Tuesday, February 14, 2012

Change Password on Database Master Key

We are implementing PCI (Payment Card Industry) and one thing that is required is that we change our encryption keys once a year or when a key custodian leaves. The only way that I have seen to do that is to decrypt all the encrypted data, drop and recreate the symmetric key, the certificate, and database master key, and then re-encrypt the data.

Is there any way to just change the password on the database master key? I understand that if the actual symmetric keys have been breached, that would not be enough, but for routine maintenance, just changing the password on the database master key would seem to be enough.

I have looked and looked, but have not found anyone else that is doing this type of thing. Maybe I am just not looking in the right places. Can anyone offer some guidance? Thanks!!!

Jim Youmans

You can regenerate the database master keys (DbMK) using the REGENERATE clause of the ALTER statement. This only re-encrypts the keys encrypted by the DbMK, not the entire set of encrypted data. It is also possible to change the password of a master key; you can have in fact multiple password encryptions of a master key, so you can add a new password encryption and drop the old one.

You can also change the certificate encrypting a key - just encrypt the key with a new certificate and then drop the encryption done with the old certificate.

If you actually want to change the key that encrypts the data, then there is no other way than by decrypting the data and re-encrypting it with a new key.

Thanks
Laurentiu
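The rotation steps Laurentiu describes, written out as T-SQL (an added example, not part of the original thread). The database, key and certificate names (PaymentsDB, CardDataKey, CardDataCert2011, CardDataCert2012) and the password placeholders are assumptions.

```sql
-- Added example: rotating the SQL Server key protectors without
-- decrypting the data. All object names and passwords are placeholders.
USE [PaymentsDB];
GO

-- 1. Change the DbMK password. Add the new password encryption first,
--    then drop the old one; both protect the same DbMK, so nothing the
--    DbMK encrypts has to be touched.
OPEN MASTER KEY DECRYPTION BY PASSWORD = '<old-dbmk-password>';
ALTER MASTER KEY ADD ENCRYPTION BY PASSWORD = '<new-dbmk-password>';
ALTER MASTER KEY DROP ENCRYPTION BY PASSWORD = '<old-dbmk-password>';
CLOSE MASTER KEY;
GO

-- 2. Regenerate the DbMK itself. This re-encrypts the certificates and
--    keys protected by the DbMK, not the data encrypted by the symmetric key.
OPEN MASTER KEY DECRYPTION BY PASSWORD = '<new-dbmk-password>';
ALTER MASTER KEY REGENERATE WITH ENCRYPTION BY PASSWORD = '<new-dbmk-password>';
CLOSE MASTER KEY;
GO

-- 3. Swap the certificate protecting the symmetric key: encrypt the key
--    with a new certificate, then drop the encryption by the old one.
--    The key must be open before its encryptions can be altered.
CREATE CERTIFICATE CardDataCert2012
    WITH SUBJECT = 'Card data key protector (rotated)';
OPEN SYMMETRIC KEY CardDataKey DECRYPTION BY CERTIFICATE CardDataCert2011;
ALTER SYMMETRIC KEY CardDataKey ADD ENCRYPTION BY CERTIFICATE CardDataCert2012;
ALTER SYMMETRIC KEY CardDataKey DROP ENCRYPTION BY CERTIFICATE CardDataCert2011;
CLOSE SYMMETRIC KEY CardDataKey;
DROP CERTIFICATE CardDataCert2011;
GO

-- 4. Verify: sys.key_encryptions lists every protector of each symmetric
--    key, so the old certificate's thumbprint should no longer appear.
SELECT k.name, ke.crypt_type_desc, ke.thumbprint
FROM sys.symmetric_keys AS k
JOIN sys.key_encryptions AS ke ON ke.key_id = k.symmetric_key_id;
GO
```

Keep the retired password and certificate only until the rotation is verified; the ciphertext in the tables is unchanged throughout, since only the protectors of the symmetric key were replaced.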


Thank you so much!!!

Jim Youmans
