Home/ Questions/Q 7058575
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-28T04:07:44+00:00

I would like to encrypt strings of 1500-2500 characters using an Asymmetric Key. It

  • 0

I would like to encrypt strings of 1500-2500 characters using an Asymmetric Key. It seems that RSA_2048 will only encrypt up to 245 characters.

On the MSDN Article about EncryptByAsymKey() is recommends “that you not encrypt large datasets using an asymmetric key. Instead, you should encrypt the data using a strong symmetric key and encrypt the symmetric key using an asymmetric key.”

Is there a way to do this without needing the Asymmetric Key password? or Am I going at this the wrong way?

Declare @plain varchar(max), @cipher varbinary(max);
Set @plain = 'Greg';

CREATE ASYMMETRIC KEY akey WITH ALGORITHM = RSA_2048 ENCRYPTION BY PASSWORD = '123pass!';

CREATE SYMMETRIC KEY skey WITH ALGORITHM = AES_256 ENCRYPTION BY ASYMMETRIC KEY akey;

OPEN SYMMETRIC KEY skey DECRYPTION BY ASYMMETRIC KEY akey WITH PASSWORD = '123pass!';

Set @cipher = ENCRYPTBYKEY(KEY_GUID('skey'), @plain);

... write @cipher to db ...

EDIT: I still need to be able to decrypt the data from another application. I want the public facing application on our web server to encrypt customer order information and write it to a database. Then only be able to decrypt it using another application running on a server physically located in the office.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I’ll try and explain what you need to do to perform this, and leave the technical implementation for now:

    You would normally create a persistent (or semi persistent – keep it for a year or so) key pair once in the back end. The private key should already be in a safe spot at that time. Then you import the public key in the front end once.

    Once you receive the data you need to create session keys (e.g. random AES-128 keys) to encrypt the data with, encrypt the session with the imported public key. Encrypt the data with the session key and try to wipe the key from memory (try to keep it out of the swap, or protect the swap file). Store the encrypted data and wipe it from memory as well as you can. Now store the session key, encrypted with the public key together with the data.

    Once you need the data, then you need to retrieve the private key, decrypt the session key and subsequently decrypt the data. If you are only interested in keeping the data confidential, then you just need to encrypt it, e.g. using AES CBC.

    If you ‘push’ the data to be decrypted by the session key, or if you also want to verify the integrity of the data, you need also to add integrity protection (e.g. another session key to perform a MAC or HMAC with).

    The private key needs to be kept safe in the backend, possibly using a password, smartcard, HSM, offline USB stick, or even stringent access control, depending on your needs.

    • 0