0
我刚刚运行以下测试,我深感困惑:对称加密密钥通过行为
我创建了一个表,如下所示:
CREATE TABLE [dbo].[enxtest](
[id] [int] NOT NULL,
[cleara] [varchar](50) NULL,
[encrypta] [varbinary](2000) NULL,
[clearb] [varchar](50) NULL,
CONSTRAINT [PK_enxtest] PRIMARY KEY CLUSTERED
(
[id] ASC
)WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY]
) ON [PRIMARY]
GO
我用数据填充它像这样:
id | cleara | encrypta | clearb
1 | teststring!1 | NULL | NULL
2 | teststring!1 | NULL | NULL
3 | teststring!2 | NULL | NULL
4 | teststring!2 | NULL | NULL
我使用SQL Server对称密钥和证书对像这样(唯一相关的代码,SPROC内部)并插入加密值成e运行脚本以每次cleara,一个的内容进行加密ncrypta场:
OPEN SYMMETRIC KEY THIS_IS_THE_KEY
DECRYPTION BY CERTIFICATE THIS_IS_THE_CERT
CONVERT(varbinary(2000), EncryptByKey(Key_GUID('THIS_IS_THE_KEY'), cleara), 1)
然后,我们删除了数据库主密钥,对称密钥和证书以及重建他们,给予他们收到了相同的名称。我运行了一个脚本来解密varbinary,类似于上面的加密代码,并将其插入到clearb中。
该查询给我下面的结果:
SELECT id, cleara, clearb
FROM enxtest;
id | cleara | encrypta | clearb
1 | teststring!1 | NULL | teststring!1
2 | teststring!1 | NULL | teststring!1
3 | teststring!2 | NULL | teststring!2
4 | teststring!2 | NULL | teststring!2
问题:
- 这怎么可能?我期待得到clearb == clearb,但是 clearb!= cleara。我希望切换出来的键会产生 始终不正确的varchar值。
- 有没有办法将备份恢复到另一台服务器,同时保持表中的二进制数据不变,创建新的密钥可以可靠地解密该数据,使其一致但不正确(与原始的明文值)值?
编辑:这是我们分批运行的完整脚本。
--Batch 1
declare @e1 varbinary(2000);
declare @c1 varchar(50);
select @c1 = cleara from enxtest where id = 1;
exec dbo.spEncryptString @cleartextString = @c1, @encryptedString = @e1 OUTPUT;
declare @e2 varbinary(2000);
declare @c2 varchar(50);
select @c2 = cleara from enxtest where id = 2;
exec dbo.spEncryptString @cleartextString = @c2, @encryptedString = @e2 OUTPUT;
declare @e3 varbinary(2000);
declare @c3 varchar(50);
select @c3 = cleara from enxtest where id = 3;
exec dbo.spEncryptString @cleartextString = @c3, @encryptedString = @e3 OUTPUT;
declare @e4 varbinary(2000);
declare @c4 varchar(50);
select @c4 = cleara from enxtest where id = 4;
exec dbo.spEncryptString @cleartextString = @c4, @encryptedString = @e4 OUTPUT;
update enxtest
set encrypta = @e1
where id = 1;
update enxtest
set encrypta = @e2
where id = 2;
update enxtest
set encrypta = @e3
where id = 3;
update enxtest
set encrypta = @e4
where id = 4;
/*
--Batch 2
drop symmetric key THIS_IS_THE_KEY;
drop certificate THIS_IS_THE_CERT;
drop master key;
create master key encryption by password = 'somepassword';
create certificate THIS_IS_THE_CERT with subject = 'subject' expiry_date = '20161231';
create symmetric key THIS_IS_THE_KEY with algorithm = AES_256
key_source = 'source' identity_value = 'identity' encryption by certificate THIS_IS_THE_CERT;
*/
--Batch 3
declare @e1 varbinary(2000);
declare @c1 varchar(50);
select @e1 = encrypta from enxtest where id = 1;
exec dbo.spDecryptString @encryptedString = @e1, @cleartextString = @c1 OUTPUT;
declare @e2 varbinary(2000);
declare @c2 varchar(50);
select @e2 = encrypta from enxtest where id = 2;
exec dbo.spDecryptString @encryptedString = @e2, @cleartextString = @c2 OUTPUT;
declare @e3 varbinary(2000);
declare @c3 varchar(50);
select @e3 = encrypta from enxtest where id = 3;
exec dbo.spDecryptString @encryptedString = @e3, @cleartextString = @c3 OUTPUT;
declare @e4 varbinary(2000);
declare @c4 varchar(50);
select @e4 = encrypta from enxtest where id = 4;
exec dbo.spDecryptString @encryptedString = @e4, @cleartextString = @c4 OUTPUT;
update enxtest
set clearb = @c1
where id = 1;
update enxtest
set clearb = @c2
where id = 2;
update enxtest
set clearb = @c3
where id = 3;
update enxtest
set clearb = @c4
where id = 4;
--Check
select * from enxtest;
这似乎很奇怪。你有一个完整的repro脚本? –
我知道了,我会在早上发布一个修改。 – saarrrr
@BenThul我已经添加了完整的脚本,我们跑分了分批。 – saarrrr