SQL Server 2005: Comments about cryptographic keys and their encryptions


I want to collect here some basic facts about the encryptions of the various cryptographic keys in SQL Server 2005:


 – a database master key (DbMK) must always have at least one password encryption, but it can have more than one. Also, by default, the DbMK has a second encryption using the service master key (SMK). Encryptions of the DbMK are managed using ALTER MASTER KEY <…> ADD/DROP ENCRYPTION BY <…>.


 – a certificate can have the private key either encrypted by a password or encrypted by the DbMK. A certificate is protected by only one encryption at a time. The encryption method for the private key can be changed using ALTER CERTIFICATE <…> WITH PRIVATE KEY (DECRYPTION BY/ENCRYPTION BY PASSWORD = <…>). For example, if a certificate’s private key is protected by the DbMK and we want to use a password instead, we can use:


   ALTER CERTIFICATE cert_name WITH PRIVATE KEY (ENCRYPTION BY PASSWORD = password)


If we want to switch back to the DbMK encryption, we can issue:


   ALTER CERTIFICATE cert_name WITH PRIVATE KEY (DECRYPTION BY PASSWORD = password)


 – an asymmetric key works like a certificate.


 – a symmetric key can have multiple encryptions by passwords, asymmetric keys, or certificates. The only restriction here is that there must be at least one encryption.


Update (12/07/2005): I omitted to specify that symmetric keys can be encrypted also by other symmetric keys and that they cannot be encrypted using the database master key. 

Comments (2)

  1. saud says:

    can you create multiple symmetric keys with the same encryption

  2. Yes, two distinct symmetric keys can have the same encryption. For example, the same certificate could encrypt two different symmetric keys.