May 15, 2019 at 12:47 pm
Quick question, more for informational CYA than anything else (i.e., I don't want to do this; I just want to make sure it can't be done).
Is it possible to read (in clear text) or decrypt the password for an encrypted database key from the Windows Server registry?
I know people try to do this all the time (find passwords for things that they shouldn't have access to) and a quick Google search doesn't come up with any links. So I'm posting here in hopes someone can give me the warm fuzzy "No" that I'm looking for. Or to warn me that "yes, it can be" so I can go back to my peeps and look for a solution to lock down this particular hole if it exists.
May 15, 2019 at 2:59 pm
Hi, short answer: no. At the Windows level there is only the Service Master Key, which is protected by Windows DPAPI. This key is used by default to protect the master key in the master db, and probably only a hash of the master key password is stored in the db, so you can only brute force it.
May 15, 2019 at 10:42 pm
Is it what you're looking for?
https://simonmcauliffe.com/technology/tde/
_____________
Code for TallyGenerator
May 16, 2019 at 6:00 am
I was just talking to an AD expert yesterday after I presented a session on SQLi. Evidently there is a "golden ticket" in AD that unlocks the kingdom. Without that, the answer is a very hard NO. I don't have the details on the issue. Track down David Posthlewait.
"The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
- Theodore Roosevelt
Author of:
SQL Server Execution Plans
SQL Server Query Performance Tuning
May 17, 2019 at 10:17 am
Wow...
Thanks, everyone. I appreciate the references. This makes this even harder because I just found out corporate DBAs will have the password to the account that will own the keys and I need to figure out how to prevent them from using that account to log into our servers / databases and grabbing PII.
Grrr. Not looking forward to this conversation.
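As an added, defender-side check (not part of any reply in this thread): a T-SQL audit, run as a sysadmin in the database holding the sensitive data, that shows how the key hierarchy described above is configured on a given instance and who can open it without the key password. It uses only standard SQL Server catalog views; the comments and interpretation are mine.

```sql
-- Added audit script (not from the thread); run as a sysadmin in the database that
-- holds the sensitive data. It shows how the key hierarchy the replies describe
-- is actually configured on this instance and who can open it.

-- 1. How is this database's master key (DMK) protected?
--    ESKM = also encrypted by the Service Master Key (DPAPI-protected on the host);
--           anyone with CONTROL on the database can OPEN it with no password.
--    ESKP = encrypted by a password; OPEN MASTER KEY then needs that password.
SELECT sk.name AS key_name, ke.crypt_type, ke.crypt_type_desc
FROM sys.symmetric_keys AS sk
JOIN sys.key_encryptions AS ke ON ke.key_id = sk.symmetric_key_id
WHERE sk.name = N'##MS_DatabaseMasterKey##';

-- 2. Which databases are TDE-encrypted, by which certificate in master, and how
--    that certificate's private key is itself protected (expect ENCRYPTED_BY_MASTER_KEY).
SELECT DB_NAME(dek.database_id) AS database_name,
       dek.encryption_state,          -- 3 = encrypted
       dek.encryptor_type,            -- CERTIFICATE or ASYMMETRIC KEY
       c.name AS certificate_name,
       c.pvt_key_encryption_type_desc
FROM sys.dm_database_encryption_keys AS dek
LEFT JOIN master.sys.certificates AS c
       ON c.thumbprint = dek.encryptor_thumbprint;

-- 3. Who can bypass the key password anyway: sysadmin members at the instance
--    level, and db_owner members / CONTROL holders in this database (OPEN MASTER
--    KEY requires CONTROL on the database, which db_owner has implicitly).
SELECT r.name AS server_role, m.name AS member_login, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

SELECT dp.name AS db_owner_member, dp.type_desc
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS dp ON dp.principal_id = drm.member_principal_id
WHERE drm.role_principal_id = DATABASE_PRINCIPAL_ID(N'db_owner');

SELECT dp.name AS database_principal, dp.type_desc, p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS dp ON dp.principal_id = p.grantee_principal_id
WHERE p.class_desc = N'DATABASE' AND p.permission_name = N'CONTROL';
```

For a user database's DMK, ALTER MASTER KEY DROP ENCRYPTION BY SERVICE MASTER KEY makes the password mandatory for everyone, sysadmin included, at the cost of having to OPEN MASTER KEY in every session that uses it. The master database's DMK must stay SMK-protected, or TDE-encrypted databases will not come online after a restart.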