standard regarding saving data and decrypting or saving encrypted data straight away...

There is a column (password) in varbinary
(SQL 2012).
MASTER KEY and SYMMETRIC KEY are given.
With that, what is the best standard:

1) Should you encrypt the column (using syntax EncryptByKey(Key_GUID('SKName'), PassWordCol)) and let the programmers decrypt from stored procedures, or
2) since every data access is done through stored procedures in this application, would you suggest not even to encrypt, and that encryption (inserts/updates) and decryption (SELECTs) both happen during DML?
25112 Asked:
 
Vitor Montalvão (MSSQL Senior Engineer) Commented:
You'll need to call the EncryptByKey function in EVERY write (INSERT & UPDATE) and DecryptByKey in EVERY read (SELECT).
Don't forget that the encrypted column needs to be a varbinary.
0
 
Mark Ely (Senior Coldfusion Developer) Commented:
This is a fantastic question. The best is to HASH the password, not encrypt and decrypt. Hashing is one-way whereas, as you implied in your question, encrypting is bi-directional.

NIST 2014 recommends SHA3 or a hashing technique such as SCrypt or BCrypt.
0

 
Vitor Montalvão (MSSQL Senior Engineer) Commented:
You only want to encrypt a single column?
And who can see the real values from that column?
0
 
25112 (Author) Commented:
Yes, only one column.
Encrypt and save to disk, then a secure stored proc will use the password to call and decrypt it for the .NET application. Does that sound like a healthy way to do it?
0
 
Vitor Montalvão (MSSQL Senior Engineer) Commented:
The native encryption from SQL Server doesn't work with passwords but with certificates, which means that if you move the database to another server you'll also need to migrate the certificate so the data can be accessible.
If you want to restrict the access to that column for some users only, then you can work with SQL Server permissions or views.
0
 
25112 (Author) Commented:
Vitor,

Right now the thinking is this way:
store it encrypted in the database.
Then in the proc,
call
 1) OPEN MASTER KEY DECRYPTION BY PASSWORD = '1234'
 2) OPEN SYMMETRIC KEY ['SYMMETRIC KEY FOR CERT'] DECRYPTION BY CERTIFICATE CERTIFICATE1
 3) select dbo.function_name(column)

The function_name could be to either encrypt or decrypt. For that, let's say there are two functions.

One of them will do this:
      SELECT CONVERT(VARCHAR(100),DecryptByKey(column))

and the other:
      SELECT EncryptByKey(Key_GUID('SYMMETRIC KEY FOR CERT'), column)

In this approach, I need to encrypt the column before all of this, right?
0
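The pattern discussed in this thread (EncryptByKey on every write, DecryptByKey on every read, both inside stored procedures) looks like this in T-SQL. This is an added example, not code from any of the posters; the table, column, key, certificate and procedure names are hypothetical, the master key password is a placeholder, and it assumes the database master key is also protected by the service master key (the default), so no explicit OPEN MASTER KEY is needed.

```sql
-- One-time setup. All object names are hypothetical; the password is a placeholder.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<Placeholder-Replace-Me-1>';
CREATE CERTIFICATE DemoCert WITH SUBJECT = 'Column encryption demo';
CREATE SYMMETRIC KEY DemoSymKey WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE DemoCert;
GO
CREATE TABLE dbo.DemoAccount (
    AccountId INT IDENTITY(1,1) PRIMARY KEY,
    LoginName NVARCHAR(100) NOT NULL UNIQUE,
    SecretCol VARBINARY(256) NOT NULL      -- holds ciphertext only
);
GO
-- Write path. EXECUTE AS OWNER lets a caller who holds only EXECUTE on the
-- procedure use the key; ownership chaining does not cover OPEN SYMMETRIC KEY.
CREATE PROCEDURE dbo.DemoAccount_Add
    @LoginName NVARCHAR(100), @Secret VARCHAR(100)
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    OPEN SYMMETRIC KEY DemoSymKey DECRYPTION BY CERTIFICATE DemoCert;
    BEGIN TRY
        INSERT INTO dbo.DemoAccount (LoginName, SecretCol)
        VALUES (@LoginName, EncryptByKey(Key_GUID('DemoSymKey'), @Secret));
    END TRY
    BEGIN CATCH
        CLOSE SYMMETRIC KEY DemoSymKey;    -- do not leave the key open on error
        THROW;
    END CATCH
    CLOSE SYMMETRIC KEY DemoSymKey;
END
GO
-- Read path. DecryptByKey returns NULL (no error) if the key is not open, and
-- the CONVERT target must match the type that was encrypted (VARCHAR here).
CREATE PROCEDURE dbo.DemoAccount_Get @LoginName NVARCHAR(100)
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    OPEN SYMMETRIC KEY DemoSymKey DECRYPTION BY CERTIFICATE DemoCert;
    SELECT LoginName,
           CONVERT(VARCHAR(100), DecryptByKey(SecretCol)) AS Secret
    FROM dbo.DemoAccount
    WHERE LoginName = @LoginName;
    CLOSE SYMMETRIC KEY DemoSymKey;
END
GO
```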
Question has a verified solution.
