Symmetric keys (other than the database master key) must use a DoD certificate to encrypt the key.

An XCCDF Rule

Description

Data within the database is protected by use of encryption. The symmetric keys are critical for this process. If the symmetric keys were to be compromised, the data could be disclosed to unauthorized personnel. The database master key is exempt, as a password must be supplied when creating it.

Documentable
false

ID
SV-81875r2_rule
Severity
Medium

Remediation - Manual Procedure

Configure or alter symmetric keys to encrypt keys with certificates or authorized asymmetric keys.
In a query tool:
     ALTER SYMMETRIC KEY <key name> ADD ENCRYPTION BY CERTIFICATE <certificate name>;
     ALTER SYMMETRIC KEY <key name> DROP ENCRYPTION BY <password, symmetric key or asymmetric key>;

The symmetric key must specify a certificate or asymmetric key for encryption.
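
A way to audit for this rule and apply the fix in a safe order, shown as an added example that is not part of the STIG text. It assumes the SQL Server catalog views sys.symmetric_keys, sys.key_encryptions and sys.certificates; ExampleKey, ExampleDoDCert and the password strings are placeholders.

```sql
-- Added example, not STIG text. Run in each database that holds symmetric keys.
-- Lists how every symmetric key (except the exempt database master key) is
-- protected, with the issuer of any protecting certificate for manual review.
SELECT  sk.name             AS symmetric_key,
        ke.crypt_type_desc  AS protected_by,
        c.name              AS certificate_name,
        c.issuer_name       AS certificate_issuer,
        c.expiry_date       AS certificate_expires,
        CASE ke.crypt_type
            WHEN 'EPUC' THEN 'Review: confirm the issuer is a DoD CA'
            WHEN 'EPUA' THEN 'Review: confirm the asymmetric key is authorized'
            ELSE 'Finding: protected by a password or another symmetric key'
        END                 AS assessment
FROM    sys.symmetric_keys  AS sk
JOIN    sys.key_encryptions AS ke
        ON ke.key_id = sk.symmetric_key_id
LEFT JOIN sys.certificates  AS c
        ON ke.crypt_type = 'EPUC'           -- thumbprint is a cert hash only here
       AND c.thumbprint  = ke.thumbprint
WHERE   sk.name <> N'##MS_DatabaseMasterKey##'   -- exempt per the rule
ORDER BY sk.name, ke.crypt_type;

-- Remediation for one flagged key (placeholder names and secrets).
-- The key has to be open to change its protection, and it can never be left
-- with no encryption, so add the certificate before dropping the old method.
OPEN SYMMETRIC KEY [ExampleKey]
    DECRYPTION BY PASSWORD = '<current password>';

ALTER SYMMETRIC KEY [ExampleKey]
    ADD ENCRYPTION BY CERTIFICATE [ExampleDoDCert];

ALTER SYMMETRIC KEY [ExampleKey]
    DROP ENCRYPTION BY PASSWORD = '<current password>';

CLOSE SYMMETRIC KEY [ExampleKey];
```

A key that returns more than one row has more than one protection method; every row other than the approved certificate needs its own DROP ENCRYPTION statement before the key passes.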