What does a deterministic symmetric key mean?
06-02-2021
Question
In a sqlservercentral blog I encountered this phrase:
Symmetric keys are deterministic when created, meaning that the same parameters run in different databases will result in the same key. That means that the same key in a different database (or instance) can decrypt data that was encrypted in your production instance. Keep control of the parameters used to create symmetric keys and secure them. That means watch out for storage of these items in source control, in installation files, upgrade scripts, etc.
I can't understand what it tries to say. Symmetric keys are protected by DMKs, so how can they be the same on different instances?
Thanks.
Solution
It's saying that it is possible to have different servers with the same symmetric key values generated. This may or may not be desirable per the business. For example, you can create your own symmetric keys that match.
The DMK just protects the symmetric key by encrypting it, however once decrypted the actual key portion could be the same. This can be desirable as symmetric keys have no backup/restore mechanism on their own.
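An added T-SQL illustration of what the answer describes, not code from the original question or answer: when CREATE SYMMETRIC KEY is given the optional KEY_SOURCE and IDENTITY_VALUE phrases, the key bytes and the key GUID are derived from those phrases rather than generated at random, so a second database with the same phrases (and a completely unrelated protector) can decrypt ciphertext from the first. Database names, passphrases and the sample plaintext are constructed placeholders.

```sql
-- Added example; DatabaseA/DatabaseB, all phrases and passwords are placeholders.

-- Database A (stand-in for production): derive the key from fixed parameters.
USE DatabaseA;
CREATE SYMMETRIC KEY SK_Orders
    WITH ALGORITHM = AES_256,
         KEY_SOURCE = 'placeholder-key-source-passphrase',  -- key bytes come from this
         IDENTITY_VALUE = 'placeholder-identity-phrase'     -- key GUID comes from this
    ENCRYPTION BY PASSWORD = 'Placeholder#Pa55word';        -- wrapper only (could be DMK/cert)

OPEN SYMMETRIC KEY SK_Orders DECRYPTION BY PASSWORD = 'Placeholder#Pa55word';
DECLARE @guid_a UNIQUEIDENTIFIER = Key_GUID('SK_Orders');
DECLARE @cipher VARBINARY(8000) =
    EncryptByKey(Key_GUID('SK_Orders'), N'sample-plaintext-placeholder');
CLOSE SYMMETRIC KEY SK_Orders;

-- Database B (another database or instance): same two phrases, different wrapper.
USE DatabaseB;
CREATE SYMMETRIC KEY SK_Orders
    WITH ALGORITHM = AES_256,
         KEY_SOURCE = 'placeholder-key-source-passphrase',  -- identical parameters ...
         IDENTITY_VALUE = 'placeholder-identity-phrase'
    ENCRYPTION BY PASSWORD = 'Unrelated#Wrapper1';          -- ... unrelated protector

OPEN SYMMETRIC KEY SK_Orders DECRYPTION BY PASSWORD = 'Unrelated#Wrapper1';
SELECT
    CASE WHEN Key_GUID('SK_Orders') = @guid_a
         THEN 'same key GUID' ELSE 'different key GUID' END AS guid_check,
    -- DecryptByKey locates the open key by the GUID stored in the ciphertext,
    -- so matching IDENTITY_VALUE is what lets B find and use the matching key.
    CAST(DecryptByKey(@cipher) AS NVARCHAR(100)) AS recovered_plaintext;
CLOSE SYMMETRIC KEY SK_Orders;

-- Without KEY_SOURCE/IDENTITY_VALUE each CREATE yields a random key and the
-- SELECT in DatabaseB returns NULL; with them, the two phrases are the real
-- secret, so they must not live in scripts, installers or source control.
```

Treat KEY_SOURCE and IDENTITY_VALUE with the same handling as the plaintext key itself; the DMK, certificate or password only wraps the stored copy and does nothing to stop re-derivation elsewhere.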