0

When a symmetric key is created we have the option to encrypt it by using at least one of the following: certificate, password, symmetric key, asymmetric key or EKM.

When a password is used, it is said that:

When a symmetric key is encrypted with a password instead of a certificate (or another key), the TRIPLE DES encryption algorithm is used to encrypt the password. Because of this, keys that are created with a strong encryption algorithm, such as AES, are themselves secured by a weaker algorithm.

So, using a password is not the best way to protect it. I was not able to find any pros and cons for using the other techniques.

Can anyone tell me whether there is a difference from a security or performance standpoint, or whether it is just a matter of choice?

gotqn
  • 4,348
  • 11
  • 52
  • 91

1 Answer

1

As you show in your question, the Microsoft Docs say:

When a symmetric key is encrypted with a password instead of a certificate (or another key), the TRIPLE DES encryption algorithm is used to encrypt the password. Because of this, keys that are created with a strong encryption algorithm, such as AES, are themselves secured by a weaker algorithm.

This is a simple warning that a key protected by a password is weaker than the same key protected by a certificate.

So, in order to compromise the symmetric key, you need to know the password. An attacker might obtain the password by cracking the 3-DES encryption; they would then have access to the symmetric key, and by extension everything that is protected by that key.

The take-away is, don't use a password to protect a key if the data protected by the key is valuable. Use a certificate to encrypt the symmetric key.

Hannah Vernon
  • 70,928
  • 22
  • 177
  • 323
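As an added example (not part of the question or the answer above), here are the two CREATE SYMMETRIC KEY forms the answer contrasts, written in T-SQL, followed by an audit query that lists how each symmetric key in the current database is protected. Object names, passwords and the sample value are placeholders chosen for this example.

```sql
-- A database master key is needed before a certificate can be created
-- without its own password. The password here is a placeholder.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<StrongDmkPassword-placeholder>';
GO

-- Weak pattern the docs warn about: an AES-256 key whose key material is
-- wrapped by a password, and that wrapping uses TRIPLE DES.
CREATE SYMMETRIC KEY SK_PasswordProtected
    WITH ALGORITHM = AES_256
    ENCRYPTION BY PASSWORD = '<KeyPassword-placeholder>';
GO

-- Preferred pattern: wrap the key with a certificate, which is itself
-- protected by the database master key.
CREATE CERTIFICATE Cert_KeyProtector
    WITH SUBJECT = 'Protects SK_CertProtected';
GO

CREATE SYMMETRIC KEY SK_CertProtected
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE Cert_KeyProtector;
GO

-- Using the certificate-protected key: open it, encrypt, decrypt, close it.
OPEN SYMMETRIC KEY SK_CertProtected
    DECRYPTION BY CERTIFICATE Cert_KeyProtector;

DECLARE @plain  NVARCHAR(100)   = N'4111-1111-1111-1111';  -- constructed sample
DECLARE @cipher VARBINARY(256)  = EncryptByKey(Key_GUID('SK_CertProtected'), @plain);

-- Round trip; DecryptByKey returns VARBINARY, so convert back to the original type.
SELECT CONVERT(NVARCHAR(100), DecryptByKey(@cipher)) AS decrypted;

CLOSE SYMMETRIC KEY SK_CertProtected;
GO

-- Audit: which keys are password-protected? sys.key_encryptions records one
-- row per protector; a crypt_type_desc of ENCRYPTION_BY_PASSWORD is the case
-- the answer advises against for valuable data.
SELECT sk.name, sk.algorithm_desc, ke.crypt_type_desc
FROM sys.symmetric_keys AS sk
JOIN sys.key_encryptions AS ke
    ON ke.key_id = sk.symmetric_key_id
ORDER BY sk.name;
```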