创建对称密钥的证书或密码 [英] Certificate or Password in creating symmetric key

问题描述

我想加密生产中表格的一列。为此，我有如下脚本。但我很困惑，如果我应该使用证书来加密对称密钥或密码。证书将需要一些维护它的成本。





CREATE SYMMETRIC KEY XYZConfigTableKey

WITH ALGORITHM = TRIPLE_DES，

KEY_SOURCE ='ConfigValtricKey'，

IDENTITY_VALUE ='ConfiSymmetricKey'

证书加密MWSEncryptCertificate





OR





CREATE SYMMETRIC KEY XYZConfigTableKey

WITH ALGORITHM = TRIPLE_DES，
KEY_SOURCE ='ConfigValtricKey'，

IDENTITY_VALUE ='ConfiSymmetricKey'

通过PASSWORD加密='xysjj'

I want to encrypt a column of a table in production. For that I have the script as below.But I am confused if I should use certificate to encrypt the symmetric key or a Password.As certificate will involve some cost in maintaining it.


CREATE SYMMETRIC KEY XYZConfigTableKey
WITH ALGORITHM = TRIPLE_DES ,
KEY_SOURCE = 'ConfigValtricKey',
IDENTITY_VALUE = 'ConfiSymmetricKey'
ENCRYPTION BY CERTIFICATE MWSEncryptCertificate


OR


CREATE SYMMETRIC KEY XYZConfigTableKey
WITH ALGORITHM = TRIPLE_DES ,
KEY_SOURCE = 'ConfigValtricKey',
IDENTITY_VALUE = 'ConfiSymmetricKey'
ENCRYPTION BY PASSWORD ='xysjj'

推荐答案

从根本上说，它们都是相同的 - 要访问数据，您需要密码或附加到证书的私钥（取决于您选择的选项）



可以认为证书私钥更难以分享 - 你可以标记私钥不可出口


证书，本身并不比维护密码贵，IFF你不关心认证链（我猜你提到成本与得到反对签名的东西有关） thawte / verisign等？）



您可以在Windows服务器下启动证书颁发机构，创建您自己的根证书并按需颁发客户端证书 - 最终用户将需要在受信任的根容器中安装根证书的副本 - 或者您可以使用自签名证书



证书是关于识别和签名/加密的东西 - 证书 - 连锁店都相信一个你以前从未见过的证书持有人身份，因为它已经被你信任的人证明了

they're both, fundamentally, the same - to access the data, you either need the password, or the private key attached to the cert (depending which option you choose)

it could be argued that the cert private key is more 'troublesome' to share around - you could mark the private key non-exportable

certificates, per-se, aren't more expensive than passwords to maintain, IFF you don't care about the certification chain (i'm guessing your mention of cost is to do with getting something counter-signed by thawte/verisign etc.?)

you can spin up a Certification Authority under windows server, create your own root cert and issues client certs on demand - the end user would need a copy of your root cert installed in their Trusted Root container - or you can use self-signed certs

Certs are about identification & signing/encrypting stuff - cert-chains are about believing a cert holders identity you've never seen before because it's been proven by someone you trust

这篇关于创建对称密钥的证书或密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！