SQL Server Remote Blob Storage (RBS) Credential Store Symmetric Key Rotation

The SQL Server team would like to advise RBS admins on security procedures for rotating the credential store symmetric key. If a provider requires the setup and use of a secret stored within the credential store (see related article), RBS uses this symmetric key to encrypt any provider secrets which a client may request to gain authorization to the provider’s blob store. Currently there are a couple of security challenges: 1) RBS 2014 and prior versions use a credential store which holds secrets encrypted using the TRIPLE_DES symmetric key algorithm which is outdated and not as strong as it should be and 2) There is no recommended way to rotate this symmetric key. It is highly recommended that if you are currently using TRIPLE_DES then you should follow steps in this article to strengthen your key. One may also want to rotate this key if there are security policies in place to periodically rotate keys or if the policy requires certain encryption strength properties (e.g., algorithm or key length) with which the current symmetric key does not adhere.

Note that RBS2016 will no longer use a credential store symmetric key that uses the TRIPLE_DES option. It will instead use AES_128 which addresses the first issue in the paragraph above. It's also worth noting that SQL Server 2016 will not even allow you to create a TRIPLE_DES symmetric key when using compatibility mode 130.

One can determine the RBS credential store symmetric key properties by issuing the following T-SQL query on the RBS database:

 

SELECT * FROM sys.symmetric_keys WHERE name = 'mssqlrbs_encryption_skey';

  

If the output from the above statement shows that TRIPLE_DES is still used, then it is advised to rotate this key.

To rotate the RBS credential store symmetric key, one may use the attached script on the RBS database. Do backup your database prior to key rotation. At the script’s conclusion, it has some verification steps.

If security policies require different key properties (e.g., algorithm or key length) from the ones provided, then the script may be used as a template for modification at one’s own risk. One would need to simply change the key properties in two places: 1) the creation of the temporary key 2) the creation of the permanent key.

The RBS credential store symmetric key rotation script is as follows:

  

IF EXISTS (SELECT * FROM sys.procedures WHERE name = 'sp_rotate_rbs_symmetric_credential_key')

BEGIN

       DROP PROC sp_rotate_rbs_symmetric_credential_key;

END

 

/* This stored procedure will replace the currently used RBS credential store

symmetric key with one of your choosing. One may want to do this if there is

a security policy requiring periodic key rotation or if there are specific

algorithm requirements, for example. In this stored procedure, a symmetric

key using AES_256 will replace the current one. As a result of the symmetric

key replacement, secrets need to be re-encrypted with the new key. This stored

procedure will also re-encrypt the secrets. The database should be backed up

prior to key rotation. */

CREATE PROC sp_rotate_rbs_symmetric_credential_key

AS

BEGIN

BEGIN TRANSACTION;

BEGIN TRY

CLOSE ALL SYMMETRIC KEYS;

 

/* Prove that all secrets can be re-encrypted, by creating a

temporary key (#mssqlrbs_encryption_skey) and create a

temp table (#myTable) to hold the re-encrypted secrets. 

Check to see if all re-encryption worked before moving on.*/

CREATE TABLE #myTable(sql_user_sid VARBINARY(85) NOT NULL,

    blob_store_id SMALLINT NOT NULL,

    credential_name NVARCHAR(256) COLLATE Latin1_General_BIN2 NOT NULL,

    old_secret VARBINARY(MAX), -- holds secrets while existing symmetric key is deleted

    credential_secret VARBINARY(MAX)); -- holds secrets with the new permanent symmetric key

 

/* Create a new temporary symmetric key with which the credential store secrets

can be re-encrypted. These will be used once the existing symmetric key is deleted.*/

CREATE SYMMETRIC KEY #mssqlrbs_encryption_skey 

    WITH ALGORITHM = AES_256 ENCRYPTION BY

    CERTIFICATE [cert_mssqlrbs_encryption];

 

OPEN SYMMETRIC KEY #mssqlrbs_encryption_skey 

    DECRYPTION BY CERTIFICATE [cert_mssqlrbs_encryption];

 

INSERT INTO #myTable

    SELECT cred_store.sql_user_sid, cred_store.blob_store_id, cred_store.credential_name,

    encryptbykey(

        key_guid('#mssqlrbs_encryption_skey'),

        decryptbykeyautocert(cert_id('cert_mssqlrbs_encryption'),

            NULL, cred_store.credential_secret)

        ),

    NULL

    FROM [mssqlrbs_resources].[rbs_internal_blob_store_credentials] AS cred_store;

 

IF( EXISTS(SELECT * FROM #myTable WHERE old_secret IS NULL))

BEGIN

    PRINT 'Abort. Failed to read some values';

    SELECT * FROM #myTable;

    ROLLBACK;

END;

ELSE

BEGIN

/* Re-encryption worked, so go ahead and drop the existing RBS credential store

symmetric key and replace it with a new symmetric key.*/

DROP SYMMETRIC KEY [mssqlrbs_encryption_skey];

 

CREATE SYMMETRIC KEY [mssqlrbs_encryption_skey]

WITH ALGORITHM = AES_256

ENCRYPTION BY CERTIFICATE [cert_mssqlrbs_encryption];

 

OPEN SYMMETRIC KEY [mssqlrbs_encryption_skey]

DECRYPTION BY CERTIFICATE [cert_mssqlrbs_encryption];

 

/*Re-encrypt using the new permanent symmetric key. 

Verify if encryption provided a result*/

UPDATE #myTable

SET [credential_secret] =

    encryptbykey(key_guid('mssqlrbs_encryption_skey'), decryptbykey(old_secret))

 

IF( EXISTS(SELECT * FROM #myTable WHERE credential_secret IS NULL))

BEGIN

    PRINT 'Aborted. Failed to re-encrypt some values'

    SELECT * FROM #myTable

    ROLLBACK

END

ELSE

BEGIN

 

/* Replace the actual RBS credential store secrets with the newly

encrypted secrets stored in the temp table #myTable.*/

SET NOCOUNT ON;

DECLARE @sql_user_sid varbinary(85);

DECLARE @blob_store_id smallint;

DECLARE @credential_name varchar(256);

DECLARE @credential_secret varbinary(256);

DECLARE curSecretValue CURSOR

    FOR SELECT sql_user_sid, blob_store_id, credential_name, credential_secret

FROM #myTable ORDER BY sql_user_sid, blob_store_id, credential_name;

 

OPEN curSecretValue;

FETCH NEXT FROM curSecretValue

    INTO @sql_user_sid, @blob_store_id, @credential_name, @credential_secret

WHILE @@FETCH_STATUS = 0

BEGIN

    UPDATE [mssqlrbs_resources].[rbs_internal_blob_store_credentials]

        SET [credential_secret] = @credential_secret

        FROM [mssqlrbs_resources].[rbs_internal_blob_store_credentials]

        WHERE sql_user_sid = @sql_user_sid AND blob_store_id = @blob_store_id AND

            credential_name = @credential_name

FETCH NEXT FROM curSecretValue

    INTO @sql_user_sid, @blob_store_id, @credential_name, @credential_secret

END

CLOSE curSecretValue

DEALLOCATE curSecretValue

 

DROP TABLE #myTable;

CLOSE ALL SYMMETRIC KEYS;

DROP SYMMETRIC KEY #mssqlrbs_encryption_skey;

 

/* Verify that you can decrypt all encrypted credential store entries using the certificate.*/

IF( EXISTS(SELECT * FROM [mssqlrbs_resources].[rbs_internal_blob_store_credentials]

WHERE decryptbykeyautocert(cert_id('cert_mssqlrbs_encryption'),

    NULL, credential_secret) IS NULL))

BEGIN

    print 'Aborted. Failed to verify key rotation'

    ROLLBACK;

END;

ELSE

    COMMIT;

END;

END;

END TRY

BEGIN CATCH

     PRINT 'Exception caught: ' + cast(ERROR_NUMBER() as nvarchar) + ' ' + ERROR_MESSAGE();

     ROLLBACK

END CATCH

END;

GO

 

/* Rotate the RBS credential store symmetric key, and notice that the secrets

remain the same despite the key rotation. */

SELECT *, decryptbykeyautocert(cert_id('cert_mssqlrbs_encryption'), NULL, credential_secret)

FROM [mssqlrbs_resources].[rbs_internal_blob_store_credentials];

 

EXEC sp_rotate_rbs_symmetric_credential_key;

 

SELECT *, decryptbykeyautocert(cert_id('cert_mssqlrbs_encryption'), NULL, credential_secret)

FROM [mssqlrbs_resources].[rbs_internal_blob_store_credentials];

 

/* See that the RBS credential store symmetric key properties reflect the new changes*/

SELECT * FROM sys.symmetric_keys WHERE name = 'mssqlrbs_encryption_skey';

 

Related Articles: https://blogs.msdn.com/b/sqlrbs/archive/2010/08/05/rbs-security-model.aspx

RBS 2016 Documentation: https://msdn.microsoft.com/en-us/library/gg638709.aspx