105 lines
9.4 KiB
Transact-SQL
105 lines
9.4 KiB
Transact-SQL
/* DROP Column Encryption Keys first, Column Master Keys cannot be dropped until no CEKs depend on them */
|
|
IF EXISTS (SELECT * FROM sys.column_encryption_keys WHERE [name] LIKE '%AEColumnKey%' OR [name] LIKE '%-win-%')
|
|
BEGIN
|
|
DROP COLUMN ENCRYPTION KEY [AEColumnKey]
|
|
DROP COLUMN ENCRYPTION KEY [CEK-win-enclave]
|
|
DROP COLUMN ENCRYPTION KEY [CEK-win-enclave2]
|
|
DROP COLUMN ENCRYPTION KEY [CEK-win-noenclave]
|
|
DROP COLUMN ENCRYPTION KEY [CEK-win-noenclave2]
|
|
END
|
|
GO
|
|
|
|
/* Can finally drop Column Master Keys after the Column Encryption Keys are dropped */
|
|
IF EXISTS (SELECT * FROM sys.column_master_keys WHERE [name] LIKE '%AEMasterKey%' OR [name] LIKE '%-win-%')
|
|
BEGIN
|
|
DROP COLUMN MASTER KEY [AEMasterKey]
|
|
DROP COLUMN MASTER KEY [CMK-win-enclave]
|
|
DROP COLUMN MASTER KEY [CMK-win-noenclave]
|
|
END
|
|
GO
|
|
|
|
/* Create the Column Master Keys */
|
|
/* AKVMasterKey is a non-enclave enabled key for AE v1 testing */
|
|
/* The enclave-enabled master key requires an ENCLAVE_COMPUTATIONS clause */
|
|
CREATE COLUMN MASTER KEY [AEMasterKey]
|
|
WITH
|
|
(
|
|
KEY_STORE_PROVIDER_NAME = N'MSSQL_CERTIFICATE_STORE',
|
|
KEY_PATH = N'CurrentUser/my/237F94738E7F5214D8588006C2269DBC6B370816'
|
|
)
|
|
GO
|
|
|
|
/* The enclave-enabled master key requires an ENCLAVE_COMPUTATIONS clause */
|
|
CREATE COLUMN MASTER KEY [CMK-win-enclave]
|
|
WITH
|
|
(
|
|
KEY_STORE_PROVIDER_NAME = N'MSSQL_CERTIFICATE_STORE',
|
|
KEY_PATH = N'CurrentUser/My/FADD52207E002EDDEE832B12E281EA280F2EFBCB',
|
|
ENCLAVE_COMPUTATIONS (SIGNATURE = 0x89DB5211D883466A978299CD9AE176E25C3465EDB6FA42571E17AC38D9ED63D436CD476D5436AD1514BAE7C9E185EB421E9C5BA3905721CD453899604140A3DE5E5080693E7CCD61360E5E168290498EE86EFABD5D2B56D9F5676173E6164D5F195EE3321DEE003568C25FE5B5470B3EE5C699F1280B1397C90E411A86E62F165F1ED74987C571A3BB1CCB909B69210A38DBE1D3826F0153F1DEFD7454C0F218853480C636D428FA42FE688FB93E34CEAABD70AC66DCF329C0FE4503738EFD24E920524D8040F493ADC6A4E21F017231B787942B68C825879025019D4F6EC9919EFC73504D764D16E4F808FECBFDF6F5456247DB8904F9B77BA0C32CB4403AE1)
|
|
)
|
|
GO
|
|
|
|
|
|
CREATE COLUMN MASTER KEY [CMK-win-noenclave]
|
|
WITH
|
|
(
|
|
KEY_STORE_PROVIDER_NAME = N'MSSQL_CERTIFICATE_STORE',
|
|
KEY_PATH = N'CurrentUser/My/FADD52207E002EDDEE832B12E281EA280F2EFBCB'
|
|
)
|
|
GO
|
|
|
|
|
|
/* Now we can create the Column Encryption Keys */
|
|
/* ENCRYPTED_VALUE is generated by SSMS and it is always the same if the same Certificate is imported */
|
|
CREATE COLUMN ENCRYPTION KEY [AEColumnKey]
|
|
WITH VALUES
|
|
(
|
|
COLUMN_MASTER_KEY = [AEMasterKey],
|
|
ALGORITHM = 'RSA_OAEP',
|
|
ENCRYPTED_VALUE = 0x016E000001630075007200720065006E00740075007300650072002F006D0079002F00320033003700660039003400370033003800650037006600350032003100340064003800350038003800300030003600630032003200360039006400620063003600620033003700300038003100360039DE2397A08F6313E7820D75382D8469BE1C8F3CD47E3240A5A6D6F82D322F6EB1B103C9C47999A69FFB164D37E7891F60FFDB04ADEADEB990BE88AE488CAFB8774442DF909D2EF8BB5961A5C11B85BA7903E0E453B27B49CE0A30D14FF4F412B5737850A4C564B44C744E690E78FAECF007F9005E3E0FB4F8D6C13B016A6393B84BB3F83FEED397C4E003FF8C5BBDDC1F6156349A8B40EDC26398C9A03920DD81B9197BC83A7378F79ECB430A04B4CFDF3878B0219BB629F5B5BF3C2359A7498AD9A6F5D63EF15E060CDB10A65E6BF059C7A32237F0D9E00C8AC632CCDD68230774477D4F2E411A0E4D9B351E8BAA87793E64456370D91D4420B5FD9A252F6D9178AE3DD02E1ED57B7F7008114272419F505CBCEB109715A6C4331DEEB73653990A7140D7F83089B445C59E4858809D139658DC8B2781CB27A749F1CE349DC43238E1FBEAE0155BF2DBFEF6AFD9FD2BD1D14CEF9AC125523FD1120488F24416679A6041184A2719B0FC32B6C393FF64D353A3FA9BC4FA23DFDD999B0771A547B561D72B92A0B2BB8B266BC25191F2A0E2F8D93648F8750308DCD79BE55A2F8D5FBE9285265BEA66173CD5F5F21C22CC933AE2147F46D22BFF329F6A712B3D19A6488DDEB6FDAA5B136B29ADB0BA6B6D1FD6FBA5D6A14F76491CB000FEE4769D5B268A3BF50EA3FBA713040944558EDE99D38A5828E07B05236A4475DA27915E
|
|
)
|
|
GO
|
|
|
|
/* There are two enclave enabled keys and two non-enclave enabled keys to test the case where a user
|
|
tries to reencrypt a table from one enclave enabled key to another enclave enabled key, or from a
|
|
non-enclave key to another non-enclave key */
|
|
CREATE COLUMN ENCRYPTION KEY [CEK-win-enclave]
|
|
WITH VALUES
|
|
(
|
|
COLUMN_MASTER_KEY = [CMK-win-enclave],
|
|
ALGORITHM = 'RSA_OAEP',
|
|
ENCRYPTED_VALUE = 0x016E000001630075007200720065006E00740075007300650072002F006D0079002F0066006100640064003500320032003000370065003000300032006500640064006500650038003300320062003100320065003200380031006500610032003800300066003200650066006200630062000D9BC8E2315C6D3F7BCB6D7578C2072E9482635E9E16B9AF3875846A6C4328541BEE6520BF99D012B34455102D8E23965B991AA0CE03A7E624FEFF87E0C082685960C81C9703DDD35089A2D86952120ABD82CEAA40B6071C3C8E36B597B6B09E44630ECE41F24A4DE26F0C583C5FF077898682106D64D710F4967B6E0705D5C5F436D1AF234BFD93F0F9104D88F2577B07C250003EB85F1D6AAE661AF70D72D80CDDA68B189B5718C34F00A5AFC47D59AFBB025F5FE3822BEC8D40C2D2EADCEAD3AB5C534E6B683B19B6F08E555396CDDD71AE0571939CB54BAFD6ED31DA6316EBF5F8330574EB9168D6E326D6DC003A1F65223C16DAD4C9CFD852E3016C04B9CBB9C7BFCFC9417441721C73E81B5C46252C5759CC835637335E2A1B70BEAD0DFF49561190D6B54E3B8AD669E64D4295294CD0A2BD4279395215CD0932F2951EE2748E697D5DDFBF45D4681B20728C0D0A1CE137F9C531EBFC84994CE071B54464A5BDF6AFC038C7D65A1E1D4B392216556B267CFBAAA86A9DD8BB70D0A727EE2B2242BC2C6B29DD09FAECEE6349AE67734C8E56B04A84D51EB74F5278205438EAADBBD59D4FD7F8FC7456EB59101841B7AE8D1851EF481FA37D3255E24BDB1305D380A6044595CE23D07D8F2A07B8862E77C5D4EAEC66886B297B4B4B26670629CC524031C50E9990054A9144975D6C88CBAD7FE41D0367B965FFBEF322BE6A
|
|
)
|
|
GO
|
|
|
|
|
|
CREATE COLUMN ENCRYPTION KEY [CEK-win-enclave2]
|
|
WITH VALUES
|
|
(
|
|
COLUMN_MASTER_KEY = [CMK-win-enclave],
|
|
ALGORITHM = 'RSA_OAEP',
|
|
ENCRYPTED_VALUE = 0x016E000001630075007200720065006E00740075007300650072002F006D0079002F0066006100640064003500320032003000370065003000300032006500640064006500650038003300320062003100320065003200380031006500610032003800300066003200650066006200630062007F99C7C6F2E645A99AF68A4233CF78024AD556E6BD32776F51D163D091A4F3E9350FB8A524E6201588A4BEB95418A95F5E7D62B1AC9C71CCD75E88FE1838BA0C3DC60DCA01171CFDBFAB77567BB63D5BE5387C796F95559EE2C0A78C94456C8A584B5391C05CA145715D0024B2D0DD3D1C9E44D924466978A180AFA3EB6CF64DB44B022CF5033BAAB4A7DF3D67A8ED9EFB979C18D6EAC8B9B415491BF6F7F86E2844D0DCC5484D24830D2BD8DAB7B7B98F0F3DF47980131CC1BCFE7A8D76559BA9E8833B4779A08BFB65F45EDB6B3922A466BD3D2643C235CB0EB80B94B125E7C14711403D58F3D2F80336F65C8782F0C6F3D4494D40F99D770560673466D9362EC476D9F917F37C28C8ED15AF05C8F10B70D33D2A2646DA206873D34A6D89482C65D3793274EC2981A96BF927C22717078DFCFD6EAFDCCC0E274386A11101739B7DDEE8085BCD8381866696160969C5CCBE11520766FAC6EA187D51FC6ED8B7EA73D65BE8B25A124DD69000F4691BD63CAEAC33C71C12A5796DFC15E0BDBDB889E65AA8EBC9D5C11A9DF58A3BF36A9AE5DAEA8FB92AA68500FAC69FC85FEF8AFE0AD5CDF9C4C6D5915532620BEE1A5F77F2A574C374704C60096D4252405971C40A82AEF54F56AF924C7CC18395A22838D07014AF5585DA7EE248AAAB4C4FDA6BC187515C5D1DA0FC3BB05ABC9F98EE32575B17FEA7F2C0ED256D9FD1A68F0C
|
|
)
|
|
GO
|
|
|
|
|
|
CREATE COLUMN ENCRYPTION KEY [CEK-win-noenclave]
|
|
WITH VALUES
|
|
(
|
|
COLUMN_MASTER_KEY = [CMK-win-noenclave],
|
|
ALGORITHM = 'RSA_OAEP',
|
|
ENCRYPTED_VALUE = 0x016E000001630075007200720065006E00740075007300650072002F006D0079002F00660061006400640035003200320030003700650030003000320065006400640065006500380033003200620031003200650032003800310065006100320038003000660032006500660062006300620019FA28795E9865B2FFE247F6405EA11CAE7FA8374FBF69B2C9BC6D4296D4EF2710D491CE9C00B29B837C9B2D70B1466E12E3448D27F473153E1CED638B1BBA980B3E14E173BD53C8A29DFA7EAC21F5F7E4E9DEFFD0023205593F13EE0DDEFA3E7772729E50C227668EE383A58A037766824E05EE608D47E9818893A8770427F847B97FBDC97AFEFBC1495C894538B7604E192332AAA4C19E1CD253AACA972989B46480681411AE8773E834254F618FD5AB5BBB961C7774A1A85332AD028056DADAA9785E092E9DB50A7D6CEB305CD1C3740265BDB55633D9FA0005A0DE3CABF65797B01F7B3CA9DA6B34C958565166D2B3C771233BB376A2F0E0D1BBC508DA117AA0F3EB25925C9C4B26A2FDD3F13792807067F088E9AAB442368D15B13E1138C715958505DD16F388A0476C29F6B04E8789CC396B54C95ED05F8F093A14B800DB7CB04F14732B96A06A7DB4FA81791FC0D5BA45562DA56B90E9A77A72588FAB71ED85F0358CAB2A45F4FBAFF031F44A6993F34B52CF119828989BCA2A802AABE5C3B5D6215F0BDB9F557AB13F2B61C6116D2F721E86D6BF0E100720EC6903417F0A00E57801DDE5B488829CB7DE0203D7CEE7689C7416796A5F3A33765D9F30904C180972E27A4DDAD67BF197DC9A8D4C7D53AF64FA306E012FD014CFF8923DB6E5B164E626D5B0282CEF968C3C00926BAD3928EE33B3414B79A758973B946B
|
|
)
|
|
GO
|
|
|
|
|
|
CREATE COLUMN ENCRYPTION KEY [CEK-win-noenclave2]
|
|
WITH VALUES
|
|
(
|
|
COLUMN_MASTER_KEY = [CMK-win-noenclave],
|
|
ALGORITHM = 'RSA_OAEP',
|
|
ENCRYPTED_VALUE = 0x016E000001630075007200720065006E00740075007300650072002F006D0079002F006600610064006400350032003200300037006500300030003200650064006400650065003800330032006200310032006500320038003100650061003200380030006600320065006600620063006200A422FBB5D90C0158A6F93B8BB8430C50B75FC7495D93B9A725D6BA845A21C7B59EA5D5232ED15016B410BA30520D03ACDF712085F1210196A909EFED0EC9E3DEA0C094CC0E01D7DDFD62387573372D277D2A3B0C3CA52C1D703B0EA4A6AE879D306BB1D065392C6431FA36B7AF71F69481CF5DEB38BDC48694A10C737F35C857F240AD12BF13E3A59ED86531C6DB5BC24CA5F0E84EF131D7306B0E510DE59DBCA64EE48A33745B228346240CA929430409A199C1CAB8B09968E69841004989452AC03932FCB5873C9E13F2663FD28084DC606DB936D0C78845428C9A2A9268C22F9ABD4F3D90D75BA9DE89B9C50FB24969BF184D2ADE0DCBD0E7829B7068C4C01E1A864ECFBBA4FC1394751B132C3E8E5A18637F727963730CEAE5FB9B775D544BA2CB43750C706A8A17CBABF8520C78189B093FF01940B24F3AF02B0BA15BD0A6F193EB2CE8503DDDCFD1FAD3763A5A6CA008470AAAF563E06BF86B995A86DF378E9EC0D4212331C51891BB1B0FCE2781DD2918A3B48D220800BAAB3CA52F6CD733AD54FF3D81AD4AC713F72A704BD5036561DBD43C6C9CDACB99C68F34796CFD3D2E41F6649147EF1AECC9153F7BABAD3D3FCCC5E5B921A4C25443CA0D8EAB9D7C09F8779B6EDAA6095E5492878316769AC4B0D77244DF4E88D5849D95990DD349887DF64DFC0C9BDB4AD2D74D6E75F5D2FEF37AF1FFA404F156DB66E9770F
|
|
)
|
|
GO
|
|
|