blogs.conchango.com

Cool article - I was actually thinking of asking you about this topic. I had pretty much arrived at the same conclusions. I have a couple of clients running AS/400's and #1 was the best approach I could come up with. I was wondering if I had missed something as I am still not completely comfortable with this option.

Bring on encrypted config files

You mention that you can encrypt the password when it is stored on a SQL Server. I know this is probably outside the scope of your blog, but can you give an example of how to set this up?

We store lots of stuff in SQL configuration tables and it's pretty easy.  What I could never figure out is how to encrypt those tables and still get the packages read correctly.  If you have any hints on where elsewhere is, I'd be forever in your debt!

BTW your blog has answered more of my SSIS questions (including some of the hardest ones) of any source I've used to date.  Great work and a big THANK YOU! :)

Doh, just posted on the SQL Server boards and an obvious answer came up.  Create the table using varbinary(MAX) fields and create an encrypted view that decrypts the values.  An encrypted instead of trigger could make updates and inserts transparent.  I'm going to take a shot at this and if there's interest I could post the results.

I've taken a stab at posting an article on MySpace with a script you can run to encrypt it.  Hope it's useful and people can find it :)

Of course a Link would help :)

http://blog.myspace.com/index.cfm?fuseaction=blog.view&friendID=186973938&blogID=260712295&MyToken=abbaac50-9c70-4b30-b304-8e524fb46544

This blog turned out a lot better.  With luck you might even be able to read it!

http://curionorg.blogspot.com/2007/05/encrypted-sql-server-ssis.html

Oh at last a blog that tells me where I am going wrong, I am new to SSIS and when deploying a package that worked on my laptop to production it failed :( i worked out it was becasue of the passwords, if I follow your suggestion 1 how do i modify the config file for it to work correckly,

thanks

Robbie

Recently on this blog I mentioned in passing that I have been working for some considerable time now

Maybe I'm missing something but could you explain me what is the advantadge of the encryption solution (through the use of encrypted view and instead of triggers) once it provides a view that is returning the same decrypted information as in the "original" table?

Thanks in advance.

I was hoping to find out if changing the protection level of a package at runtime was a possibility. I have about 300 packages created, however, the protection level is set to EncryptSensitiveWithUserKey. For best practices, my user should not be the user SQL Agent uses to execute the jobs. So to avoid going back into each package individually I thought,

<Configuration ConfiguredType="Property" Path="\Package.Properties[ProtectionLevel]" ValueType="Int32">

<ConfiguredValue>0</ConfiguredValue>

</Configuration>

would alter the protection level to DontSaveSensitive as runtime through the dtsconfig file. It doesn't seem to have worked. Any thoughts?

Jamie

Thanks for all the info - a most useful blog.

I use SQL to store the config info and it encrypted the password string on the way in (I assume because SMS displays the *****).

My problem is that I cannot see a list of configs in Job Management when I want to set up the job. I can browse to an xml file but not get at the SQL configs.

I like the SQL configs as it will allow me to launch a package from a winforms UI. I want to set up 2 configs, 1 for scheduled and another for adhoc processing.

Once we get into the  cmdexec all sorts of permissioning issues raise their ugly head - and we work on hardened servers. Looks like the work around (kludge) is to deploy multiple copies of the package (with configs set into the pkg)

More work required!