Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
ALWAYS ENCRYPTED
Beginners 101 Guide To Always Encrypted
MONICA RATHBUNConsultant
Denny Cherry & Associates Consulting
PASS Mid-Atlantic Regional Mentor
User Group Leader: Hampton Roads SQL Server User Group
@SQLEspresso
http://www.sqlespresso.com
http://www.linkedin.com/in/sqlespresso
PRESENTATION RULES
Always ask Questions
Interrupt Me
This is a two way conversation, let’s learn from each other’s experiences.
AGENDA
The Basic Terminology
Types of Encryption
What is Always Encrypted (AE)?
Key Storage
How to Encrypt/Decrypt
GOTCHAS
vNext Enclaves
ENCRYPTION TERMINOLOGY• Encrypt & Decrypt
• Column Encryption Key (CEK)
• Column Master Keys (CMK)
• Certificate
• Key Vaults
TYPES OF ENCRYPTIONType Usage Things to Note
Transparent Data Encryption (TDE)
Database Level
Data at Rest, Decrypted while in motion from Memoryto Storage processor.
Column Level Encryption
Column LevelDBA Can Get to Data, SQL Knows The Keys
Dynamic Data Masking Column Level Not Really Encryption
Always Encryption Column LevelEncrypted Everywhere For Everyone
WHAT IS AE ?
Available in Standard 2016 SP1 STANDARD
Can be used to Block DBA’s from seeing the data
• CEK is stored outside of SQL Server
No Code Changes Needed*
Data Encrypted as it is SENT to
application
TWO TYPES OF AE
Deterministic
ABCACBACB
WHERE clauses,
GROUP BY and JOINS.
Indexes
Randomized
ABCACBACB, BBBCCAA, or CCCAAABBB
More Secure
Non Searchable
Distributed Queries (linked servers)
No Default Or Check Constraints
No Partition Columns
Columns Reference By Computed
Columns
No Transactional/Merge
Replication Aggregations
Columns with the IDENTITY property
No Triggers
AE GOTCHAS
STORING KEYS
WINDOWS CERTIFICATE STORE
Local to Server https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-view-certificates-with-the-mmc-snap-in
AZURE KEY Vault
Azure Subscription
Reliable Internet
https://azure.microsoft.com/en-us/services/key-vault/ternet Connection
WINDOWS CERTIFICATE STORE
Two certificate locations: local
machine or current user
Key store exists on each machine
hosting your application
AZURE KEY VAULT
• Extra Security Level
• Role Separation
• Key Logs to Audit Key Usage
ENCRYPTION DEMO
DECRYPTION IN SSMSSSMS uses .NET 4.6 so you can pass in the necessary encryption options. SSMS uses the connection string to access the Master Key and return the data in its decrypted format.
DECRYPTION IN APPLICATIONDatabase Permissions
• VIEW ANY COLUMN MASTER KEY DEFINITION
• VIEW ANY COLUMN ENCRYPTION KEY DEFINITION
These permissions are required to access the metadata about Always Encrypted keys in the database.
string connectionString = "Data Source=server63; Initial Catalog=Clinic; Integrated Security=true; Column Encryption Setting=enabled"; SqlConnection connection = new SqlConnection(connectionString);
DECRYPTION IN APPLICATIONDatabase Permissions
• VIEW ANY COLUMN MASTER KEY DEFINITION
• VIEW ANY COLUMN ENCRYPTION KEY DEFINITION
These permissions are required to access the metadata about Always Encrypted keys in the database.
string connectionString = "Data Source=server63; Initial Catalog=Clinic; Integrated Security=true;
Column Encryption Setting=enabled"; SqlConnection connection = new SqlConnection(connectionString);
DECRYPTION DEMO
VNEXT…ENCLAVES (IN PREVIEW)
An enclave is a protected region of memory that acts as a trusted execution environment.
An enclave appears as a black box to the containing process and to other processes running on the machine. There is no way to view the data or the code inside the enclave from the outside, even with a debugger.
AE USING ENCLAVES (IN PREVIEW)
• Pattern Matching• Range Comparisons• Sorting
Rich Computations
• Initial Data Encryption• Rotating a Column Encryption Key• Changing a Data Type of an Encrypted
Column
In-PlaceEncryptions
QUESTIONS?
RESOURCESMSDNhttps://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-2017
Secure Enclaves https://blogs.msdn.microsoft.com/sqlsecurity/2017/10/05/enabling-confidential-computing-with-always-encrypted-using-enclaves-early-access-preview/
TDEhttps://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-2017
Aaron Bertrand Bloghttps://blogs.sentryone.com/aaronbertrand/t-sql-tuesday-69-always-encrypted-limitations/