Scribd Logo
Upload

Welcome to Scribd!

  • Always Encrypted PDF

    Uploaded by

    rajiv_ndpt8394
    40 views21 pages
    This document provides a beginner's guide to Always Encrypted, which allows data to be encrypted while in use by applications and queries without requiring changes to the application code. It discusses key Always Encrypted concepts like column encryption keys (CEKs), column master keys (CMKs), and key storage options. The document also summarizes the different types of encryption in SQL Server like transparent data encryption (TDE) and column-level encryption. It demonstrates how to encrypt and decrypt data using Always Encrypted and highlights current limitations. Finally, it briefly outlines the new enclave capabilities in Always Encrypted which enable richer computations on encrypted data.

    Original Description:

    Original Title

    Always_Encrypted.pdf

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document provides a beginner's guide to Always Encrypted, which allows data to be encrypted while in use by applications and queries without requiring changes to the application code. It discusses key Always Encrypted concepts like column encryption keys (CEKs), column master keys (CMKs), and key storage options. The document also summarizes the different types of encryption in SQL Server like transparent data encryption (TDE) and column-level encryption. It demonstrates how to encrypt and decrypt data using Always Encrypted and highlights current limitations. Finally, it briefly outlines the new enclave capabilities in Always Encrypted which enable richer computations on encrypted data.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    40 views21 pages

    Always Encrypted PDF

    Uploaded by

    rajiv_ndpt8394
    This document provides a beginner's guide to Always Encrypted, which allows data to be encrypted while in use by applications and queries without requiring changes to the application code. It discusses key Always Encrypted concepts like column encryption keys (CEKs), column master keys (CMKs), and key storage options. The document also summarizes the different types of encryption in SQL Server like transparent data encryption (TDE) and column-level encryption. It demonstrates how to encrypt and decrypt data using Always Encrypted and highlights current limitations. Finally, it briefly outlines the new enclave capabilities in Always Encrypted which enable richer computations on encrypted data.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 21

    ALWAYS ENCRYPTED

    Beginners 101 Guide To Always Encrypted


    MONICA RATHBUN
    Consultant
    Denny Cherry & Associates Consulting

    PASS Mid-Atlantic Regional Mentor


    User Group Leader: Hampton Roads SQL Server User Group

    MRathbun@sqlespresso.com http://www.sqlespresso.com

    @SQLEspresso http://www.linkedin.com/in/sqlespresso
    Always ask Questions PRESENTATION
    RULES

    Interrupt Me

    This is a two way


    conversation, let’s learn from
    each other’s experiences.
    AGENDA
    The Basic Terminology
    Types of Encryption
    What is Always Encrypted (AE)?
    Key Storage
    How to Encrypt/Decrypt
    GOTCHAS
    vNext Enclaves
    ENCRYPTION TERMINOLOGY
    • Encrypt & Decrypt
    • Column Encryption Key (CEK)
    • Column Master Keys (CMK)
    • Certificate
    • Key Vaults
    TYPES OF ENCRYPTION
    Type Usage Things to Note
    Data at Rest,
    Transparent Data Decrypted while in
    Database Level
    Encryption (TDE) motion from Memory
    to Storage processor.
    Column Level DBA Can Get to Data,
    Column Level
    Encryption SQL Knows The Keys
    Dynamic Data Masking Column Level Not Really Encryption
    Encrypted Everywhere
    Always Encryption Column Level
    For Everyone
    WHAT IS
    Available in
    Can be used to
    Block DBA’s AE ?
    from seeing the
    Standard 2016 data
    SP1 STANDARD
    • CEK is stored
    outside of SQL
    Server

    No Code Data Encrypted


    Changes as it is SENT to
    Needed* application
    TWO TYPES OF AE
    Deterministic Randomized

    ABCACBACB,
    ABCACBACB BBBCCAA, or
    CCCAAABBB

    WHERE
    clauses,
    GROUP BY and More Secure
    JOINS.

    Non
    Indexes
    Searchable
    AE GOTCHAS

    Distributed Queries No Default Or Check


    No Partition Columns
    (linked servers) Constraints

    Columns Reference No
    By Computed Transactional/Merge Aggregations
    Columns Replication

    Columns with the


    No Triggers
    IDENTITY property
    WINDOWS Local to Server https://docs.microsoft.com/e
    n-
    CERTIFICATE us/dotnet/framework/wcf/fe
    STORE ature-details/how-to-view-
    certificates-with-the-mmc-
    snap-in

    AZURE KEY Azure


    Vault Subscription
    https://azure.microsoft.com/en-
    Reliable us/services/key-vault/ternet
    Connection
    Internet

    STORING KEYS
    WINDOWS CERTIFICATE STORE

    Two certificate Key store exists


    locations: local on each machine
    machine or current hosting your
    user application
    • Extra Security
    Level
    • Role
    Separation
    • Key Logs to
    Audit Key
    Usage

    AZURE KEY VAULT


    ENCRYPTION DEMO
    DECRYPTION IN SSMS
    SSMS uses .NET 4.6 so you can pass in the
    necessary encryption options. SSMS uses the
    connection string to access the Master Key and
    return the data in its decrypted format.
    DECRYPTION IN
    APPLICATION
    Database Permissions
    • VIEW ANY COLUMN MASTER KEY
    DEFINITION
    • VIEW ANY COLUMN ENCRYPTION KEY
    DEFINITION
    string connectionString = "Data Source=server63;
    Initial Catalog=Clinic; Integrated Security=true;
    Column Encryption Setting=enabled"; These permissions are required to
    SqlConnection connection = new access the metadata about Always
    SqlConnection(connectionString);
    Encrypted keys in the database.
    DECRYPTION IN
    APPLICATION
    Database Permissions
    • VIEW ANY COLUMN MASTER KEY
    DEFINITION
    • VIEW ANY COLUMN ENCRYPTION KEY
    DEFINITION
    string connectionString = "Data Source=server63;
    Initial Catalog=Clinic; Integrated Security=true;
    Column Encryption Setting=enabled"; These permissions are required to
    SqlConnection connection = new access the metadata about Always
    SqlConnection(connectionString); Encrypted keys in the database.
    DECRYPTION DEMO
    An enclave is a protected region of memory that acts as a
    trusted execution environment.
    An enclave appears as a black box to the containing process and to other processes
    running on the machine. There is no way to view the data or the code inside the
    enclave from the outside, even with a debugger.

    VNEXT…ENCLAVES (IN PREVIEW)


    AE USING ENCLAVES (IN PREVIEW)

    Rich • Pattern Matching


    • Range Comparisons
    Computations • Sorting

    • Initial Data Encryption


    In-Place • Rotating a Column Encryption Key
    Encryptions • Changing a Data Type of an Encrypted
    Column
    QUESTIONS?
    MSDN
    https://docs.microsoft.com/en-us/sql/relational-
    databases/security/encryption/always-encrypted-
    database-engine?view=sql-server-2017
    RESOURCES
    Secure Enclaves
    https://blogs.msdn.microsoft.com/sqlsecurity/2017/10/05/ena
    bling-confidential-computing-with-always-encrypted-using-
    enclaves-early-access-preview/

    TDE
    https://docs.microsoft.com/en-us/sql/relational-
    databases/security/encryption/transparent-data-
    encryption?view=sql-server-2017

    Aaron Bertrand Blog


    https://blogs.sentryone.com/aaronbertrand/t-sql-
    tuesday-69-always-encrypted-limitations/

    You might also like