Do you fear breakins into your SQL Server database? You should. It is a real and dangerous possibility. First, I'll cite an example from a previous job to demonstrate how easy it is to access a database.
Why a DBA might break into your database
I used to be part of a team that was responsible for an enterprise application designed to run a pulp and paper mill. The software sold for $1.2 million as the base price. As the customer selected various options, the price went up in rather large increments. A sale of the application with all features working could amount to $3 million. We didn't create separate executables for each possible configuration because that would have been a nightmare. Instead, we created an encrypted procedure that read a table and made the functionality available that the client had licensed.
The local DBA with even a little savvy and an Internet connection could crack our code wide open in five minutes, gaining full functionality of the application and thereby saving her firm at least a million dollars. This is against the law, but some DBAs will take the chance to save their companies such large sums of money.
How a DBA can decrypt your database
If you think my scenario unlikely, try it. Create one or more stored procedures, views, and triggers with encryption using the standard "with encryption" phrase. Then follow the steps in this recipe, and see how easy it is to shatter your alleged defense:
1. Install the free SQL decryption tool from http://www.derkeiler.com/Mailing-Lists/Securiteam/2001-12/0101.html.
2. Run it and choose the server and database of interest. (You must be able to log in.)
3. Select the procedures, views, and triggers you wish to decrypt.
4. Choose a directory in which to save the decrypted files and click Save.
Protect your database with these resources
The safest assumption is that a DBA will try to break into your database. If the DBA succeeds, the vendor of the application may be out a significant amount of money.
Simply adding encryption to your database will only protect you from entry-level or inexperienced DBAs. If encrypted procedures, views, and triggers are important to you and your firm (and they should be), then you have no choice but to spend some money and license real encryption, or to download one of the following alternatives (both commercial and free) and beef up your encryption efforts:
SQL Encryption Toolkit: This free toolkit from Michael Coles is in the form of stored procedures.
Last updated 17 Apr 2020