Does backup encryption suppose a symmetric key under the hood?
SQL Server 2016 uses AES-256 symmetric encryption algorithm for backups. However, it uses an asymmetric key in conjunction with AES-256. As we know, asymmetric keys are not designed for large data encryption. Does the system, under the hood, generates a sort of symmetric session key and encrypts with it, then protects this session key with the above mentioned symmetric one?
You are correct, the asymmetric key (certificate may be used) is used ***not*** to encrypt the data, but to encrypt the ***symmetric*** key used for actual data encryption. The algorithm to encrypt data is always symmetric. This methodology is consistent with many other secure implementations. For example, this page uses https, meaning that it is protected with secure socket layers (SSL), which means that when the session starts, the web server and the client browser both generate random symmetric key and IV (key is 16 bytes in length, to afford AES-128). After that they swap public keys (from asymmetric cert). The public keys are useless for decryption, so they are perfectly safe to be sent over the net in open text (thus the name, public key). Upon receiving the public keys, each party uses it to encrypt its own symmetric key and IV generated earlier, and sends it over to the other party. When the key is received, it can be now safely decrypted (using the private key). From then on, each party encrypts the data with its own symmetric key, the data is decrypted at the other end with the same key which the opposite party now has. This method achieves high level of data protection because the keys used to protect the data are themselves protected with 1024 asymmetric algorithm (it is slow but needs to be done only once), while allowing the encryption/decryption to be very fast, courtesy of the symmetric algorithm. SQL Server 2016 backup encryption may, but does not have to use AES-256. It could also use AES-128, AES-192 or even Triple DES. In case if the Triple DES is used, the strength is 168. Triple DES needs 3 keys, 8 bytes in length plus 8-byte IV (initialization vector). Because every one of the 3 keys might have to be modified to ensure that it has odd number of bits set to 1, the strength of the algorithm is reduced to 168 from expected 192 (8 bytes per key \* (8 - 1 bit per byte) \* 3 keys = 168). Because of it, AES is the method preferred by many. Its strength is simply the number of bits in the key. For example, AES-256 uses the 32-byte key (32 \* 8 = 256), and if the Rijndael is the actual underlying algorithm (it probably is the one actually used), then every word (block) is 16 bytes, requiring that the IV is 16 bytes in length as well. This way, the cipher block chaining mechanism can use the IV for XOR with the first block of text before protecting it and proceeding to the next block which subjected to XOR with previous block of already encrypted text. Oleg