Certificate or Password in creating symmetric key

Question

0.00/5 (No votes)

See more:

, +

I want to encrypt a column of a table in production. For that I have the script as below.But I am confused if I should use certificate to encrypt the symmetric key or a Password.As certificate will involve some cost in maintaining it.

CREATE SYMMETRIC KEY XYZConfigTableKey
WITH ALGORITHM = TRIPLE_DES ,
KEY_SOURCE = 'ConfigValtricKey',
IDENTITY_VALUE = 'ConfiSymmetricKey'
ENCRYPTION BY CERTIFICATE MWSEncryptCertificate

OR

CREATE SYMMETRIC KEY XYZConfigTableKey
WITH ALGORITHM = TRIPLE_DES ,
KEY_SOURCE = 'ConfigValtricKey',
IDENTITY_VALUE = 'ConfiSymmetricKey'
ENCRYPTION BY PASSWORD ='xysjj'

Posted 17-Dec-14 0:02am

gsinghania2009

Updated 17-Dec-14 0:17am

v3

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

barneyman · Accepted Answer · 2014-12-17T13:20:00

they're both, fundamentally, the same - to access the data, you either need the password, or the private key attached to the cert (depending which option you choose)

it could be argued that the cert private key is more 'troublesome' to share around - you could mark the private key non-exportable

certificates, per-se, aren't more expensive than passwords to maintain, IFF you don't care about the certification chain (i'm guessing your mention of cost is to do with getting something counter-signed by thawte/verisign etc.?)

you can spin up a Certification Authority under windows server, create your own root cert and issues client certs on demand - the end user would need a copy of your root cert installed in their Trusted Root container - or you can use self-signed certs

Certs are about identification & signing/encrypting stuff - cert-chains are about believing a cert holders identity you've never seen before because it's been proven by someone you trust