Select the product you need help with

How to use the dtutil utility (Dtutil.exe) to set the protection level of a batch of SQL Server Integration Services (SSIS) packages in SQL Server 2005

Article ID: 906562 - View products that this article applies to.

INTRODUCTION

Microsoft SQL Server 2005 Integration Services (SSIS) implements security on the client computer and on the server computer when you deploy SSIS packages. You can encrypt the packages to keep the packages' property values secret by setting the protection level of the packages. Packages include the ProtectionLevel property. You can set the ProtectionLevel property according to the level of protection that a package requires.

For example, in a team development environment, a package can be encrypted by using a password that is known to the team members who work on the package. You can easily set a password by using SQL Server Business Intelligence Development Studio or by using the dtutil utility (Dtutil.exe) for a single package. However, if you have to handle lots of packages, the best method is to use the dtutil utility to set the protection level of a batch of SSIS packages. You can generally put a list of individual commands for each package in a .bat file or in a .cmd file and then run the file. If the packages are stored in the same folder, you can use short commands to loop the batch of packages in that folder.

Back to the top | Give Feedback

MORE INFORMATION

Consider the following scenario:

You are deploying SSIS packages that have the default protection level.
You have to send the packages by using a password to other team members who know the password.

In this scenario, you can use the following command to use the dtutil utility to set the protection level of these packages.

for %%f IN (*.dtsx) DO dtutil.exe /File %%f /encrypt file;%%f;3;<promissory password>

Notes

You do not have to decrypt packages that have the default protection level because the default protection level of SSIS packages is the EncryptAllWithUserKey value. The default protection level encrypts packages by using a key that is based on the user profile.
Add the /q switch to avoid additional prompts.
If you type this command at a command prompt, use one percent (%) symbol. If you use this command inside an MS-DOS-based batch file, use two percent (%%) symbols.
In this command, <promissory password> is a placeholder for the password.
This command actually performs a loop for the following command.
dtutil.exe /File %%f /encrypt file;%%f;3;<promissory password>
The protection level is set as a parameter in the command. In this example, the protection level is set to 3 before the password. Use one of the protection levels that is described in the following table according to your requirements.

Collapse this tableExpand this table

Level	Description
0	Strip sensitive information.
1	Sensitive information is encrypted by using local user credentials.
2	Sensitive information is encrypted by using the required password.
3	The package is encrypted by using the required password.
4	The package is encrypted by using local user credentials.
5	The package uses SQL Server storage encryption.

For more information, type the following command at a command prompt:

dtutil /? Encrypt

When the other team members receive these packages, the team members may have to change the password to a password that only the team members know or change the protection level. The team members can use the following command to use the dtutil utility to change the password for these packages.

for %%f IN (*.dtsx) DO dtutil.exe /File %%f /Decrypt <promissory password> /encrypt file;%%f;3;<new password>

Back to the top | Give Feedback

REFERENCES

For more information about how to use the dtutil utility to set the protection level of SSIS packages, see the following topics in SQL Server 2005 Books Online: