Posted by Erland Sommarskog on 12/11/05 12:07
Christopher Browne (cbbrowne@acm.org) writes:
> If risk to be mitigated is that you do not wish to trust the system
> administrators with the data, then you must not give the keys to any
> component that system administrators can control.
>
> That obviously includes the database engine.

In SQL 2005, all keys require a password to open them. The password does
have to be known by the admin staff.

However, since there is no protection against brute-force attacks, an admin
who wants to crack the key can easily do so. Sniffing the passwords sent
over the wire can also be done, although the connection may be encrypted.

Despite these weaknesses, one should write off this sort of encryption
support as entirely useless. First, there is the trivial case that the
person who wants to protect the data is actually the sole admin himself.

But assume the case of a corporate server, and there is data in one
database which is sensitive and you don't want the admin to see, for
instance the column employees.salary. No matter if the column is
encrypted or not, the admin is breaching his instructions if he looks
at that data. But if the column is unencrypted, he may peek at it by
mistake, because he needs to troubleshoot some other problem with that
table. If the column is encrypted, and he does not have the password,
there is no dispute that he is trespassing where he shouldn't, and
if his deeds are revealed, he would be fired on the spot.

--
Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se
Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx
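
The employees.salary scenario from the post above, as an added T-SQL example that is not part of the original message. The table layout, the key name SalaryKey and the passphrase placeholder are assumptions made for illustration.

```sql
-- Added example (SQL Server 2005 syntax). All object names and values are constructed.
CREATE TABLE dbo.employees (
    emp_id     int            NOT NULL PRIMARY KEY,
    name       nvarchar(100)  NOT NULL,
    salary_enc varbinary(128) NULL      -- ciphertext only; no plaintext salary column
);

-- Symmetric key protected by a password held by the data owner.
-- Replace the placeholder with a passphrase that meets the server's password policy.
CREATE SYMMETRIC KEY SalaryKey
    WITH ALGORITHM = TRIPLE_DES
    ENCRYPTION BY PASSWORD = '<data-owner-passphrase>';

-- Data owner's session: the key must be opened before it can be used.
OPEN SYMMETRIC KEY SalaryKey
    DECRYPTION BY PASSWORD = '<data-owner-passphrase>';

INSERT INTO dbo.employees (emp_id, name, salary_enc)
VALUES (1, N'Constructed Employee',
        EncryptByKey(Key_GUID('SalaryKey'), N'52000'));

SELECT emp_id, name,
       CONVERT(nvarchar(16), DecryptByKey(salary_enc)) AS salary
FROM dbo.employees;                     -- salary is readable while the key is open

CLOSE SYMMETRIC KEY SalaryKey;

-- Any session that has not opened the key (for example an admin
-- troubleshooting the table) sees only ciphertext, and DecryptByKey
-- returns NULL instead of the salary.
SELECT emp_id, name,
       salary_enc,
       CONVERT(nvarchar(16), DecryptByKey(salary_enc)) AS salary
FROM dbo.employees;

-- Lists the keys currently open in this session; empty after CLOSE.
SELECT key_name, opened_date FROM sys.openkeys;
```

With the key closed, an accidental SELECT during troubleshooting cannot expose the salary; reading it requires the deliberate step of opening the key with the password.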