add_authenticatorIndicates whether the original encryption process included, and encrypted, an authenticator together with the plaintext. Must match the value passed to ENCRYPTBYKEY (Transact-SQL) during the data encryption process. add_authenticator has an int data type.

Encrypt Decrypt SQL Server

DECRYPTBYKEY uses a symmetric key. The database must have this symmetric key already open. DECRYPTBYKEY will allow multiple keys open at the same time. You do not have to open the key immediately before cipher text decryption.

The DECRYPTBYKEY call must happen in the context of the database containing the encryption key. Ensure this by calling DECRYPTBYKEY from an object (such as a view, or stored procedure, or function) that resides in the database.

The following example demonstrates that DECRYPTBYKEY must be executed in the context of the database that contains the key. The row will not be decrypted when DECRYPTBYKEY is executed in the Master database; the result is NULL.

SQL Server stored procedures, views and functions are able to use the WITH ENCRYPTION option to disguise the contents of a particular procedure or function from discovery. The contents are not able to be scripted using conventional means in SQL Server Management Studio; nor do the definitions appear in the definition column of sys.sql_modules. This allows the cautious DBA to keep stored procedures and functions securely in source control and protecting the intellectual property contained therein. This tip will focus on encrypting and decrypting a user-defined function.

To encrypt a user-defined function, simply add WITH ENCRYPTION to the CREATE FUNCTION statement (after the RETURNS element). Throughout this tip, I will be building an encrypted UDF (and decrypting it) to demonstrate the principle.

First, create the UDF. Here's mine - it's a simple module that accepts an input string and returns the encrypted varbinary hash value. There are two vital pieces of information here that MUST NOT be given away to the user of the function - the encryption standard, and the salt.

In this example the salt is fixed and an attacker, given the encryption standard (SHA-256) and the salt, could be able to decrypt the hash into plaintext. We can view the definition of a function by finding it in SQL Server Management Studio, right-clicking and scripting out the function:

Firstly, open a Dedicated Administrator Connection (DAC) to SQL Server. Using SQL Server Management Studio, this is easily done by prefixing admin: to the connection string upon connection of a query window. Note that the DAC can only be used if you are logged onto the server and using a client on that server, and if you hold the sysadmin role. You can also get to it by using SQLCMD with the -A option. Note: DAC won't work unless you're using TCP/IP; you'll get this rather cryptic error (in both SQLCMD and SSMS):

The procedure for decryption comes in three steps. First, get the encrypted value of the procedure definition from sys.sysobjvalues (via the DAC connection). Secondly, get the encrypted value of a 'blank' procedure, where the definition is filled in by '-'. Thirdly, get the plaintext blank procedure statement(unencrypted). Now XOR them together (XOR is the simplest of decryption procedures and forms the basis of many algorithms including MD5) as shown below to retrieve the output of the procedure. You'll find my take on this algorithm in the code example below:

If you still cannot access via DAC or prefer a code-based approach, then you can use one of a number of freeware third-party .NET-based decryption software packages to do this for you. The blog Sqljunkieshare also purports to have a method of doing this (code untested) that looks viable - you can find the link here:

i have some inportant stored procedure code in my sql server database 2012. i need very badly to lock the code or encryted those code.Even i cal also not to able to view the code even not SA user. how i can do this. please assist me.

Script for decrypting function works great! However, can you modify the code to ROLLBACK the transaction so that the stored procedure is reverted back to normal? Otherwise after running the code I'm left with

@James Lean - Thanks for your comments. I've re-reviewed what I've written about the DAC and I'm a bit confused to be honest, as I cannot now replicate the last steps in the article above to read the decrypted data. I also get NULL values, same as you. Looking elsewhere, I can see details of the decryption algorithm used (XORs character-by-character of the cryptotext to get the plaintext) via the DAC but no evidence the DAC itself is the key.

If this is the case then the final points I made about using the DAC are incorrect and I apologise for this (I'm also baffled as to how I got the plaintext out in my screenshot!). I would highly recommend the StackOverflow link above for details of the algorithm required for decryption.

I may be missing something, but I can't get this to work just by using the DAC to view the encrypted definition. I just get a NULL definition, same as if I use a normal connection (I've tried this on SQL2005 and 2012 just in case the behaviour changed).

To be honest, I would be a bit worried if it *was* this easy to view an encrypted definition. I know it is fairly trivial to use third-party tools anyway, but at least you have to go to a little bit of effort that way ;-)

One solution is to encrypt sensitive data in a database and use a certificate to protect the keys that encrypt the data. This solution prevents anyone without the keys from using the data. But you must plan this kind of protection in advance.

TDE does real-time I/O encryption and decryption of data and log files. The encryption uses a database encryption key (DEK). The database boot record stores the key for availability during recovery. The DEK is a symmetric key. It's secured by a certificate that the server's master database stores or by an asymmetric key that an EKM module protects.

TDE protects data at rest, which is the data and log files. It lets you follow many laws, regulations, and guidelines established in various industries. This ability lets software developers encrypt data by using AES and 3DES encryption algorithms without changing existing applications.

TDE doesn't provide encryption across communication channels. For more information about how to encrypt data across communication channels, see Enable Encrypted Connections to the Database Engine (SQL Server Configuration Manager).

Encryption of a database file is done at the page level. The pages in an encrypted database are encrypted before they're written to disk and are decrypted when read into memory. TDE doesn't increase the size of the encrypted database.

When you use TDE with Azure SQL Database, SQL Database automatically creates the server-level certificate stored in the master database. To move a TDE database on SQL Database, you don't have to decrypt the database for the move operation. For more information on using TDE with SQL Database, see transparent data encryption with Azure SQL Database.

After you enable TDE, immediately back up the certificate and its associated private key. If the certificate becomes unavailable, or if you restore or attach the database on another server, you need backups of the certificate and private key. Otherwise, you can't open the database.

Keep the encrypting certificate even if you've disabled TDE on the database. Although the database isn't encrypted, parts of the transaction log might remain protected. You also might need the certificate for some operations until you do a full database backup.

The Windows Data Protection API (DPAPI) is at the root of the encryption tree, secures the key hierarchy at the machine level, and is used to protect the service master key (SMK) for the database server instance. The SMK protects the database master key (DMK), which is stored at the user database level and protects certificates and asymmetric keys. These keys, in turn, protect symmetric keys, which protect the data. TDE uses a similar hierarchy down to the certificate. When you use TDE, the DMK and certificate must be stored in the master database. A new key, used only for TDE and referred to as the database encryption key (DEK), is created and stored in the user database.

The following illustration shows the architecture of TDE encryption. Only the database-level items (the database encryption key and ALTER DATABASE portions) are user-configurable when you use TDE on SQL Database.

The encryption and decryption operations are scheduled on background threads by SQL Server. To view the status of these operations, use the catalog views and dynamic management views in the table that appears later in this article.

Backup files for databases that have TDE enabled are also encrypted with the database encryption key. As a result, when you restore these backups, the certificate that protects the database encryption key must be available. Therefore, in addition to backing up the database, make sure to maintain backups of the server certificates. Data loss results if the certificates are no longer available.

While a re-encryption scan for a database encryption operation is in progress, maintenance operations to the database are disabled. You can use the single-user mode setting for the database to do maintenance operations. For more information, see Set a Database to Single-user Mode.

Use the sys.dm_database_encryption_keys dynamic management view to find the state of database encryption. For more information, see the "Catalog views and dynamic management views" section earlier in this article. 2ff7e9595c