Scribd
Upload
144 views39 pages

SQL Server Data Encryption Guide

Tom Norman presented on encrypting data within SQL Server. He discussed company data breaches to highlight the importance of data protection. He then covered the different types of encryption available in SQL Server, including Transparent Data Encryption, cell level encryption, and Always Encrypted. Always Encrypted allows encryption of sensitive data in client applications and keeps the data encrypted in the database. It supports encryption in SQL Server 2016 and above.

Uploaded by

kon73
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
144 views39 pages

SQL Server Data Encryption Guide

Tom Norman presented on encrypting data within SQL Server. He discussed company data breaches to highlight the importance of data protection. He then covered the different types of encryption available in SQL Server, including Transparent Data Encryption, cell level encryption, and Always Encrypted. Always Encrypted allows encryption of sensitive data in client applications and keeps the data encrypted in the database. It supports encryption in SQL Server 2016 and above.

Uploaded by

kon73
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd

Tom Norman

Encrypting Data
within
SQL Server
Tom Norman
Data Architect – KPA
Raleigh, North Carolina

2018 KPA Technology Employee of the Year

Microsoft Certified Professional

PASS Virtualization Virtual Group Leader

SQL Saturday Speaker


Raleigh, Denver, Houston, Baltimore, Colorado
Springs, Albuquerque, Chicago, Charlotte, Atlanta,
Spartanburg, Jacksonville, Tampa, Boston, Columbus
GA, Cleveland
Thanks to our sponsors
Agenda
• Company Data Breaches
• Government Regulations
• Data Protection Types
• Encryption in SQL Server
• Always Encrypted
• SSIS with Always Encrypted
Company
Data
Breaches
Company Data Breaches
Aadhaar – 1.1 Billion, 2018
Exactis - 340 Million, 2018
Under Armour - 150 Million, 2018
MyHeritage - 92 Million, 2018
Facebook - 87 Million, 2018
Panera Bread - 37 Million, 2018
Ticketfly - 27 Million, 2018
Sacramento Bee - 19.5 Million, 2018
PumpUp – 6 Million, 2018
Saks, Lord & Taylor – 5 Million, 2018
Source: [Link]
Government
Regulations
Government Regulations

PII - Personal Identifiable Information (US)


GDPR – General Data Protection Regulation (EU)
Google fined 50 Million Euro

PCI - Payment Card Industry (US)


HIPAA – Health Information Privacy (US)
California Consumer Privacy Act of 2018
Effective January 1, 2020
Data
Protection
Types
Types of Encryption

Transparent Data Encryption


Cell Level Encryption
Always Encrypted
Encryption
in
SQL Server
Encryption in SQL Server - TDE
• SQL Server 2005 • Enterprise Edition
• No Application • Data At Rest
Change • Data Files
• Selects – See Data • Log
• SSL - Configure • Files
• Backups
Encryption in SQL Server – Cell Level
• SQL Server 2005 • Enterprise Edition
• Application Change • Selects – See Data
with Decryption
function
Encryption in SQL Server – Always Encrypted
• SQL Server 2016 • Enterprise Edition
• Client Side (RTM)
• .Net 4.6 • Standard Edition
(SP1)
Always
Encrypted
Types of Always Encrypted Data

Randomized - a method that encrypts data in a less predictable


manner. Randomized encryption is more secure, but prevents equality
searches, grouping, indexing, and joining on encrypted columns.

Deterministic - method which always generates the same encrypted


value for any given plain text value. Using deterministic encryption
allows grouping, filtering by equality, and joining tables based on
encrypted values, but can also allow unauthorized users to guess
information about encrypted values
Securing Always Encrypted

• Column Master Key


• Protects column encryption keys.
• Stored in a trusted key store.
• System catalog views.
• View in SSMS
Securing Always Encrypted
• Column Encryption Key
• Protected by Column Master Key.
• Encrypts sensitive column data.
• Column encrypted with single column encryption key.
• System catalog views.
• Backup keys.
Column Master Key

• Windows Certificate Store


• Current User
• Local Machine
• Azure Key Vault
• Key Storage Provider
Always Encrypted

• SSL Encrypted
• Data Encrypted in Memory
• No DML without permissions
• Missing .Net 4.6 returns varbinary field type
• Correct setup returns field type
Always Encrypted

• See data in SSMS


• Yes, Access to Column Master Key
• No, no access to Column Master Key
• Connection string parameter
• Column Encryption Setting = Enabled
• Query Option
• Parameterization for Always Encrypted
Always Encrypted Limitations - 2016

• Not Allowed
• Order By
• Cast / Convert
• Temp Tables
• .Net Core CLR SQL Provider
Always Encrypted Limitations - 2016

• Not Allowed
• Like
• Range
• Indexes
• Check Constraints
Always Encrypted Issues - 2016

• Issues
• Field Type vs Parameter Type
• SSMS Wizard Slow
• SSDT convert existing fields
• SSDT publish profile
Always Encrypted - 2019

• Secure Enclave
• Windows Server 2019 / Windows 10 Build 1809
• .Net Framework 4.7.2
• .Net Framework Data Provider for SQL Server
• Configure Host Guardian Service in environment
• Register service hosting SQL Server
Always Encrypted - 2019
Always Encrypted - 2019

Column is NOT enclave- Column is NOT enclave-


Operation enabled enabled Column is enclave-enabled Column is enclave-enabled

Randomized encryption Deterministic encryption Randomized encryption Deterministic encryption

In-place encryption Not Supported Not Supported Supported Supported

Equality comparison Not Supported Supported outside of the Supported (inside the Supported outside of the
enclave enclave) enclave

Comparison operators Not Supported Not Supported Supported Not Supported


beyond equality

LIKE Not Supported Not Supported Supported Not Supported


SSIS
with
Always
Encrypted
SSIS

Use ADO Net connection strings


Connection Manager Properties
Enable Column Encryption Setting
BCP

ALTER USER Bob


WITH ALLOW_ENCRYPTED_VALUE_MODIFICATIONS = ON;
What
Column
Do I
Encrypt?
What Column Do I Encrypt?
• First Name
• Last Name
• Birthdate
• Address
• Email
• Phone
• Tax Id Number
• Driver’s License Number
• Medical Evaluation Notes
What Column Do I Encrypt?
• First Name - No
• Last Name - No
• Birthdate - No
• Address - No
• Email - Yes
• Phone - Yes
• Tax Id Number - Yes
• Driver’s License Number - Yes
• Medical Evaluation Notes - Yes
References
TDE - Setup
[Link]
[Link]

Always Encrypted - Features


[Link]
databases/security/encryption/always-encrypted-
database-engine?view=sql-server-2017#feature-details
References
Always Encrypted – SSMS Modify Data
[Link]
3/parameterization-for-always-encrypted-using-ssms-to-
insert-into-update-and-filter-by-encrypted-columns/

Always Encrypted – SQL Server 2019


[Link]
databases/security/encryption/always-encrypted-
enclaves?view=sqlallproducts-allversions
Questions
Consistent Releases
Tom Norman
Email:
ArmorDba@[Link]
Twitter:
@ArmorDba
LinkedIn:
[Link]/in/armordba
Blog:
[Link]
Demo

You might also like