Software encryption key management

Status
Not open for further replies.

djj55

Programmer
Feb 6, 2006
1,761
US
Hello, SQL 2008.
We want to use key management but do not want to use a hardware security module.

What I am looking for is a software solution for managing the key files.

Thanks

djj
The Lord is my shepherd (Psalm 23) - I need someone to lead me!
 
Key management solutions are pretty expensive. You are looking for something like the RSA Key Manager.

Denny
MVP
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / SQL 2005 BI / SQL 2008 DBA / SQL 2008 DBD / SQL 2008 BI / MWSS 3.0: Configuration / MOSS 2007: Configuration)
MCITP (SQL 2005 DBA / SQL 2008 DBA / SQL 2005 DBD / SQL 2008 DBD / SQL 2005 BI / SQL 2008 BI)

My Blog
 
Thank you for your reply.

Maybe I should look at file management software. We will let SQL do the TDE encryption with the keys created during the setup and implementation; however, now we have key files to keep track of.

My manager does not want to use a hardware security module, only a software solution. When looking at RSA Key Manager it also talks about HSM.

Thanks again,

djj
The Lord is my shepherd (Psalm 23) - I need someone to lead me!
 
If security is your concern but an HSM is not allowed, your next best option is to do an "N of M" split. I'm not sure if MSSS will let you store the key encrypted in a way outside of its control but it might. I suspect your only real option here will be to use a PKCS-11 SoftToken that implements N of M protection. This all assumes that security is your concern.
If your concern is not losing back copies or otherwise managing key backups you might consider getting thumb-drives that do content protection or otherwise keeping a zip'd folder encrypted using openssl (or gpg, or RSAREF...) to encrypt the contents which you then store on the thumb drive. You might consider having someone who doesn't know a password part (or a password) to hold the USB drive with the encrypted key as a "poor man's" way to get N of M.
 