Microsoft SQL Server 2005 Integration Services (SSIS) implements
security on the client computer and on the server computer when you deploy SSIS
packages. You can encrypt the packages to keep the packages' property values secret by
setting the protection level of the packages. Packages include the
property. You can set the
property according to the level of
protection that a package requires.
For example, in a team development
environment, a package can be encrypted by using a password that is known to the
team members who work on the package. You can easily set a password by using SQL
Server Business Intelligence Development Studio or by using the dtutil utility
(Dtutil.exe) for a single package. However, if you have to handle lots of
packages, the best
method is to use the dtutil utility to set the protection level of a batch of SSIS packages. You can generally put a list of individual commands for each
package in a .bat file or in a .cmd file and then run the file. If the packages
are stored in the same folder, you can use short commands to loop the batch
of packages in that folder.
Consider the following scenario:
- You are deploying SSIS packages that have the default protection level.
- You have to send the packages
by using a password to other team members who know the
In this scenario, you can use the following command to use the dtutil utility to set the protection level of these packages.
for %%f IN (*.dtsx) DO dtutil.exe /File %%f /encrypt file;%%f;3;<promissory password>
- You do not have to decrypt packages that have the default
protection level because the default protection level of SSIS packages is
the EncryptAllWithUserKey value. The
protection level encrypts packages by using a key that is based on the user profile.
- Add the /q switch to avoid
- If you type this command at
a command prompt, use one percent (%) symbol. If you use this command inside an MS-DOS-based batch file, use two percent (%%) symbols.
- In this command, <promissory password> is a placeholder for the
- This command actually performs a loop for the
The protection level is set as a parameter in the command. In this
example, the protection level is set to 3 before the password. Use one of the
protection levels that is described in the following table according to your requirements.
dtutil.exe /File %%f /encrypt file;%%f;3;<promissory password>
Collapse this tableExpand this table
|0||Strip sensitive information.|
|1||Sensitive information is encrypted by using local user credentials.|
|2||Sensitive information is encrypted by using the required password.|
|3||The package is encrypted by using the required password.|
|4||The package is encrypted by using local user credentials.|
|5||The package uses SQL Server storage encryption.|
For more information, type the following command at a
dtutil /? Encrypt
When the other team members receive these packages, the team members may have to
change the password to a password that only the team members know or
protection level. The team members can use the following command to use the dtutil utility to
change the password for these packages.
for %%f IN (*.dtsx) DO dtutil.exe /File %%f /Decrypt <promissory password> /encrypt file;%%f;3;<new password>
For more information about how to use the dtutil utility to set the
protection level of SSIS packages, see the following topics in SQL
Server 2005 Books Online:
- Setting the protection level of packages
- Security considerations for Integration Services
- Package protection level
- dtutil utility
Article ID: 906562 - Last Review: March 11, 2006 - Revision: 2.2
- Microsoft SQL Server 2005 Developer Edition
- Microsoft SQL Server 2005 Enterprise Edition
- Microsoft SQL Server 2005 Standard Edition
|kbsql2005ssis kbhowto KB906562|