I'm looking for a sane way to use SQL Server to store, manage, and retrieve SFTP credentials, including passwords.

Right now, we have a table for SFTP credentials. We use a stored procedure to manage INSERTing to the table. The password column is a VARBINARY. We use EncryptByKey to encrypt the password, using a symmetric key that's on the server. We use a stored procedure to retrieve the information, with EncryptByKey to decrypt the password.

This seems like an exercise in futility to me, because anyone with access to the server could just decrypt the password with the key. It's better than storing the data as plain text, but only just.

What's the best way to manage this? I need to be able to use SQL to retrieve and decrypt the password.

eckza
  • possible duplicate of [storing passwords in SQL Server](http://stackoverflow.com/questions/876342/storing-passwords-in-sql-server) – runDOSrun Feb 12 '15 at 19:50
  • Not a duplicate. I don't want to store hashes for user authentication; I want to securely store the passwords themselves, then decrypt the passwords at runtime and feed them to an application. – eckza Feb 16 '15 at 15:41
  • Storing salted hashes is the secure way to store passwords though. – runDOSrun Feb 17 '15 at 09:01
  • For authentication, sure. But hashing is a one-way operation. I need to retrieve the actual passwords - at runtime - and feed them to an application. I'm not checking to see if $user put in the right password; I'm pulling the password from a database and dumping it into an ETL tool and using it to authenticate to a SFTP endpoint. The answer you linked to details information for using passwords in the context of authentication. That is not what I need. – eckza Feb 18 '15 at 19:04
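
The setup the question describes (a credentials table with a VARBINARY password column, a symmetric key held on the server, and stored procedures for insert and retrieval), as an added T-SQL example that is not part of the original post. All object names, the sample values and the certificate-protected key hierarchy are assumptions; the retrieval side uses DECRYPTBYKEY, the decrypting counterpart of ENCRYPTBYKEY.

```sql
-- Added illustration: every object name and value below is hypothetical/constructed.
-- GO is the batch separator used by SSMS and sqlcmd.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-strong-password>';
CREATE CERTIFICATE SftpCredCert WITH SUBJECT = 'Protects SftpCredKey';
CREATE SYMMETRIC KEY SftpCredKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE SftpCredCert;
GO

CREATE TABLE dbo.SftpCredential (
    CredentialId INT IDENTITY(1,1) PRIMARY KEY,
    HostName     NVARCHAR(255)  NOT NULL,
    UserName     NVARCHAR(128)  NOT NULL,
    PasswordEnc  VARBINARY(512) NOT NULL  -- ciphertext only, never plaintext
);
GO

CREATE PROCEDURE dbo.SftpCredential_Insert
    @HostName NVARCHAR(255), @UserName NVARCHAR(128), @Password NVARCHAR(128)
AS
BEGIN
    SET NOCOUNT ON;
    -- OPEN succeeds only for principals with rights on the key and CONTROL on the certificate.
    OPEN SYMMETRIC KEY SftpCredKey DECRYPTION BY CERTIFICATE SftpCredCert;
    INSERT dbo.SftpCredential (HostName, UserName, PasswordEnc)
    VALUES (@HostName, @UserName,
            ENCRYPTBYKEY(KEY_GUID('SftpCredKey'), @Password));
    CLOSE SYMMETRIC KEY SftpCredKey;
END;
GO

CREATE PROCEDURE dbo.SftpCredential_Get @CredentialId INT
AS
BEGIN
    SET NOCOUNT ON;
    OPEN SYMMETRIC KEY SftpCredKey DECRYPTION BY CERTIFICATE SftpCredCert;
    -- DECRYPTBYKEY returns NULL when the key is not open in this session.
    SELECT HostName, UserName,
           CONVERT(NVARCHAR(128), DECRYPTBYKEY(PasswordEnc)) AS Password
    FROM dbo.SftpCredential
    WHERE CredentialId = @CredentialId;
    CLOSE SYMMETRIC KEY SftpCredKey;
END;
GO

EXEC dbo.SftpCredential_Insert @HostName = N'sftp.example.com', @UserName = N'etl_user', @Password = N'constructed-sample-password';
EXEC dbo.SftpCredential_Get @CredentialId = 1;
```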

0 Answers