I just ran the following test and I'm thoroughly confused: symmetric encryption key pass-through behavior
I created a table as follows:
CREATE TABLE [dbo].[enxtest](
[id] [int] NOT NULL,
[cleara] [varchar](50) NULL,
[encrypta] [varbinary](2000) NULL,
[clearb] [varchar](50) NULL,
CONSTRAINT [PK_enxtest] PRIMARY KEY CLUSTERED
(
[id] ASC
)WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY]
) ON [PRIMARY]
GO
I populated it with data like this:
id | cleara | encrypta | clearb
1 | teststring!1 | NULL | NULL
2 | teststring!1 | NULL | NULL
3 | teststring!2 | NULL | NULL
4 | teststring!2 | NULL | NULL
I ran a script that encrypts the contents of cleara one row at a time, using a SQL Server symmetric key and certificate pair like this (only the relevant code, inside a SPROC), and inserts the encrypted value into the encrypta field:
OPEN SYMMETRIC KEY THIS_IS_THE_KEY
DECRYPTION BY CERTIFICATE THIS_IS_THE_CERT
CONVERT(varbinary(2000), EncryptByKey(Key_GUID('THIS_IS_THE_KEY'), cleara), 1)
Then we dropped the database master key, the symmetric key and the certificate, and recreated them, giving them the same names. I ran a script to decrypt the varbinary, similar to the encryption code above, and insert the result into clearb.
This query gives me the following results:
SELECT id, cleara, clearb
FROM enxtest;
id | cleara | encrypta | clearb
1 | teststring!1 | NULL | teststring!1
2 | teststring!1 | NULL | teststring!1
3 | teststring!2 | NULL | teststring!2
4 | teststring!2 | NULL | teststring!2
Questions:
- How is this possible? I expected to get clearb != cleara, but clearb == cleara. I expected that swapping out the key would produce consistently incorrect varchar values.
- Is there a way to restore a backup to another server, keeping the binary data in the table unchanged, and create new keys that reliably decrypt that data into values that are consistent but incorrect (relative to the original cleartext values)?
Edit: this is the full script that we ran in batches.
--Batch 1
declare @e1 varbinary(2000);
declare @c1 varchar(50);
select @c1 = cleara from enxtest where id = 1;
exec dbo.spEncryptString @cleartextString = @c1, @encryptedString = @e1 OUTPUT;
declare @e2 varbinary(2000);
declare @c2 varchar(50);
select @c2 = cleara from enxtest where id = 2;
exec dbo.spEncryptString @cleartextString = @c2, @encryptedString = @e2 OUTPUT;
declare @e3 varbinary(2000);
declare @c3 varchar(50);
select @c3 = cleara from enxtest where id = 3;
exec dbo.spEncryptString @cleartextString = @c3, @encryptedString = @e3 OUTPUT;
declare @e4 varbinary(2000);
declare @c4 varchar(50);
select @c4 = cleara from enxtest where id = 4;
exec dbo.spEncryptString @cleartextString = @c4, @encryptedString = @e4 OUTPUT;
update enxtest
set encrypta = @e1
where id = 1;
update enxtest
set encrypta = @e2
where id = 2;
update enxtest
set encrypta = @e3
where id = 3;
update enxtest
set encrypta = @e4
where id = 4;
/*
--Batch 2
drop symmetric key THIS_IS_THE_KEY;
drop certificate THIS_IS_THE_CERT;
drop master key;
create master key encryption by password = 'somepassword';
create certificate THIS_IS_THE_CERT with subject = 'subject', expiry_date = '20161231';
create symmetric key THIS_IS_THE_KEY with algorithm = AES_256,
key_source = 'source', identity_value = 'identity' encryption by certificate THIS_IS_THE_CERT;
*/
--Batch 3
declare @e1 varbinary(2000);
declare @c1 varchar(50);
select @e1 = encrypta from enxtest where id = 1;
exec dbo.spDecryptString @encryptedString = @e1, @cleartextString = @c1 OUTPUT;
declare @e2 varbinary(2000);
declare @c2 varchar(50);
select @e2 = encrypta from enxtest where id = 2;
exec dbo.spDecryptString @encryptedString = @e2, @cleartextString = @c2 OUTPUT;
declare @e3 varbinary(2000);
declare @c3 varchar(50);
select @e3 = encrypta from enxtest where id = 3;
exec dbo.spDecryptString @encryptedString = @e3, @cleartextString = @c3 OUTPUT;
declare @e4 varbinary(2000);
declare @c4 varchar(50);
select @e4 = encrypta from enxtest where id = 4;
exec dbo.spDecryptString @encryptedString = @e4, @cleartextString = @c4 OUTPUT;
update enxtest
set clearb = @c1
where id = 1;
update enxtest
set clearb = @c2
where id = 2;
update enxtest
set clearb = @c3
where id = 3;
update enxtest
set clearb = @c4
where id = 4;
--Check
select * from enxtest;
This seems odd. Do you have a complete repro script? –
Got it, I'll post an edit in the morning. – saarrrr
@BenThul I've added the full script, which we ran in batches. – saarrrr
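The behaviour in the question follows from batch 2 of the script: a symmetric key created with KEY_SOURCE and IDENTITY_VALUE is derived from those two phrases, so recreating it with the same phrases yields the same key bytes and the same Key_GUID, regardless of the new master key password or certificate. The T-SQL below is an added demonstration, not code from the original post; DemoCert, DemoKey, dbo.KeyDemo and the passwords are placeholder names chosen for the example, and it assumes a scratch database that has no database master key yet.

```sql
-- Phase 1: key derived from KEY_SOURCE / IDENTITY_VALUE, then encrypt one value.
CREATE TABLE dbo.KeyDemo (ct varbinary(2000), key_guid uniqueidentifier);
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Dmk!Placeholder#1';
CREATE CERTIFICATE DemoCert WITH SUBJECT = 'key demo';
CREATE SYMMETRIC KEY DemoKey
    WITH ALGORITHM = AES_256, KEY_SOURCE = 'source', IDENTITY_VALUE = 'identity'
    ENCRYPTION BY CERTIFICATE DemoCert;
OPEN SYMMETRIC KEY DemoKey DECRYPTION BY CERTIFICATE DemoCert;
INSERT INTO dbo.KeyDemo (ct, key_guid)
VALUES (EncryptByKey(Key_GUID('DemoKey'), 'teststring!1'), Key_GUID('DemoKey'));
CLOSE SYMMETRIC KEY DemoKey;
GO

-- Phase 2: drop DMK, certificate and key; recreate with the SAME KEY_SOURCE / IDENTITY_VALUE.
-- The DMK password and certificate only protect the key at rest; the key bytes and the
-- GUID come from the two phrases, so the old ciphertext still decrypts.
DROP SYMMETRIC KEY DemoKey;
DROP CERTIFICATE DemoCert;
DROP MASTER KEY;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Different!Placeholder#2';
CREATE CERTIFICATE DemoCert WITH SUBJECT = 'key demo, recreated';
CREATE SYMMETRIC KEY DemoKey
    WITH ALGORITHM = AES_256, KEY_SOURCE = 'source', IDENTITY_VALUE = 'identity'
    ENCRYPTION BY CERTIFICATE DemoCert;
OPEN SYMMETRIC KEY DemoKey DECRYPTION BY CERTIFICATE DemoCert;
SELECT 'same phrases' AS phase,
       CASE WHEN key_guid = Key_GUID('DemoKey') THEN 'same GUID' ELSE 'new GUID' END AS guid_check,
       CONVERT(varchar(50), DecryptByKey(ct)) AS plaintext   -- teststring!1
FROM dbo.KeyDemo;
CLOSE SYMMETRIC KEY DemoKey;
GO

-- Phase 3: recreate WITHOUT KEY_SOURCE: random key bytes and a new GUID. The ciphertext carries
-- the GUID of the key that produced it, so DecryptByKey finds no matching open key and returns NULL.
DROP SYMMETRIC KEY DemoKey;
CREATE SYMMETRIC KEY DemoKey WITH ALGORITHM = AES_256 ENCRYPTION BY CERTIFICATE DemoCert;
OPEN SYMMETRIC KEY DemoKey DECRYPTION BY CERTIFICATE DemoCert;
SELECT 'random key' AS phase,
       CASE WHEN key_guid = Key_GUID('DemoKey') THEN 'same GUID' ELSE 'new GUID' END AS guid_check,
       CONVERT(varchar(50), DecryptByKey(ct)) AS plaintext   -- NULL, not a garbled string
FROM dbo.KeyDemo;
CLOSE SYMMETRIC KEY DemoKey;
GO

-- Cleanup. Anyone who knows KEY_SOURCE can rebuild the key, so treat that phrase as a secret
-- as sensitive as the key itself and never use a guessable value like 'source'.
DROP TABLE dbo.KeyDemo; DROP SYMMETRIC KEY DemoKey; DROP CERTIFICATE DemoCert; DROP MASTER KEY;
```

Phase 2 is the documented way to make the same key available on another server after a restore, which is why the recreated key in the question decrypts correctly rather than producing different values.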