EncryptbyPassPhrase

Question

Post reply

EncryptbyPassPhrase

Steve Jones - SSC Editor

SSC Guru

Points: 736150
More actions
February 24, 2016 at 10:21 pm

#325062

Comments posted to this topic are about the item EncryptbyPassPhrase
February 24, 2016 at 11:04 pm

This was removed by the editor as SPAM

Viewing 15 posts - 1 through 15 (of 15 total)

You must be logged in to reply to this topic. Login to reply

Ed Wagner SSC Guru Points: 287026 More actions · Answer 1

Interesting. At least they picked well. Thanks, Steve.

Tally Tables - Performance Personified
String Splitting with True Performance
Best practices on how to ask questions

webrunner SSC-Dedicated Points: 31858 More actions · Answer 2

Thanks for the question. I didn't know that.

- webrunner

-------------------
A SQL query walks into a bar and sees two tables. He walks up to them and asks, "Can I join you?"
Ref.: http://tkyte.blogspot.com/2009/02/sql-joke.html

zgardiner 4991 SSC-Addicted Points: 461 More actions · Answer 3

Lol, I just used this the other day to encrypt SSNs, other wise I would have had no idea. I had to come up with a way to store the SSNs securely, since I'm using them to reconcile a couple of different data sets from multiple systems. Good thing I did too, cause my boss sent one of the ERP admins around to make sure that I didn't have any floating around the DW :Whistling:

One thing though, I currently am executing the ENCRYPTBYPASSPHRASE() function in an ETL via an Execute SQL task, which leaves the pass phrase in plain text. Does anyone know of a better way to do this? Passing the passphrase into the function as a variable is the first thing that comes to mind, but that still doesn't solve the problem of securing the passphrase.

Any help would be appreciated.

Thanks

Steve Jones - SSC Editor SSC Guru Points: 736150 More actions · Answer 4

You have to secure this somehow. There isn't a good way to do this, other than injection from the package or as a parameter. In either case, you then need to treat that location as a security hole.

I like a parameter of sorts, so operations can limit access to jobs, and then control the password themselves (and take liability).

zgardiner 4991 SSC-Addicted Points: 461 More actions · Answer 5

Steve Jones - SSC Editor (2/25/2016)
You have to secure this somehow. There isn't a good way to do this, other than injection from the package or as a parameter. In either case, you then need to treat that location as a security hole.
I like a parameter of sorts, so operations can limit access to jobs, and then control the password themselves (and take liability).

I was thinking that password protecting the entire .dtsx package might also be a solution? I'm using Integration Services Catalog on SQL Server 2014. It should just change the protection level to server when I deploy it. Then only myself and people who have access to the SSIS catalog would be able to access the package, which is only myself and the sysadmin. Throw the package password in KeePass and then forget that I ever authored the thing, deny all knowledge of the events that transpired and refer any further inquiries to the online documentation which is ample.

What say you O' Grand Wisdom Of the Hawaiian Shirt? Viable or did I swallow too much sea water during this morning's surf?

Steve Jones - SSC Editor SSC Guru Points: 736150 More actions · Answer 6

That's fine. Package protection is good. The important thing is that someone knows where the password is and how it's controlled. I might even think about having a non-business person watch the password process and understand where it is. I used to give the admin passwords (sealed) to the CFO, just in case.

zgardiner 4991 SSC-Addicted Points: 461 More actions · Answer 7

My two bosses and the sysadmin have the KeePass master password. I'm pretty sure that each of them wrote it on a sticky, wrote "KEEPASS PASSWORD - IMPORTANT" over it, underlined that twice, and then pasted it directly to the bottom their monitors as soon as I was done verbally giving it to them over the phone. Maybe not the sysadmin.

Alright, local package protection it is. Thanks as always for all your help Steve.

Steve Jones - SSC Editor SSC Guru Points: 736150 More actions · Answer 8

Good luck, and you are welcome. If you'd like to write up how you to this one thing, protecting this data, we'd love an article.

Steve

eje37575 SSC Rookie Points: 32 More actions · Answer 9

Why would you be hiding data from the DBA's??Shouldn't be the other way around??

Steve Jones - SSC Editor SSC Guru Points: 736150 More actions · Answer 10

eje37575 (2/27/2016)
Why would you be hiding data from the DBA's??Shouldn't be the other way around??

There is certainly data you wouldn't want a sysadmin to see, nor should they necessarily see. A valid concern. DBAs can be responsible for the system, but not be allowed to see the data.

eje37575 SSC Rookie Points: 32 More actions · Answer 11

I guess it depends on the organization. I'm more of an sql developer/dba and have full access to production data. Our .NET developers do not have access production data they only have free reign when it comes to dev and qa.

Hany Helmy SSChampion Points: 13921 More actions · Answer 12

As I didn`t use that function before, so I googled it; found some confusing web links made me think it is useing DES algorithn as well.

Thanks & Best Regards,
Hany Helmy
SQL Server Database Consultant

akljfhnlaflkj SSC Guru Points: 76202 More actions · Answer 13

akljfhnlaflkj

SSC Guru

Points: 76202

March 9, 2016 at 4:57 pm

#1864156

Thanks for the question.