OPEN SYMMETRIC KEY (Transact-SQL)
THIS TOPIC APPLIES TO: SQL Server (starting with 2008) Azure SQL Database Azure SQL Data Warehouse Parallel Data Warehouse
Decrypts a symmetric key and makes it available for use.
OPEN SYMMETRIC KEY Key_name DECRYPTION BY <decryption_mechanism> <decryption_mechanism> ::= CERTIFICATE certificate_name [ WITH PASSWORD = 'password' ] | ASYMMETRIC KEY asym_key_name [ WITH PASSWORD = 'password' ] | SYMMETRIC KEY decrypting_Key_name | PASSWORD = 'decryption_password'
Is the name of the symmetric key to be opened.
- CERTIFICATE certificate_name
Is the name of a certificate whose private key will be used to decrypt the symmetric key.
- ASYMMETRIC KEY asym_key_name
Is the name of an asymmetric key whose private key will be used to decrypt the symmetric key.
- WITH PASSWORD = 'password'
Is the password that was used to encrypt the private key of the certificate or asymmetric key.
- SYMMETRIC KEY decrypting_key_name
Is the name of a symmetric key that will be used to decrypt the symmetric key that is being opened.
- PASSWORD = 'password'
Is the password that was used to protect the symmetric key.
Open symmetric keys are bound to the session not to the security context. An open key will continue to be available until it is either explicitly closed or the session is terminated. If you open a symmetric key and then switch context, the key will remain open and be available in the impersonated context. Information about open symmetric keys is visible in the sys.openkeys (Transact-SQL) catalog view.
If the symmetric key was encrypted with another key, that key must be opened first.
If the symmetric key is already open, the query is a NO_OP.
If the password, certificate, or key supplied to decrypt the symmetric key is incorrect, the query will fail.
Symmetric keys created from encryption providers cannot be opened. Encryption and decryption operations using this kind of symmetric key succeed without the OPEN statement because the Encryption Provider is opening and closing the key.
The caller must have some permission on the key and must not have been denied VIEW DEFINITION permission on the key. Additional requirements vary, depending on the decryption mechanism:
DECRYPTION BY CERTIFICATE: CONTROL permission on the certificate and knowledge of the password that encrypts its private key.
DECRYPTION BY ASYMMETRIC KEY: CONTROL permission on the asymmetric key and knowledge of the password that encrypts its private key.
DECRYPTION BY PASSWORD: knowledge of one of the passwords that is used to encrypt the symmetric key.
The following example opens the symmetric key SymKeyMarketing3 and decrypts it by using the private key of certificate MarketingCert9.
USE AdventureWorks2012; OPEN SYMMETRIC KEY SymKeyMarketing3 DECRYPTION BY CERTIFICATE MarketingCert9; GO
The following example opens the symmetric key MarketingKey11 and decrypts it by using symmetric key HarnpadoungsatayaSE3.
USE AdventureWorks2012; -- First open the symmetric key that you want for decryption. OPEN SYMMETRIC KEY HarnpadoungsatayaSE3 DECRYPTION BY CERTIFICATE sariyaCert01; -- Use the key that is already open to decrypt MarketingKey11. OPEN SYMMETRIC KEY MarketingKey11 DECRYPTION BY SYMMETRIC KEY HarnpadoungsatayaSE3; GO