SQL Server Encryption via symmetric keys (AES_256)

I was reading about encryption in databases (SQL Server) and stumbled upon an MS article (https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/encrypt-a-column-of-data?view=sql-server-2017).

In the article, they create a master key, then create a certificate using the AES_256 algorithm, and then encrypt/decrypt the data via the certificate created above.

But as long as the key and the certificate both live on the same database server, anyone who can access that server can decrypt the data at any time. So where is the security? I may not be understanding it correctly, so I am posting it here to get the right idea about using encryption on the database side and protecting the keys.

I followed the queries below.

-- Create a database master key, protected by a password.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<some strong password>';
GO

-- Create a certificate; it will protect the symmetric key.
CREATE CERTIFICATE Sales09
   WITH SUBJECT = 'Customer Credit Card Numbers';
GO

-- Create an AES_256 symmetric key, encrypted by the certificate.
CREATE SYMMETRIC KEY CreditCards_Key11
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE Sales09;
GO

-- Create a column in which to store the encrypted data.  
ALTER TABLE Sales.CreditCard   
    ADD CardNumber_Encrypted varbinary(128);   
GO  

-- Open the symmetric key with which to encrypt the data.  
OPEN SYMMETRIC KEY CreditCards_Key11  
   DECRYPTION BY CERTIFICATE Sales09;  

-- Encrypt the value in column CardNumber using the  
-- symmetric key CreditCards_Key11.  
-- Save the result in column CardNumber_Encrypted.    
UPDATE Sales.CreditCard  
SET CardNumber_Encrypted = EncryptByKey(Key_GUID('CreditCards_Key11')  
    , CardNumber, 1, HashBytes('SHA1', CONVERT( varbinary  
    , CreditCardID)));  
GO  

-- Verify the encryption.  
-- First, open the symmetric key with which to decrypt the data.  

OPEN SYMMETRIC KEY CreditCards_Key11  
   DECRYPTION BY CERTIFICATE Sales09;  
GO  

-- Now list the original card number, the encrypted card number,  
-- and the decrypted ciphertext. If the decryption worked,  
-- the original number will match the decrypted number.  

SELECT CardNumber, CardNumber_Encrypted   
    AS 'Encrypted card number', CONVERT(nvarchar,  
    DecryptByKey(CardNumber_Encrypted, 1 ,   
    HashBytes('SHA1', CONVERT(varbinary, CreditCardID))))  
    AS 'Decrypted card number' FROM Sales.CreditCard;  
GO  
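The concern in the question is that the key hierarchy above (password -> database master key -> certificate -> AES_256 key) unlocks itself for anyone who can connect with the right permissions, because CREATE MASTER KEY also stores a copy of the DMK encrypted by the server's service master key. The script below is an added example (not from the question or the Microsoft article): it keeps the same objects but drops that service-master-key copy, so every session has to present the DMK password before the certificate and key can be opened, and it shows the checks you would run to confirm that. The database name `SalesDemoDb`, the table `dbo.CreditCardDemo`, the sample card number and the `<dmk password ...>` placeholder are all constructed for this demo.

```sql
-- Added example: same hierarchy as the question, without the automatic unlock path.
-- Database name, demo table, sample row and password placeholder are constructed.

USE SalesDemoDb;   -- assumed database name
GO

-- 1. Create the DMK, then drop the service-master-key encryption that
--    CREATE MASTER KEY adds by default. Afterwards the DMK opens only with
--    the password, which is kept outside the database (application config
--    or a secrets manager), never in a stored procedure or Agent job step.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<dmk password kept outside the DB>';
OPEN MASTER KEY DECRYPTION BY PASSWORD = '<dmk password kept outside the DB>';
ALTER MASTER KEY DROP ENCRYPTION BY SERVICE MASTER KEY;
CLOSE MASTER KEY;
GO

-- Check: is_master_key_encrypted_by_server = 0 means no SMK copy exists,
-- so the engine cannot open the DMK on its own.
SELECT name, is_master_key_encrypted_by_server
FROM sys.databases
WHERE name = DB_NAME();
GO

-- 2. Same certificate and key as in the question, created while the DMK
--    is explicitly open, then closed again.
OPEN MASTER KEY DECRYPTION BY PASSWORD = '<dmk password kept outside the DB>';
CREATE CERTIFICATE Sales09 WITH SUBJECT = 'Customer Credit Card Numbers';
CREATE SYMMETRIC KEY CreditCards_Key11
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE Sales09;
CLOSE MASTER KEY;
GO

-- Check the chain: the key should be protected by the certificate only
-- (crypt_type_desc = ENCRYPTION BY CERTIFICATE), with no extra password copy.
SELECT k.name, e.crypt_type_desc
FROM sys.symmetric_keys AS k
JOIN sys.key_encryptions AS e ON e.key_id = k.symmetric_key_id
WHERE k.name = 'CreditCards_Key11';
GO

-- 3. Constructed demo table and row. The column is wider than the question's
--    varbinary(128) because the authenticator hash is part of the payload.
CREATE TABLE dbo.CreditCardDemo (
    CreditCardID         int            NOT NULL PRIMARY KEY,
    CardNumber           nvarchar(25)   NULL,
    CardNumber_Encrypted varbinary(256) NULL
);
INSERT INTO dbo.CreditCardDemo (CreditCardID, CardNumber)
VALUES (1, N'4111111111111111');   -- constructed test value
GO

-- 4. Application session: open DMK -> certificate -> key, encrypt, close.
--    The authenticator binds each ciphertext to its row id, so a ciphertext
--    copied into another row does not decrypt under that row's CreditCardID.
OPEN MASTER KEY DECRYPTION BY PASSWORD = '<dmk password kept outside the DB>';
OPEN SYMMETRIC KEY CreditCards_Key11 DECRYPTION BY CERTIFICATE Sales09;

UPDATE dbo.CreditCardDemo
SET CardNumber_Encrypted = EncryptByKey(Key_GUID('CreditCards_Key11'),
        CardNumber, 1, HashBytes('SHA2_256', CONVERT(varbinary(4), CreditCardID)));

SELECT CreditCardID,
       CONVERT(nvarchar(25), DecryptByKey(CardNumber_Encrypted, 1,
           HashBytes('SHA2_256', CONVERT(varbinary(4), CreditCardID)))) AS Decrypted
FROM dbo.CreditCardDemo;

CLOSE SYMMETRIC KEY CreditCards_Key11;
CLOSE MASTER KEY;
GO

-- 5. The same query with the keys closed: DecryptByKey returns NULL instead
--    of raising an error, so a login with SELECT rights but no DMK password
--    gets nothing. sys.openkeys lists the keys open in the current session.
SELECT CreditCardID,
       CONVERT(nvarchar(25), DecryptByKey(CardNumber_Encrypted, 1,
           HashBytes('SHA2_256', CONVERT(varbinary(4), CreditCardID)))) AS Decrypted
FROM dbo.CreditCardDemo;
SELECT key_name, opened_date FROM sys.openkeys;
GO
```

What this changes is the threat model, not the cryptography: with no service-master-key copy of the DMK, a backup of the database, a stolen data file, or a login that merely has CONTROL on the certificate yields only ciphertext. It does not protect against an administrator who can read the application's password store or attach to a session while the key is open, because the decryption still happens inside the engine. That residual gap is exactly what the Always Encrypted article linked in the answer addresses, by keeping the column keys on the client so the server never sees plaintext or key material.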

After discussing with Microsoft staff, I got the following article, which meets my needs: https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-2017#how-it-works

Reference: https://github.com/MicrosoftDocs/sql-docs/issues/2673