standard regarding saving data and decrypting or saving encrypted data straight away...

there is a column (password) in varbinary
(SQL 2012)
MASTER KEY and SYMMETRIC KEY are given.
with that, what is the best standard:

1) should you encrypt the column (using syntax EncryptByKey(Key_GUID('SKName'), PassWordCol)) and let the programmers decrypt from stored procedures, or
2) since every data access is done through stored procedures in this application, would you suggest not even to encrypt, and that encryption (inserts/updates) and decryption (SELECTs) both happen during DML?
Mark ElySenior Coldfusion DeveloperCommented:
This is a fantastic question. The best is to HASH the password, not encrypt and decrypt. Hashing is one way, whereas, as you implied in your question, encrypting is bi-directional.

NIST 2014 recommends SHA3 or a hashing technique such as SCrypt or BCrypt.
0
Vitor MontalvãoMSSQL Senior EngineerCommented:
You only want to encrypt a single column?
And who can see the real values from that column?
0
25112Author Commented:
yes, only one column.
encrypt and save to disk, then a secure stored proc will use the password to call and decrypt it for the .net application. does that sound like a healthy way to do it?
0
Vitor MontalvãoMSSQL Senior EngineerCommented:
The native Encryption from SQL Server doesn't work with passwords but with Certificates, which means that if you move the database to another server you'll also need to migrate the Certificate so the data can be accessible.
If you want to restrict the access to that column to some users only, then you can work with SQL Server permissions or Views.
0
25112Author Commented:
Vitor,

Right now the thinking is this way:
store it encrypted in database.
then in the proc,
call
 1) OPEN MASTER KEY DECRYPTION BY PASSWORD = '1234'
 2) OPEN SYMMETRIC KEY [SYMMETRIC KEY FOR CERT] DECRYPTION BY CERTIFICATE CERTIFICATE1
 3) select dbo.function_name(column)

 The function_name could be to either encrypt or decrypt. For that let's say to have two functions.

 One of them will do this:
      SELECT CONVERT(VARCHAR(100), DecryptByKey(column))

      and other:
       SELECT EncryptByKey(Key_GUID('SYMMETRIC KEY FOR CERT'), column)

       In this approach, I need to encrypt the column before all of this, right?
0
Vitor MontalvãoMSSQL Senior EngineerCommented:
You'll need to call the EncryptByKey function in EVERY write (INSERT & UPDATE) and DecryptByKey in EVERY read (SELECT).
Don't forget that the encrypted column needs to be a varbinary.
0
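The write/read pattern from the answer above, as an added T-SQL example that is not part of the original thread: one procedure encrypts on INSERT, the other decrypts on SELECT, and each opens and closes the symmetric key itself. The table dbo.Users, the column names, the key name SKName (from the question) and the certificate name CERTIFICATE1 are assumed; it also assumes the database master key is protected by the service master key, so no OPEN MASTER KEY is needed inside the procedures.

```sql
-- Assumed objects: table dbo.Users, symmetric key SKName (from the question)
-- protected by certificate CERTIFICATE1. The ciphertext column must be varbinary;
-- EncryptByKey adds a GUID, IV and padding, so size it larger than the plaintext.
CREATE TABLE dbo.Users (
    UserId INT IDENTITY(1,1) PRIMARY KEY,
    Login  NVARCHAR(50)   NOT NULL UNIQUE,
    Secret VARBINARY(512) NOT NULL        -- EncryptByKey output, never plaintext
);
GO

-- Every write goes through here so the column is only ever stored encrypted.
CREATE PROCEDURE dbo.Users_Insert
    @Login  NVARCHAR(50),
    @Secret NVARCHAR(100)
AS
BEGIN
    SET NOCOUNT ON;
    -- The DMK is assumed to be opened automatically (protected by the service
    -- master key), so only the symmetric key has to be opened per call.
    OPEN SYMMETRIC KEY SKName DECRYPTION BY CERTIFICATE CERTIFICATE1;

    INSERT INTO dbo.Users (Login, Secret)
    VALUES (@Login, EncryptByKey(Key_GUID('SKName'), @Secret));

    CLOSE SYMMETRIC KEY SKName;
END
GO

-- Every read goes through here; callers get EXECUTE on the proc, not SELECT
-- on the table, so the raw varbinary is never exposed directly.
CREATE PROCEDURE dbo.Users_GetSecret
    @Login NVARCHAR(50)
AS
BEGIN
    SET NOCOUNT ON;
    OPEN SYMMETRIC KEY SKName DECRYPTION BY CERTIFICATE CERTIFICATE1;

    -- DecryptByKey returns varbinary; convert back to the SAME type that was
    -- encrypted (NVARCHAR here). Converting to VARCHAR would garble the text.
    -- DecryptByKey returns NULL if the key is not open or the data was altered.
    SELECT Login,
           CONVERT(NVARCHAR(100), DecryptByKey(Secret)) AS Secret
    FROM   dbo.Users
    WHERE  Login = @Login;

    CLOSE SYMMETRIC KEY SKName;
END
GO
```

Because DecryptByKey yields NULL rather than an error when the key is unavailable, a reader procedure should treat an unexpected NULL as a key or certificate problem (for example after a database move without the certificate) rather than as missing data.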