Decrypts a symmetric key and makes it available for use.
Applies to: SQL Server (SQL Server 2008 through current version).
Open symmetric keys are bound to the session not to the security context. An open key will continue to be available until it is either explicitly closed or the session is terminated. If you open a symmetric key and then switch context, the key will remain open and be available in the impersonated context. Information about open symmetric keys is visible in the sys.openkeys (Transact-SQL) catalog view.
If the symmetric key was encrypted with another key, that key must be opened first.
If the symmetric key is already open, the query is a NO_OP.
If the password, certificate, or key supplied to decrypt the symmetric key is incorrect, the query will fail.
Symmetric keys created from encryption providers cannot be opened. Encryption and decryption operations using this kind of symmetric key succeed without the OPEN statement because the Encryption Provider is opening and closing the key.
The caller must have some permission on the key and must not have been denied VIEW DEFINITION permission on the key. Additional requirements vary, depending on the decryption mechanism:
DECRYPTION BY CERTIFICATE: CONTROL permission on the certificate and knowledge of the password that encrypts its private key.
DECRYPTION BY ASYMMETRIC KEY: CONTROL permission on the asymmetric key and knowledge of the password that encrypts its private key.
DECRYPTION BY PASSWORD: knowledge of one of the passwords that is used to encrypt the symmetric key.
A. Opening a symmetric key by using a certificate
The following example opens the symmetric key SymKeyMarketing3 and decrypts it by using the private key of certificate MarketingCert9.
USE AdventureWorks2012; OPEN SYMMETRIC KEY SymKeyMarketing3 DECRYPTION BY CERTIFICATE MarketingCert9; GO
B. Opening a symmetric key by using another symmetric key
The following example opens the symmetric key MarketingKey11 and decrypts it by using symmetric key HarnpadoungsatayaSE3.
USE AdventureWorks2012; -- First open the symmetric key that you want for decryption. OPEN SYMMETRIC KEY HarnpadoungsatayaSE3 DECRYPTION BY CERTIFICATE sariyaCert01; -- Use the key that is already open to decrypt MarketingKey11. OPEN SYMMETRIC KEY MarketingKey11 DECRYPTION BY SYMMETRIC KEY HarnpadoungsatayaSE3; GO