2

In Books Online I've read that both asymmetric keys and certificates use the idea of asymmetric encryption. For the asymmetric key it's clear, but do the certificates created in SQL Server, or let's say via Always Encrypted, use the idea of asymmetric encryption? So internally they have public and private keys stored in the same place? Does it mean that when we create a symmetric key and encrypt it by a certificate it actually means encrypting a key with an asymmetric encryption?

Thanks

asked Jul 22, 2019 at 12:21

1 Answer

2

In Books Online I've read that both asymmetric key and certificates use the idea of asymmetric encryption.

They both are asymmetric keys, certificates just have extra metadata and can have other functions run on them such as validation and revocation.

[...] do the certificates created in SQL Server or let's say via Always Encrypted, use the idea of asymmetric encryption?

Yes, see above.

So internally they have public and private keys stored in the same place?

Yes, although you can change that by removing the private key from asymmetric keys and certificates. Additionally, the keys do not have to be stored in the physical database; you can use an HSM.

Does it mean that when we create a symmetric key and encrypt it by a certificate it actually means encrypting a key with an asymmetric encryption?

No, it means that the symmetric key is protected by the asymmetric key. This means the asymmetric key must first be successfully decrypted, the private key must be available, and the symmetric key can then be decrypted using the private key if it exists. Once the symmetric key is decrypted it can be used in operations. If the asymmetric key cannot be decrypted, you will get an error and be unable to use the symmetric key as it'll still be encrypted. The data itself is protected by the symmetric key.

answered Jul 22, 2019 at 12:57
1
  • Hi Sean. I think the last part should be a "yes". The question is about if the symmetric key itself is encrypted using the asymmetric key, not the data being protected by the symmetric key. At least, that's how I read "it actually means encrypting a key with an asymmetric encryption". Commented Jul 23, 2019 at 12:44
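
The key hierarchy discussed in this thread can be inspected directly on a test instance. The following T-SQL is an added example, not code from the question or the answer; the database name, object names, password and sample value are constructed placeholders.

```sql
-- Added example: all names and the password below are constructed placeholders.
CREATE DATABASE KeyHierarchyDemo;
GO
USE KeyHierarchyDemo;
GO
-- The database master key protects the certificate's private key at rest.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Constructed-Placeholder-Passw0rd!';
-- A certificate is an asymmetric key pair plus metadata (subject, expiry date).
CREATE CERTIFICATE DemoCert WITH SUBJECT = 'Demo key-protection certificate';
-- The symmetric key is stored in the database encrypted by the certificate.
CREATE SYMMETRIC KEY DemoSymKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE DemoCert;
GO
-- How the certificate's private key is stored (NO_PRIVATE_KEY if it was removed).
SELECT name, pvt_key_encryption_type_desc
FROM sys.certificates
WHERE name = 'DemoCert';
-- Which mechanism protects the symmetric key.
SELECT sk.name, ke.crypt_type_desc
FROM sys.symmetric_keys AS sk
JOIN sys.key_encryptions AS ke ON ke.key_id = sk.symmetric_key_id
WHERE sk.name = 'DemoSymKey';
GO
-- Opening the symmetric key needs the certificate's private key;
-- the data itself is then encrypted and decrypted with the symmetric key.
OPEN SYMMETRIC KEY DemoSymKey DECRYPTION BY CERTIFICATE DemoCert;
DECLARE @cipher varbinary(8000) =
    ENCRYPTBYKEY(KEY_GUID('DemoSymKey'), N'constructed sample value');
SELECT CONVERT(nvarchar(100), DECRYPTBYKEY(@cipher)) AS round_trip;
CLOSE SYMMETRIC KEY DemoSymKey;
GO
-- With the private key removed, the symmetric key can no longer be opened
-- through this certificate and stays encrypted.
ALTER CERTIFICATE DemoCert REMOVE PRIVATE KEY;
BEGIN TRY
    OPEN SYMMETRIC KEY DemoSymKey DECRYPTION BY CERTIFICATE DemoCert;
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS error_number, ERROR_MESSAGE() AS error_message;
END CATCH;
GO
-- Clean up the demo database.
USE master;
DROP DATABASE KeyHierarchyDemo;
```

Run this only on a disposable instance: removing the private key is irreversible unless the certificate was backed up with its private key beforehand.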
