A Basic Encryption Primer for SQL Server

Another post for me that is simple and hopefully serves as an example for people trying to get blogging as #SQLNewBloggers.

Encryption is a function call in SQL Server, where we pass in the text to encrypt and a key. That’s really what we are doing with encryption. I pass a key and data into a function and get either encrypted or decrypted data. Here’s a short example:

Basic Encryption Demo

Let’s say I have a simple message, like “Let’s meet at Kunjani Coffee at 8am.”. I want to protect this message.

     @data VARCHAR(500) = 'Let''s meet at Kunjani Coffee at 8am.'
   , @encrypteddata VARBINARY(500);
SELECT 'Plain Data', @data
     'Encrypted Data'
   , ENCRYPTBYPASSPHRASE ('mysecretk#y', @data) AS EncryptedData
     'Decrypted Data'
   , CAST(DECRYPTBYPASSPHRASE ('mysecretk#y', ENCRYPTBYPASSPHRASE ('mysecretk#y', @data)) AS VARCHAR(100)) AS DecryptedData
     'Almost Decrypted Data'
   , DECRYPTBYPASSPHRASE ('mysecretk#y', ENCRYPTBYPASSPHRASE ('mysecretk#y', @data)) AS AlmostDecryptedData;

In this code, I’m using EncryptByPassPhrase and DecryptByPassPhrase to encrypt data. I pass in a key, which is my passphrase. That is “mysecretk#y” i this case. I then pass in the data and get the result returned. You can see the four results below:

2021-05-17 12_31_35-SQLQuery1.sql - ARISTOTLE.sandbox (ARISTOTLE_Steve (59))_ - Microsoft SQL Server

This is a quick example of the functions working together. I use one to hide the data, and another to reveal it.

The Encryption Hierarchy

Encryption is expensive in terms of resources (time, CPU, etc.), which means we want to minimize it. Part of what we do is try to minimize the work done while maximizing protection.

We can double encrypt things, meaning I could take the result of the second query, and use that “encrypted data” string and use that in another encryption function and provide even more protection. The encryption of each string, however, is time and CPU intensive.

Rather than encrypt the data again, we often just encrypt the keys. One key encrypts another and then the resource cost of decrypting a key is much lower than decrypting the data over and over. If you look at the encryption hierarchy on MS Docs, you’ll see that keys are stacked on each other, each one protecting the layer below. Typically we are only encrypting the actual data with a password or a symmetric key, which are essentially the same thing and the quickest way to perform the encryption and decryption.

Let’s lightly look at the parts of this hierarchy.

Asymmetric Keys

The stronger keys are the asymmetric ones. They are called this because the key used for encryption is different than the key used for decryption. Typically these are paired together, and you can give someone 1 key, so they can only perform one operation.

Certificates are asymmetric keys, with other metadata, and have the two keys as the public and private keys. This is how we do a lot of encryption across distances where we need to exchange data on insecure channels, like the Internet.

These are computationally intensive, meaning lots of CPU and time, so we don’t usually want to use these to encrypt lots of data. Instead, we use these to encrypt or symmetric keys.

Note: The strangeness in the SQL hierarchy is that the SMK and DMK are symmetric keys.

Symmetric Keys

The Symmetric keys are used for both encryption and decryption of the data. This doesn’t mean any key works, but the key used to specifically encrypt a set of data is the key used to decrypt it. This means we need to send the key to all parties that do encryption and decryption.

These do require lots of CPU, but much less than asymmetric keys. Typically we use these to actually encrypt the data.

Hash Functions

This isn’t really encryption, but some hash functions are used for things like passwords, where we can have one-way encryption. These are often used to transform the data into a hash, or representation, and then we can compare the hash together.

Using Encryption in Practice

Each of these ideas is just a function call, and that is how we’ve implemented encryption in SQL Server. Whether you use TDE, Always Encrypted (AE), column level encryption, or anything else, you are making function calls in some way.

For TDE and AE, SQL Server handles much of this work for you. It gets keys, does the function call. For the code above, or any of the ENCRYPT/DECRYPT functions, you are writing code and using those in your work.

However, keep in mind that key management is the key to protecting things. This means how you protect them, where they are, how you copy them to other places, and change them over time.


Encryption is just a series of function calls. We have different types of functions and different parameters, but that’s really the core of what is happening.

We can use these functions with the outputs of one as the inputs of another, or more often, the keys used as inputs instead of text, allowing us to encrypt and protect the keys themselves.

There is a lot more to learn, but this gives a basic look at encryption in SQL Server.

About way0utwest

Editor, SQLServerCentral
This entry was posted in Blog and tagged , , , . Bookmark the permalink.

3 Responses to A Basic Encryption Primer for SQL Server

  1. But I have many questions now:
    1) What is the algorithm behind the encryption?
    2) Can I choose what algorithm?
    3) Can I choose the key lengths: 128, 192 and 256 bits?


  2. way0utwest says:

    There are links to docs in the post. I didn’t cover everything, but you can choose from a list of algorithms.


  3. Pingback: Creating a Symmetric Key–#SQLNewBlogger | Voice of the DBA

Comments are closed.