MSSQL 2012: encrypting cells per user

Time: 2016-03-30 09:39:57

Tags: sql-server encryption sql-server-2012 encryption-asymmetric

Is there a way to encrypt a cell value based on the user account? That is:

  • only the valid user can decrypt the values of certain cells?
  • or, a way to encrypt data through the user's authentication, so that only the correct user can decrypt it?

This is my current solution: I create asymmetric keys and grant permissions on them to users. This is not good because:

  1. I have to create a key for every user or user group;
  2. it cannot be atomic;
  3. a query that reads the data must always retrieve the key name as well.

Example:

    create database test_for_encrypt
    Go
    use test_for_encrypt
    Go
    
    -- Create Master key and certificate
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'StrongPass1234';
    CREATE CERTIFICATE MySelfSignedCert
    WITH SUBJECT = 'MySelfSignedCert',
    EXPIRY_DATE = '07/14/2020';
    
    -- Create Asymmetric keys
    CREATE ASYMMETRIC KEY Asym_user_1  WITH ALGORITHM = RSA_2048
    CREATE ASYMMETRIC KEY Asym_user_2  WITH ALGORITHM = RSA_2048
    
    -- create table with data and select data
    create table tb_encrypt (word nvarchar(100), asymkey nvarchar(100), crypt varbinary(1000))
    Go
    insert tb_encrypt (word, asymkey) values (N'One', N'Asym_user_1'), (N'Two', N'Asym_user_2')
    update tb_encrypt set crypt = ENCRYPTBYASYMKEY(ASYMKEY_ID(asymkey), word)
    select word, crypt, convert(nvarchar, DECRYPTBYASYMKEY(ASYMKEY_ID(asymkey), crypt)) as decrypt
    from tb_encrypt
    
    
    -- create new user with grants
    create login [user_asym] With password = N'password_1234'
    CREATE USER [user_asym] FOR login [user_asym]
    ALTER AUTHORIZATION ON SCHEMA::[db_datareader] TO [user_asym]
    GRANT CONTROL ON ASYMMETRIC KEY::[Asym_user_1] TO [user_asym]
    ALTER ROLE [db_datareader] ADD MEMBER [user_asym]
    
    -- After this, Logout and Login with [user_asym]
    -- Select data with user [user_asym]
    select word, crypt, convert(nvarchar, DECRYPTBYASYMKEY(ASYMKEY_ID(asymkey), crypt)) as decrypt
    from tb_encrypt
    

1 answer:

Answer 0 (score: 0)

Keep a table containing the user names and whether the corresponding column is encrypted for them. Use that as a parameter of a table-valued function, and decide which columns to encrypt based on that table.

Something like:

    Select Case when UserSeeEncrypted = 1 then <EncryptedVal>
    Else <Decrypted> ....

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I added the following table:

    Create Table #Users (UserName varchar(100), IsEncrypted bit )
    Insert into #Users
    Select 'PrasadPC\Prasad', 1 -- this is my username on my machine (I used it to test)
    Union
    Select 'user2', 0
    Union
    Select 'user3', 1

    select * from #Users

This code is taken from your post and modified.

    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'StrongPass1234';
    CREATE CERTIFICATE MySelfSignedCert
    WITH SUBJECT = 'MySelfSignedCert',
    EXPIRY_DATE = '07/14/2020';

The ASYMMETRIC KEY applies to every record:

    CREATE ASYMMETRIC KEY [Encrypt_Key_Radioleao]  WITH ALGORITHM = RSA_2048

Create the table with data and select the data (I changed the table structure just to hold the word; if you need to keep the encrypted data, you can do that by changing my logic slightly):

    create table #tb_encrypt (word nvarchar(100))
    Go
    insert #tb_encrypt (word) values (N'One'), (N'Two')

Now the query:

    select Word,
        Case when exists
            (Select UserName from #Users
             where IsEncrypted = 0 and SUSER_SNAME() = UserName) then Word
        Else
            convert(nvarchar(max), ENCRYPTBYASYMKEY(ASYMKEY_ID('Encrypt_Key_Radioleao'), Word))
        End as En_Decrypt
    from #tb_encrypt e

    -- change my user to see decrypted data
    Update #Users set IsEncrypted = 0  where UserName = 'PrasadPC\Prasad'
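The answer's lookup table only decides what the query shows; it does not stop a login that holds the key permissions from calling the decrypt function directly. An added example (not from the question or the answer) that keeps the per-user idea but lets SQL Server's own permissions enforce it: one symmetric key encrypts every cell, that key is wrapped by one certificate per user, and a view opens it through the caller's certificate. It assumes the database, master key and login/user [user_asym] from the question plus a second login [user_other]; the names sk_cell, cert_user_1, cert_user_2, tb_secret, user_cert and v_secret are made up here.

```sql
-- One certificate per user; the private keys are protected by the database master key.
CREATE CERTIFICATE cert_user_1 WITH SUBJECT = 'cell access for user_asym';
CREATE CERTIFICATE cert_user_2 WITH SUBJECT = 'cell access for user_other';
GO
-- One symmetric key encrypts all cells; it is wrapped by each user's certificate,
-- so adding or removing a user never requires re-encrypting the data.
CREATE SYMMETRIC KEY sk_cell WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE cert_user_1;
OPEN SYMMETRIC KEY sk_cell DECRYPTION BY CERTIFICATE cert_user_1;
ALTER SYMMETRIC KEY sk_cell ADD ENCRYPTION BY CERTIFICATE cert_user_2;
GO
CREATE TABLE dbo.tb_secret (id int IDENTITY PRIMARY KEY, crypt varbinary(8000));
-- No key name per row: the ciphertext carries the key GUID, and the write is one statement.
INSERT dbo.tb_secret (crypt)
VALUES (ENCRYPTBYKEY(KEY_GUID('sk_cell'), N'One')),
       (ENCRYPTBYKEY(KEY_GUID('sk_cell'), N'Two'));
CLOSE SYMMETRIC KEY sk_cell;
GO
-- Login -> certificate mapping: one row per user, not one key per cell (constructed rows).
CREATE TABLE dbo.user_cert (login_name sysname PRIMARY KEY, cert_name sysname NOT NULL);
INSERT dbo.user_cert (login_name, cert_name)
VALUES (N'user_asym', N'cert_user_1'), (N'user_other', N'cert_user_2');
GO
-- The view picks the caller's certificate; DECRYPTBYKEYAUTOCERT opens sk_cell with it.
-- Enforcement is the CONTROL permission on that certificate, not the mapping table:
-- a login without a mapping row, or without permission on its certificate, gets NULL.
CREATE VIEW dbo.v_secret AS
SELECT s.id,
       CONVERT(nvarchar(100),
               DECRYPTBYKEYAUTOCERT(CERT_ID(uc.cert_name), NULL, s.crypt)) AS word
FROM dbo.tb_secret AS s
LEFT JOIN dbo.user_cert AS uc ON uc.login_name = SUSER_SNAME();
GO
-- Each user may open the shared key only through their own certificate.
GRANT SELECT ON dbo.v_secret TO user_asym;
GRANT VIEW DEFINITION ON SYMMETRIC KEY::sk_cell TO user_asym;
GRANT CONTROL ON CERTIFICATE::cert_user_1 TO user_asym;
GO
-- To cut user_other off later, drop their wrapping instead of touching the data:
-- OPEN SYMMETRIC KEY sk_cell DECRYPTION BY CERTIFICATE cert_user_1;
-- ALTER SYMMETRIC KEY sk_cell DROP ENCRYPTION BY CERTIFICATE cert_user_2;
-- CLOSE SYMMETRIC KEY sk_cell;
```

Logged in as [user_asym], `SELECT * FROM dbo.v_secret` returns the plaintext words, while a login that holds no CONTROL on a mapped certificate sees NULL in the word column.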