Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Grant appropriate permission to use Symmetric Key in stored proc

Tags:

sql-server

tsql

sql-server-2012

I created a symmetric key in SQL2012 using the following code (logged in as Windows Admin user):

CREATE MASTER KEY ENCRYPTION BY PASSWORD = '34trg45trgf546t';
CREATE CERTIFICATE SSCert01 WITH SUBJECT = 'SS Certificate 01';
CREATE SYMMETRIC KEY SSN_Key_01 WITH ALGORITHM = TRIPLE_DES ENCRYPTION BY CERTIFICATE SSCert01;

Once that was done I applied encryption to certain database columns. Still logged in as Admin, I can successfully decrypt columns using the Key:

OPEN SYMMETRIC KEY SSN_Key_01 DECRYPTION BY CERTIFICATE SSCert01;
SELECT
    name,
    surname,
    CONVERT(nvarchar(50),DECRYPTBYKEY(PasswordEnc)) as DecryptedPassword
FROM
    [tbl_Users];
CLOSE SYMMETRIC KEY SSN_Key_01;

I then placed the above code into a Stored Procedure. The problem is that my application access SQL using two Roles, which access the appropriate proc's. When either of these two Roles tries to execute a proc containing the above code, I see this error:

Cannot find the certificate 'SSCert01', because it does not exist or you do not have permission. The key 'SSN_Key_01' is not open. Please open the key before using it.

When I login as either Role, they cannot see the Key or the Cert. So, can anyone advise WHICH permissions to grant to the roles so that they can use the key/cert within stored procedures (only) to encrypt/decrypt data. The roles shouldn't be allowed to perform any functionality with the key/cert apart from encryption/decryption. I have looked at MSDN/Google and am none the wiser.

UPDATE The following code allows the roles to use the proc's, but I am worried that CONTROL is too much access. Can anyone provide some clarity please?

GRANT CONTROL ON CERTIFICATE :: SSCert01 TO Role001;
GRANT CONTROL ON SYMMETRIC KEY :: SSN_Key_01 TO Role001;
like image 559
EvilDr Avatar asked Mar 07 '14 15:03

EvilDr

1 Answers

The way I usually get around this is to set the procedure to execute as owner and then make sure that the owner of the procedure has the correct permissions to perform the decryption, a lot of time the owner of the proc is DBO anyway so no additional configuration needs to be done apart from altering the procedure like so:

ALTER PROCEDURE proc_name
WITH EXECUTE AS OWNER
AS
OPEN SYMMETRIC KEY SSN_Key_01 DECRYPTION BY CERTIFICATE SSCert01;
SELECT
    name,
    surname,
    CONVERT(nvarchar(50),DECRYPTBYKEY(PasswordEnc)) as DecryptedPassword
FROM
    [tbl_Users];
CLOSE SYMMETRIC KEY SSN_Key_01;

This means that you don't have to grant any additional permissions at all to your application role or users.

like image 101
steoleary Avatar answered Sep 19 '22 23:09

steoleary
Sign in to Comment

Related questions

OPTION (MAXDOP) with sub query?
SQL convert string to date format 112
How to use :setvar properly?
Ensure that one and only one default is defined for a set
Is it better to sort data at the application layer, or with an order by clause?
Either an aggregate function or the GROUP BY clause
Count of Columns in temp table in SQL Server
edge-sql.js how to set connectionString?
Error using Common Table Expression in SQL User Defined Function
How to form a table name from concatenating strings in Select Statement in SQL 2012
divide values in a Group By query
Error :RESTORE cannot process database 'Test_DB' because it is in use by this session
WHERE clause using OPENQUERY with linked server
SQL Server POWER function
Return all primary keys affected by update query
Delete 75% Of a Table Randomly
How to protect a system from inside (like inside job)?
SCOPE_IDENTITY for multiple records
Create a table and default column value to a received variable parameter
Find the Same day of Previous Year Given by Current Year Date in SQL Server

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!