SQL2012数据库加密方法

USE master; GO -- 创建3个登陆账号 CREATE LOGIN User1 WITH password = '1', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF; CREATE LOGIN User2 WITH password = '2', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF; CREATE LOGIN User3 WITH password = '3', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF; GO CREATE DATABASE EncryptionDB; GO USE EncryptionDB; GO --创建登陆账号 CREATE USER User1 FOR LOGIN User1; CREATE USER User2 FOR LOGIN User2; CREATE USER User3 FOR LOGIN User3; GO -- 服务主密钥 USE master; GO -- 备份服务主密钥，将存储在安全的位置,该文件被加密的使用提供的密码作为密钥 BACKUP SERVICE MASTER KEY TO FILE = 'D:Dataservicemasterkey.dat' ENCRYPTION BY PASSWORD = 'SQL@2014'; --还原服务主密钥。（这是可以立即履行，由于SQL Server 会看到钥匙是相同的其实不会重新对数据进行加密。） RESTORE SERVICE MASTER KEY FROM FILE = 'd:Dataservicemasterkey.dat' DECRYPTION BY PASSWORD = 'SQL@2014'; -- 另外可使用 FORCE 选项,重新生成服务主密钥。要谨慎 !对用旧 SMK 加密的所有密钥进行都解密，然后对它们进行加密用新的密钥，这可需要大量的处理时间。不履行，除非你肯定你想要重新生成密钥. ALTER SERVICE MASTER KEY REGENERATE; -- 如果主密钥没法再生进程将检索失败，或是没法解密它加密的所有密钥。FORCE 选项强迫再生，即便数据将会丢失。 ALTER SERVICE MASTER KEY FORCE REGENERATE; -- 创建数据库主密钥 USE EncryptionDB; GO -- 数据库没有1把万能钥匙，默许情况下，所以您必须创建它,你可使用它之前： CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'DB@SQL2012'; -- 如果数据库掌握关键未使用服务主密钥，加密你必须在使用它之前将其打开： OPEN MASTER KEY DECRYPTION BY PASSWORD = 'DB@SQL2012'; --但通常这不是必要的除非您删除的加密服务主密钥 （如果它是打开，这关闭键）： ALTER MASTER KEY DROP ENCRYPTION BY SERVICE MASTER KEY; -- 可以添加服务主密钥加密： ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY; /* -- 这很有用，当将数据库移动到另外一个服务器。删除加密,之前分离，并将其添加回新的服务器上。 -- 你也能够顺便您用来创建它的密码的加密： ALTER MASTER KEY DROP ENCRYPTION BY PASSWORD = 'DB@SQL2012'; -- (如果将失败的关键是开放的由于它是如果您履行了前面的代码作为它会出现在此文件中的脚本。），然后你可以将其添加回与新的或旧的密码 ALTER MASTER KEY ADD ENCRYPTION BY PASSWORD = 'DB@SQL2012'; -- 如果已存储了密钥，要末 drop 语句将会失败。 */ -- 如果您显式打开数据库主密钥，您必须先关闭它当你完成它： CLOSE MASTER KEY; -- 数据库主密钥像服务主密钥，可以转储，并从文件中加载密钥。履行此操作之前，必须打开密钥。 BACKUP MASTER KEY TO FILE = 'd:DataEncryptionDBMasterKey.dat' ENCRYPTION BY PASSWORD = 'DB@SQL2012bak'; GO --还原数据库主密钥 RESTORE MASTER KEY FROM FILE = 'd:DataEncryptionDBMasterKey.dat' DECRYPTION BY PASSWORD = 'DB@SQL2012bak' ENCRYPTION BY PASSWORD = 'DB@SQL2012'; -- 如果您正在加载的关键是在先声明不会做任何事与现有的主机密钥相同。可使用 FORCE 选项，和如果不需要密钥, 删除它时. --DROP MASTER KEY; -- 如果主密钥保护数据库中的任何私有密钥将失败 CREATE TABLE Customer2 ( CustId int, Name nvarchar(30), City varchar(20), CreditCardType varbinary(1000) ) GO -- 授权 GRANT SELECT,INSERT on Customer2 to User1; GRANT SELECT,INSERT on Customer2 to User2; GRANT SELECT,INSERT on Customer2 to User3; GO -- 1、证书加密 -- 创建与 User1，加密与数据库相干联的证书主密钥。数据库主密钥必须已存在。请注意，你没必要显式打开主密钥，由于它加密的服务主密钥。 CREATE CERTIFICATE User1Certificate AUTHORIZATION User1 WITH subject = 'Certificate For User1'; GO -- 授权条款是可选的。给 User1 的所有权。另外可使用给予控制可使用它。 -- 为User2创建证书 CREATE CERTIFICATE User2Certificate AUTHORIZATION User2 ENCRYPTION BY PASSWORD = 'User2Password' WITH subject = 'Certificate For User2', EXPIRY_DATE = '12/31/2020'; GO --删除User2Certificate DROP CERTIFICATE User2Certificate -- 备份证书User1Certificate BACKUP CERTIFICATE User1Certificate TO FILE = 'd:DatamyCert.dat' WITH PRIVATE KEY (FILE = 'd:DatamyCertPrivateKey', ENCRYPTION BY PASSWORD = 'User1CertificatePassword'); /* -- 您也能够从文件加载证书。通常，这将是1个证书,来自受信任的证书颁发机构。 CREATE CERTIFICATE MyCertificate FROM FILE = 'd:DatamyCert.dat' WITH PRIVATE KEY (FILE = 'd:DatamyCertPrivateKey', DECRYPTION BY PASSWORD = 'User1CertificatePassword'); -- 创建证书的声明，1次只能存在于数据库。 --CREATE CERTIFICATE MyEXEcertificate FROM EXECUTABLE FILE = 'Z:SomeFile.exe' --CREATE CERTIFICATE MyNETcertificate FROM ASSEMBLY myLoadedAssembly -- 删除证书 DROP CERTIFICATE MyCertificate; */ -- 使用证书来加密数据 INSERT INTO Customer2 VALUES (1, 'Roy Wu', 'GZ', EncryptByCert(Cert_ID('User1Certificate'), 'Visa')); GO -- 查看数据。请注意 enctypted 数据的长度,其中包括签名 SELECT * FROM Customer2; /* CustId Name City CreditCardType 1 Roy Wu GZ 0xB5B4C36DD479BE908577A93D82235EE2FC23F9A5B4AF1D8FF3E91BD848AC3DD04285CCC5E93DF6E2C49840FAB74DAD913685F4B54EA89CB888B314192C9EA2643A244BD6540C18F6103258CB3BC0014BAE121572248BE725B44FB5543CEF6D732DDE950DC9435D35C4D1AD9522F20EBFAA5070C51F7BC8521FB167F68FE8D451 */ -- 解密数据 SELECT CustID, Name, City, CONVERT(VARCHAR, DecryptByCert(Cert_ID('User1Certificate'),CreditCardType)) AS CreditCardType FROM Customer2; /* CustID Name City CreditCardType 1 Roy Wu GZ Visa */ -- 不需要使用1个表来对数据进行加密时中，用法。 DECLARE @CipherText VARBINARY(500); SET @CipherText = EncryptByCert(Cert_ID('User1Certificate'), 'Secret text'); PRINT CONVERT(VARCHAR, DecryptByCert(Cert_ID('User1Certificate'),@CipherText)) ; -- 2、非对称密钥 -- 用私钥受用户-创建非对称密钥对提供的密码。 CREATE ASYMMETRIC KEY User1AsymmetricKey AUTHORIZATION User1 WITH ALGORITHM = RSA_2048 ENCRYPTION BY PASSWORD = 'User1Password1'; -- 创建另外一个数据库主密钥的保护 CREATE ASYMMETRIC KEY User2AsymmetricKey AUTHORIZATION User2 WITH ALGORITHM = RSA_2048; -- 创建由 dbo 具有的另外一种。 CREATE ASYMMETRIC KEY DBOAsymmetricKey WITH ALGORITHM = RSA_2048; INSERT INTO Customer2 VALUES (2, 'Roy_User1', 'ZG', EncryptByAsymKey(AsymKey_ID('User1AsymmetricKey'), 'MasterCard')); GO INSERT INTO Customer2 VALUES (3, 'Roy_User2', 'ZG', EncryptByAsymKey(AsymKey_ID('User2AsymmetricKey'), 'Discover')); GO -- 查看数据 SELECT * FROM Customer2 WHERE CustID > 1; /* CustId Name City CreditCardType 2 Roy_User1 ZG 0x84A8C3CDE2C46E45D770CAD909A68E9B566B6D8176D4BE7C582DCD6AF9CB15C2EF0DB3F3B13323BF69B63AE8FC864FC9DA91138DDB12AEFD4680AA5791C6F745421A4011ECA5B34B4A1AA5EB61A0BBEAA918E5EAD76A2A13E63D121DCE230F9722A036503A2D781FA9DBEA6502524437E9A62DD94C1557A97704F629687B3B1B6C061A6883D6CC87DBC84C47ADCBBB4D7B3E2BA3A20C86BC28479B93981515FCBF602A360BFDF24227A1C99CC30F3D9D88C7D42E4565DF0C098307F82469E9F17942E4EE73753E132E26F64362D4228C77FF4B1F72FA522A2318AA02AB7E1E0432BFC84F01914E244664E8FDB837056ED261E74063D85F1E4AA44C65AED99214 3 Roy_User2 ZG 0xED893EBAD6790543E6196E248853EEA0C600E7C49625857F20862F44FDCB8460E13A3A7575173A93250E72006EA6551C551FB92D0014F8FCD845BBABCCAE55CB344415169B96C80BAB7B127FDCD8E056DED2B26366AD4E6DA27F993C84C90EE37AC16CB95636DA776818ECE01EE531CD2A927EA8816167F52A40C0D7396CE46C0BBBD28226D543F0B55D3120B4BA693220D08065C9BBF3E8918016E0774DF32FC3044697E111EB1B3FDAF11B03F8CFFF23C53339E8D920781361B679759CA5C168E8D5DCAB94025F25162268259C18FC2FA4DC541A25757708C61928E0E535BDDF80A3068A483EC1C5F4F772E2F442672A7979481F9A60ED5DAF849CC9A07D9A */ -- CustID=2查看已解密的数据。必须通过在用于保护私钥的密码。 SELECT CustID, Name, City, CONVERT(VARCHAR, DecryptByAsymKey(AsymKey_ID('User1AsymmetricKey'), CreditCardType, N'User1Password1')) AS CreditCardType FROM Customer2 WHERE CustID = 2; /* CustID Name City CreditCardType 2 Roy_User1 ZG MasterCard */ -- CustID=3查看已解密的数据 SELECT CustID, Name, City, CONVERT(VARCHAR, DecryptByAsymKey(AsymKey_ID('User2AsymmetricKey'), CreditCardType)) AS CreditCardType FROM Customer2 WHERE CustID = 3; -- 试图查看解密后的数据，但 custid=3 错了钥匙。返回用于加密数据的空值。 SELECT CustID, Name, City, CONVERT(VARCHAR, DecryptByAsymKey(AsymKey_ID('User1AsymmetricKey'), CreditCardType)) AS CreditCardType FROM Customer2 WHERE CustID = 3; /* CustID Name City CreditCardType 3 Roy_User2 ZG NULL */ -- 切换登陆用户User3 EXECUTE AS LOGIN = 'User3'; GO SELECT CustID, Name, City, CONVERT(VARCHAR, DecryptByAsymKey(AsymKey_ID('User2AsymmetricKey'), CreditCardType)) AS CreditCardType FROM Customer2 WHERE CustID = 3; /* CustID Name City CreditCardType 3 Roy_User2 ZG NULL */ GO --将履行上下文切换回最后1个 EXECUTE AS 语句的调用方 REVERT; -- 函数: ASYMKEYPROPERTY，返回非对称密钥的属性。 SELECT ASYMKEYPROPERTY(AsymKey_ID('User2AsymmetricKey'), 'algorithm_desc') AS [Algorithm], ASYMKEYPROPERTY(AsymKey_ID('User2AsymmetricKey'), 'string_sid') AS StringSID, ASYMKEYPROPERTY(AsymKey_ID('User2AsymmetricKey'), 'sid') AS SID ; GO -- 算法描写只是可供扩大密钥管理密钥 -- 3、对称密钥 -- 创建1个密钥使用TRIPLE_DES受证书并将它与 User1 关联 CREATE SYMMETRIC KEY User1SymmetricKeyCert AUTHORIZATION User1 WITH ALGORITHM = TRIPLE_DES ENCRYPTION BY CERTIFICATE User1Certificate; -- 可选 IDENTITY_VALUE 生成1个 GUID 来标记数据加密密钥，让您匹配数据的关键 -- 创建使用了密码保护的TRIPLE_DES密钥并将其与User2关联 CREATE SYMMETRIC KEY User2SymmetricKeyPwd AUTHORIZATION User2 WITH ALGORITHM = TRIPLE_DES ENCRYPTION BY PASSWORD = 'User2SymmetricKeyPwd'; -- 创建1个密钥使用 TRIPLE_DES 密钥的非对称密钥并由 dbo 具有 CREATE SYMMETRIC KEY GenericSymmetricKeyAsym WITH ALGORITHM = TRIPLE_DES ENCRYPTION BY ASYMMETRIC KEY User2AsymmetricKey; -- 创建1个密钥使用 DESX 受另外一个对称密钥并由 dbo 具有 OPEN SYMMETRIC KEY User1SymmetricKeyCert DECRYPTION BY CERTIFICATE User1Certificate; CREATE SYMMETRIC KEY GenericSymmetricKeySym WITH ALGORITHM = DESX ENCRYPTION BY SYMMETRIC KEY User1SymmetricKeyCert; CLOSE SYMMETRIC KEY User1SymmetricKeyCert; -- 列出数据库中的对称密钥 SELECT * FROM sys.symmetric_keys; -- 列表(此目录视图可返回当前对话中打开的加密密钥的有关信息。) SELECT * FROM sys.openkeys; -- 插入数据，使用各种非对称密钥。如果不对称密钥,打开的没有毛病和没有插入的数据。 OPEN SYMMETRIC KEY User1SymmetricKeyCert DECRYPTION BY CERTIFICATE User1Certificate; INSERT INTO Customer2 VALUES (4, 'Roy_User4', 'GZ', EncryptByKey(Key_GUID('User1SymmetricKeyCert'), 'Amex')); CLOSE SYMMETRIC KEY User1SymmetricKeyCert; -- 可选的验证参数作为盐。必须使用相同的身份验证器来加密和解密。保护全部值替换攻击。 OPEN SYMMETRIC KEY User2SymmetricKeyPwd DECRYPTION BY PASSWORD = 'User2SymmetricKeyPwd'; INSERT INTO Customer2 VALUES (5, 'Roy_User5', 'GZ', EncryptByKey(Key_GUID('User2SymmetricKeyPwd'), 'Visa')); CLOSE SYMMETRIC KEY User2SymmetricKeyPwd; OPEN SYMMETRIC KEY GenericSymmetricKeyAsym DECRYPTION BY ASYMMETRIC KEY User2AsymmetricKey; INSERT INTO Customer2 VALUES (6, 'Roy_User6', 'GZ', EncryptByKey(Key_GUID('GenericSymmetricKeyAsym'), 'Optima')); CLOSE SYMMETRIC KEY GenericSymmetricKeyAsym; OPEN SYMMETRIC KEY User1SymmetricKeyCert DECRYPTION BY CERTIFICATE User1Certificate; OPEN SYMMETRIC KEY GenericSymmetricKeySym DECRYPTION BY SYMMETRIC KEY User1SymmetricKeyCert; INSERT INTO Customer2 VALUES (7, 'Roy_User7', 'GZ', EncryptByKey(Key_GUID('GenericSymmetricKeySym'), 'Wal-Mart')); CLOSE SYMMETRIC KEY GenericSymmetricKeySym; CLOSE SYMMETRIC KEY User1SymmetricKeyCert; -- 查看CustID>=4数扰 SELECT * FROM Customer2 WHERE CustID >= 4; /* 4 Roy_User4 GZ 0x003FDE0600B08541922D500213AE5E4501000000DE3B49C60040D6634118C754D7AC7291FC3C40C081DF90B1 5 Roy_User5 GZ 0x00ECC30427979944B6FAFAC9A00FB69D01000000893D664F157C21FF293F15C21C5696973AE687B993081CDE 6 Roy_User6 GZ 0x002B1FA92A111D4D9571BA68B05503B6010000005336FDD3DD1E33BDE404B32893A0850BEFD01A8ABE6527EA 7 Roy_User7 GZ 0x008772F0C5181F428D82A52CE7ED05BB010000008301BD1387E1D6D5BC80F0EE8F9868EC7C01EF8A743BCE96D0A5E8741C91866D */ -- 查看的数据。请注意，您没必要指定用来解密数据，即便多个对称密钥可以打开的键。 OPEN SYMMETRIC KEY User1SymmetricKeyCert DECRYPTION BY CERTIFICATE User1Certificate; SELECT CustID, Name, City, CONVERT(VARCHAR, DecryptByKey(CreditCardType)) AS CreditCardType FROM Customer2 WHERE CustID = 4; CLOSE SYMMETRIC KEY User1SymmetricKeyCert; /* CustID Name City CreditCardType 4 Roy_User4 GZ Amex */ OPEN SYMMETRIC KEY User2SymmetricKeyPwd DECRYPTION BY PASSWORD = 'User2SymmetricKeyPwd'; SELECT CustID, Name, City, CONVERT(VARCHAR, DecryptByKey(CreditCardType)) AS CreditCardType FROM Customer2 WHERE CustID = 5; CLOSE SYMMETRIC KEY User2SymmetricKeyPwd; /* CustID Name City CreditCardType 5 Roy_User5 GZ Visa */ OPEN SYMMETRIC KEY GenericSymmetricKeyAsym DECRYPTION BY ASYMMETRIC KEY User2AsymmetricKey; SELECT CustID, Name, City, CONVERT(VARCHAR, DecryptByKey(CreditCardType)) AS CreditCardType FROM Customer2 WHERE CustID = 6; CLOSE SYMMETRIC KEY GenericSymmetricKeyAsym; /* CustID Name City CreditCardType 6 Roy_User6 GZ Optima */ OPEN SYMMETRIC KEY User1SymmetricKeyCert DECRYPTION BY CERTIFICATE User1Certificate; OPEN SYMMETRIC KEY GenericSymmetricKeySym DECRYPTION BY SYMMETRIC KEY User1SymmetricKeyCert; SELECT CustID, Name, City, CONVERT(VARCHAR, DecryptByKey(CreditCardType)) AS CreditCardType FROM Customer2 WHERE CustID = 7; CLOSE SYMMETRIC KEY GenericSymmetricKeySym; CLOSE SYMMETRIC KEY User1SymmetricKeyCert; /* CustID Name City CreditCardType 7 Roy_User7 GZ Wal-Mart */ -- 查看表数据 SELECT * FROM Customer2; /* 1 Roy Wu GZ 0xB5B4C36DD479BE908577A93D82235EE2FC23F9A5B4AF1D8FF3E91BD848AC3DD04285CCC5E93DF6E2C49840FAB74DAD913685F4B54EA89CB888B314192C9EA2643A244BD6540C18F6103258CB3BC0014BAE121572248BE725B44FB5543CEF6D732DDE950DC9435D35C4D1AD9522F20EBFAA5070C51F7BC8521FB167F68FE8D451 2 Roy_User1 ZG 0x84A8C3CDE2C46E45D770CAD909A68E9B566B6D8176D4BE7C582DCD6AF9CB15C2EF0DB3F3B13323BF69B63AE8FC864FC9DA91138DDB12AEFD4680AA5791C6F745421A4011ECA5B34B4A1AA5EB61A0BBEAA918E5EAD76A2A13E63D121DCE230F9722A036503A2D781FA9DBEA6502524437E9A62DD94C1557A97704F629687B3B1B6C061A6883D6CC87DBC84C47ADCBBB4D7B3E2BA3A20C86BC28479B93981515FCBF602A360BFDF24227A1C99CC30F3D9D88C7D42E4565DF0C098307F82469E9F17942E4EE73753E132E26F64362D4228C77FF4B1F72FA522A2318AA02AB7E1E0432BFC84F01914E244664E8FDB837056ED261E74063D85F1E4AA44C65AED99214 3 Roy_User2 ZG 0xED893EBAD6790543E6196E248853EEA0C600E7C49625857F20862F44FDCB8460E13A3A7575173A93250E72006EA6551C551FB92D0014F8FCD845BBABCCAE55CB344415169B96C80BAB7B127FDCD8E056DED2B26366AD4E6DA27F993C84C90EE37AC16CB95636DA776818ECE01EE531CD2A927EA8816167F52A40C0D7396CE46C0BBBD28226D543F0B55D3120B4BA693220D08065C9BBF3E8918016E0774DF32FC3044697E111EB1B3FDAF11B03F8CFFF23C53339E8D920781361B679759CA5C168E8D5DCAB94025F25162268259C18FC2FA4DC541A25757708C61928E0E535BDDF80A3068A483EC1C5F4F772E2F442672A7979481F9A60ED5DAF849CC9A07D9A 4 Roy_User4 GZ 0x003FDE0600B08541922D500213AE5E4501000000DE3B49C60040D6634118C754D7AC7291FC3C40C081DF90B1 5 Roy_User5 GZ 0x00ECC30427979944B6FAFAC9A00FB69D01000000893D664F157C21FF293F15C21C5696973AE687B993081CDE 6 Roy_User6 GZ 0x002B1FA92A111D4D9571BA68B05503B6010000005336FDD3DD1E33BDE404B32893A0850BEFD01A8ABE6527EA 7 Roy_User7 GZ 0x008772F0C5181F428D82A52CE7ED05BB010000008301BD1387E1D6D5BC80F0EE8F9868EC7C01EF8A743BCE96D0A5E8741C91866D */ /*联机查看函数：EncryptByKey 用法( key_GUID , { 'cleartext' | @cleartext } [, { add_authenticator | @add_authenticator } , { authenticator | @authenticator } ] ) */ -- 打开对称密钥有本钱。所以你可以测试是不是为（运行与无打开关键语句） 的关键是开放： OPEN SYMMETRIC KEY User1SymmetricKeyCert DECRYPTION BY CERTIFICATE User1Certificate; IF NOT EXISTS( SELECT 1 FROM sys.openkeys WHERE key_name = 'User1SymmetricKeyCert' AND database_name = db_Name() ) PRINT 'Key is not open' ELSE PRINT 'Key is open'; GO CLOSE SYMMETRIC KEY User1SymmetricKeyCert; -- 如果密钥是由证书或非对称密钥的 protectedy，可使用 DecryptByKeyAutoCert 或 DecryptByKeyAutoAsymKey 作为1个快捷方式。只是如有必要，请打开对称密钥。另外到 SQL Server 2005 后初始版本 -- 证书: SELECT CustID, Name, City, CONVERT(VARCHAR, DecryptByKeyAutoCert(cert_id('User1Certificate'), NULL, CreditCardType)) AS CreditCardType FROM Customer2 WHERE CustID = 4; -- 非对称密钥: SELECT CustID, Name, City, CONVERT(VARCHAR, DecryptByKeyAutoAsymKey(AsymKey_ID('User2AsymmetricKey'), NULL, CreditCardType)) AS CreditCardType FROM Customer2 WHERE CustID = 6; --函数: SYMKEYPROPERTY -- 检查的关键属性，但只为 EKM 键 SELECT SYMKEYPROPERTY(Key_ID('GenericSymmetricKeySym'), 'algorithm_desc') AS Algorithm, SYMKEYPROPERTY(Key_ID('GenericSymmetricKeySym'), 'string_sid') AS String_SID, SYMKEYPROPERTY(Key_ID('GenericSymmetricKeySym'), 'sid') AS SID; GO -- New T-SQL function: KEY_NAME -- Return name of key from GUID or cipher text SELECT KEY_NAME(Key_GUID('User1SymmetricKeyCert')); SELECT KEY_NAME(CreditCardType) FROM Customer2 WHERE CustId = 6; -- 删除测试登陆账号 DROP LOGIN User1; DROP LOGIN User2; DROP LOGIN User3; USE master; GO DROP DATABASE EncryptionDB;