
1)  I wanted to know wht are the best practices for storing the Database Master Key that is used for encrypting the database.  The vendor suggested us to store the password for database masterkey on a piece of paper and keep the paper at a secure location, which I didnt agree with?  Just taking a backup of the key on a flash drive is betteR? How would you argue the hard copy is bad?

2) Application connecting to back end sql server access encrypted data, where should the encryption keys be stored as a best practice...definitely not coded in the application that is wrong. One solution I thought was to store it in the registry of sql server, which gets decrypted when the application with appropriate user credentials connects to the sql server . any suggestion are welcome
pdollAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

JimBrandleyCommented:
I would say paper is fine if you have nothing of importance in the database. Otherwise, fire, spilled liquids and accidental destruction can leave you without it.

I think your idea of storing it in the registry is fine, providing an electronic copy is made and stored at the same location as your backups. Then if someone needs to change the password, it will be saved with the next backup. In the event your server is destroyed, you will be able to recreate your database and add the registry key as a part of the same process. That also protects you from someone who might gain access to the server and accidentally or maliciously use Regedit to alter or destroy the value in that key.

Jim
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
eRescuerCommented:
1) Hardcopy is good. It a) con not be accessed electronically b) have a better chances to survive disaster (ask archeologists ;). Just don't consider your place secure, use bank vault. If the information is really important, think about split-knowledge technique and using two or more separated safes with restricted access to them.

2) The security is always goes with cost. If you think that chances of insider attack are low, your way is fine. You might need better technique for CSP zeroization.

However, if your information is very valuable, think about hardware solution like TPM
http://en.wikipedia.org/wiki/Trusted_Platform_Module
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft SQL Server 2005

From novice to tech pro — start learning today.