Encrypted Stored Procedures in SQL Server – How Secure?
Posted by decipherinfosys on February 17, 2007
Yesterday, a good friend of mine asked me whether just using the “WITH ENCRYPTION” option is good enough to secure the source code in SQL Server. Oracle has the WRAP utility to do the same thing, and it is much more robust. In SQL Server, encrypting your source code with the “WITH ENCRYPTION” option does not mean that you are safe. One can use the dSQLSRVD utility to decrypt that code:
or even this stored procedure code (Decrypt2k) that is publicly available:
The difference between the two is that domNar’s tool requires you to be a member of the sysadmin fixed server role. The stored procedure version above does not decrypt the code correctly for procedures longer than 4K. And here is another link that talks about a couple of other options that exist for decrypting the encrypted code in SQL Server:
So, does that mean that there is really nothing that can be done to protect your source code in SQL Server? There are third-party utilities, like the one from SQL Shield mentioned above, that can be used for this. You can also control this with very tight access control using roles and permissions, but that can be done only if you are the one who hosts the instance and have all the higher-privileged accounts locked up.
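The access-control approach above starts with knowing which modules rely on WITH ENCRYPTION and which logins hold sysadmin, the role the dSQLSRVD tool requires. The following T-SQL is an added example, not code from the original post; it assumes the SQL Server 2005 or later catalog views, and the first query must be run in each database you want to review.

```sql
-- Added example (not from the original post): audit queries for reviewing
-- exposure of modules created WITH ENCRYPTION. Assumes SQL Server 2005+.

-- 1. Inventory every module in the current database that was created
--    WITH ENCRYPTION (procedures, functions, triggers, views).
SELECT  s.name        AS schema_name,
        o.name        AS object_name,
        o.type_desc   AS object_type,
        o.modify_date AS last_modified
FROM    sys.objects AS o
JOIN    sys.schemas AS s ON s.schema_id = o.schema_id
WHERE   OBJECTPROPERTY(o.object_id, 'IsEncrypted') = 1
ORDER BY s.name, o.name;

-- 2. List the members of the sysadmin fixed server role. Every login here
--    should be one you control and can account for.
SELECT  m.name        AS login_name,
        m.type_desc   AS login_type,
        m.is_disabled
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'
ORDER BY m.name;

-- 3. List logins granted CONTROL SERVER. This check goes beyond what the
--    post states: it is a general SQL Server fact that CONTROL SERVER
--    carries near-sysadmin authority, so review it alongside query 2.
SELECT  p.name             AS login_name,
        sp.permission_name,
        sp.state_desc
FROM    sys.server_permissions AS sp
JOIN    sys.server_principals  AS p ON p.principal_id = sp.grantee_principal_id
WHERE   sp.permission_name = N'CONTROL SERVER'
  AND   sp.state IN ('G', 'W')   -- GRANT or GRANT WITH GRANT OPTION
ORDER BY p.name;
```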
In one of the future posts, we will look at encryption of the data and what options SQL 2005 provides for it. It can be done using symmetric keys and is a very good feature.