So, given MS SQL 2008R2 or better:
I want to not only store data in a table but be able for my application to automatically verify it was not modified.
Solution seems to be to use SignByCert to make a digital signature of every cell and insert each result into a matching table full of signatures so I can call VerifySignedByCert later when I query it to see if someone changed the plaintext data.
https://learn.microsoft.com/en-us/sql/t-sql/functions/signbycert-transact-sql https://learn.microsoft.com/en-us/sql/t-sql/functions/verifysignedbycert-transact-sql
My question is, signbycert wants an optional password to decrypt the private key it is signing with. I don't want to store private key passpharses in my stored procedures that call SignByCert. It doesn't seem to make sense to just leave the passphrases in the clear.
Alternatively, is there a secure (good) way to reference the passphrase or is there a safe way to store or NOT encrypt the private key in MS SQL so MS SQL hides the passphrase and knows it internally so I don't have to put it in the SQL statement?
