Question on Encrypted Database keys/passwords

  • Quick question more for informational CYA than anything else (I.E., I don't want to do this, I just want to make sure it can't be done).

    Is it possible to read (in clear text) or decrypt the password for an encrypted database key from the Windows Server registry?

    I know people try to do this all the time (find passwords for things that they shouldn't have access to) and a quick Google search doesn't come up with any links. So I'm posting here in hopes someone can give me the warm fuzzy "No" that I'm looking for. Or to warn me that "yes, it can be" so I can go back to my peeps and look for a solution to lock down this particular hole if it exists.

    Brandie Tarvin, MCITP Database Administrator
    LiveJournal Blog: http://brandietarvin.livejournal.com/
    On LinkedIn!, Google+, and Twitter.
    Freelance Writer: Shadowrun
    Latchkeys: Nevermore, Latchkeys: The Bootleg War, and Latchkeys: Roscoes in the Night are now available on Nook and Kindle.

  • Hi, short answer: no. At the Windows level there is only the Service Master Key, which is protected by Windows DPAPI. This key is used by default to protect the master key in the master db, and probably only a hash of the master key password is stored in the db, so you can only brute-force it.

    https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-2017
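    To make the hierarchy described above checkable, here is an added T-SQL example (not code from the thread or from the linked documentation). It lists how a database master key (DMK) is currently protected and shows the hardening step that removes the automatic Service Master Key (SMK) protection, so the DMK can only be opened with its password. The password value is a placeholder.

    ```sql
    -- Added example: inspect and harden the protection of a database master key.
    -- Run inside the database whose DMK you are checking.

    -- 1. One row per protection on the DMK.
    --    crypt_type 'ESKM' = encrypted by the (service) master key -> SQL Server opens it automatically
    --    crypt_type 'ESKP' = encrypted by a password               -> requires OPEN MASTER KEY ... PASSWORD
    SELECT sk.name, ke.crypt_type, ke.crypt_type_desc
    FROM sys.symmetric_keys AS sk
    JOIN sys.key_encryptions AS ke ON ke.key_id = sk.symmetric_key_id
    WHERE sk.name = '##MS_DatabaseMasterKey##';

    -- 2. Hardening: drop the SMK protection. The SMK is what DPAPI hands to the
    --    service account, so without this row nobody (sysadmin included) can use the
    --    keys beneath the DMK without supplying the DMK password first.
    OPEN MASTER KEY DECRYPTION BY PASSWORD = '<dmk-password-placeholder>';  -- placeholder
    ALTER MASTER KEY DROP ENCRYPTION BY SERVICE MASTER KEY;
    CLOSE MASTER KEY;

    -- 3. Re-run step 1: only the 'ESKP' row should remain.
    -- To undo (needs the password again):
    --   OPEN MASTER KEY DECRYPTION BY PASSWORD = '<dmk-password-placeholder>';
    --   ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY;
    ```

    Apply step 2 to user databases, not to master on a TDE server: the TDE certificate lives in master and must be openable automatically at startup, which is exactly what the SMK protection provides.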

  • Is it what you're looking for?


    https://simonmcauliffe.com/technology/tde/


    _____________
    Code for TallyGenerator

  • Just talking to an AD expert yesterday after I presented a session on SQLi. Evidently there is a "golden ticket" in AD that unlocks the kingdom. Without that, the answer is a very hard NO. I don't have the details on the issue. Track down David Posthlewait.

    "The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
    - Theodore Roosevelt

    Author of:
    SQL Server Execution Plans
    SQL Server Query Performance Tuning

  • Wow...

    Thanks, everyone. I appreciate the references. This makes this even harder because I just found out corporate DBAs will have the password to the account that will own the keys and I need to figure out how to prevent them from using that account to log into our servers / databases and grabbing PII.

    Grrr. Not looking forward to this conversation.

