UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Symmetric keys (other than the database master key) must use a DoD certificate to encrypt the key.


Overview

Finding ID Version Rule ID IA Controls Severity
V-67385 SQL4-00-024300 SV-81875r2_rule Medium
Description
Data within the database is protected by use of encryption. The symmetric keys are critical for this process. If the symmetric keys were to be compromised the data could be disclosed to unauthorized personnel. The database master key is exempt, as a password must be supplied when creating it.
STIG Date
MS SQL Server 2014 Database Security Technical Implementation Guide 2016-11-16

Details

Check Text ( C-67963r2_chk )
In a query tool:
USE ;
GO
SELECT s.name, k.crypt_type_desc
FROM sys.symmetric_keys s, sys.key_encryptions k
WHERE s.symmetric_key_id = k.key_id
AND s.name <> '##MS_DatabaseMasterKey##'
AND k.crypt_type IN ('ESKP', 'ESKS')
ORDER BY s.name, k.crypt_type_desc;
GO

Review any symmetric keys that have been defined against the System Security Plan.

If any keys are defined that are not documented in the System Security Plan, this is a finding.

Review the System Security Plan to review the encryption mechanism specified for each symmetric key. If the method does not indicate use of certificates, this is a finding.

If the certificate specified is not a DoD PKI certificate, this is a finding.
Fix Text (F-73497r2_fix)
Configure or alter symmetric keys to encrypt keys with certificates or authorized asymmetric keys.
In a query tool:
ALTER SYMMETRIC KEY ADD ENCRYPTION BY CERTIFICATE ;
ALTER SYMMETRIC KEY DROP ENCRYPTION BY ;

The symmetric key must specify a certificate or asymmetric key for encryption.