End to End Always Encrypted
in SQL Server 2016
Steve Jones
SQLServerCentral
Redgate Software
Agenda
• Who am I?
• Encryption Concepts
• Always Encrypted Overview
• Requirements and Setup
• Indexing
• Limitations
Who am I?
Steve Jones
SQLServerCentral founder
Redgate Software Evangelist
www.voiceofthedba.com
[email protected]
@way0utwest
/in/way0utwest
encryption is the process of transforming information
(referred to as plaintext) using an algorithm (called a
cipher) to make it unreadable to anyone except those
possessing special knowledge, usually referred to as a
key. The result of the process is encrypted
information (in cryptography, referred to as
ciphertext).
- Wikipedia
Encryption works with Functions and Keys
The quick brown fox
jumped over the lazy dog.
Encryption Function
0x00059E2EC7419F590E79D7F
1B774BFE601000000DB80B8A
C1B295E367FEAC63C4BD7B8F
8FACD0151B57DF97FF2BBA1E
D9626B0316043C62387BB8E5
D4A17B33C48A554F2A9B2862
6BB250A153FEEF2BFEBCF92E
CF6C421D47C84BF93074E54E
F85C85B1C
X.509 Certificate
Symmetric Key
The quick brown fox
jumped over the lazy dog.
Network
The quick brown
fox jumped.
Server memory
The quick brown
fox jumped.
Server storage
Client memory
The quick brown
fox jumped.
0x043db59a9eb32
d42a43b45fed9
0x043db59a9eb32
d42a43b45fed9
Always Encrypted is different.
• Added in SQL Server 2016 and Azure SQL Database
• SQL Server does not (necessarily) know how to decrypt data
• Client manages the encryption protection
• Data is encrypted in transit and on the server
Always Encrypted
Demo
Always Encrypted Setup
0x_xx.sql
Requirements
• ADO.NET 4.6 driver
• Client side encryption store access
• Local Certificate Store
• Azure Key Vault
• Column Master Key (CMK)
• Column Encryption Key (CEK)
Accessing and Entering Data
• Must use a client application
• Queries must be parameterized
• Only equals operations on encrypted data
Demo
Always Encrypted Data – Working with data
1x_xx.sql queries
Certificates Matter
• The Certificate protects the key and is needed for
encryption/decryption
• The Certificate is needed on the client, not the server
• Certificates can be created by
• SQL Server
• Makecert
• New-SelfSignedCertificate
Demo
Always Encrypted Data – Certificates
2x_xx.sql queries
Indexing and Performance
• Indexes require consistency, or determinism
• Always Encrypted allows encryption that is
• Deterministic
• Random
Encryption Types
• Deterministic Encryption – Same plaintext value with same key =
same encrypted value*
• Random Encryption – Same plaintext value with same key <> same
encrypted value (maybe)
* Note: This does not necessarily mean that someone can derive the
plaintext value from the encrypted values.
Demo
Always Encrypted Types and Indexing
3x_xx.sql
Limitations
•
•
•
•
•
•
•
•
•
Deterministic Encryption requires _BIN2 collation.
A CEK can have two encrypted values (for key rotation)
Queries can only perform operations on deterministic encryption
Only the equals (=) operation is allowed in queries. (No >, <, <>, like, etc.)
Queries must pass values as parameters, not literals.
Limited data types
Key columns in indexes only allow deterministic encryption
No CDC
More (See the Feature Details section)
Limitations – Quiese the Table
One big limitation (from https://blogs.msdn.microsoft.com/sqlsecurity/2015/10/31/ssms-encryptionwizard-enabling-always-encrypted-in-a-few-easy-steps/)
• Note: When using the current version of the wizard, you need to make sure
no other application inserts or updates rows in the tables, containing
encrypted columns, while the encryption workflow is running. During the
encryption workflow, the wizard creates a temporary table, downloads the
data from your original table, encrypts the data and uploads it to the
temporary table. Finally, the wizard deletes the original table and renames
the temporary table to the original table. If another app is inserting or
modifying data in the original table, the new or updated data may be lost.
Make sure, you only run the encryption workflow in a planned maintenance
window. This issue will be addressed in a later version of SSMS.
Demo
Always Encrypted Limitations
Bonus Demo
Always Encrypted Key Rotation
50_KeyRotation.sql
Summary
• Always Encrypted only requires a change to the connection string
• Caveat - collation
• Data is protected once it leave the client
• Encrypted data is protected from system administrators on the server
• Certificate management is crucial to protecting data
The End
• Thank you for coming
• Questions?
• Ask at www.sqlservercentral.com/forums
• Slides/Code at www.voiceofthedba.com/talks
www.voiceofthedba.com
[email protected]
@way0utwest
/in/way0utwest
References
• Always Encrypted (BOL) - https://msdn.microsoft.com/enus/library/mt163865.aspx
• Column Encryption Metadata https://blogs.msdn.microsoft.com/sqlsecurity/2015/07/06/alwaysencrypted-key-metadata/
Images
• http://excellentsecurityinc.com/media/1281/boxinternal2.jpg
• http://themarkconsulting.com/wpcontent/uploads/2015/04/Bank_Vault_3D_Wallpaper-HD.jpg
• https://www.fcbweb.net/wp-content/uploads/2009/10/Safe.jpg
• https://i-msdn.sec.s-msft.com/dynimg/IC797953.jpeg