Protect SSIS Packages when deployed on production servers. Do not allow export of SSIS packages

Problem: When SSIS packages are deployed to production SQL Server (which is the server of the CUSTOMERS and not that of VENDORS), DBAs can export the project, open it on Visual Studio and make changes to packages or worse, copy the logic inside them.

Is it possible to encrypt the SSIS project and then deploy it on SQL server in the encrypted form ?

I have already tried to change protection level of packages, but while deploying it the wizard changes this protection level [screenshot] and users can EXPORT the packages and still problem is not solved. After researching I found out that this is the default behaviour and that protection levels work only inside SSDT not on SQL Server.

Other alternatives included DIGITAL SIGNING of packages but I want to make sure that this will work before implementing it. As far I as read implementing this approach, the DWORD registry key had to be set, as such this doesnt comply with my requirement since this registry would have to be set on clients and not before the deployment.

My question is how to handle this problem, I just want to deploy SSIS packages in an encrypted form, and to not allow users of SQL server to export them.

Thank you !

At the project level you should be able to scroll down the properties and choose encrypt all with password. If someone exports the package they will need to know the password when attempting to open it in a project.

Yes, but when I deploy the project the wizard will ask me for password and therefore the project is decrypted and everyone can export it !

No it is not decrypted when supplying the password for deployment or setting up in an agent job. It will not be viewable in a VS project without supplying the password even if it is exported. The only way to prevent it from being exported is to limit user access to integration services. This is not done through SSIS but through SQL Server security.

Yes, it can be exported with no problem :slight_smile: It first shows a warning and if you click 'YES' you are able to get it fine

Have you tried opening it in Visual Studio?

Yes, of course it can be opened using the Import Project Wizard.

I just want to know whether its possible to stop clients where we will sell the applciation from exporting the packages and stealing algorithms implemented in ssis packages.

I've never used the wizard. I will have to test later on to see why that wouldn't respect the encryption password. Can you list the the steps you're using to achieve this?

1 Like

Hey kejsistruga, were you able to come up with a solution?