SQL Server Always Encrypted Explained
By Tom Nonmacher
In today's data-driven world, database security is of paramount importance. One of the most powerful security features provided by SQL Server 2019 is Always Encrypted. This feature ensures sensitive data, such as credit card numbers or personally identifiable information (PII), is encrypted within the database system - not only when it is at rest, but also during transmission and while in use. This blog post will explore the Always Encrypted feature, discuss its benefits, and provide examples of how to use it.
SQL Server's Always Encrypted feature works by encrypting sensitive data within the application, and never revealing the encryption keys to the Database Engine (SQL Database or SQL Server). Thus, even database administrators, who have high-level access privileges, cannot view the encrypted data. This security measure helps to prevent potential data breaches by making it virtually impossible for anyone without the encryption keys to access the sensitive data.
Here is an example of how to use Always Encrypted in SQL Server 2019. Suppose you have a table called 'Customers' with a column 'CreditCardNumber'. You can encrypt this column using the following T-SQL code:
-- T-SQL code
ALTER TABLE Customers
ALTER COLUMN CreditCardNumber
ADD ENCRYPTED WITH (ENCRYPTION_TYPE = DETERMINISTIC,
ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256',
COLUMN_ENCRYPTION_KEY = MyCEK)
Unfortunately, Always Encrypted is not natively supported in other popular DBMS like MySQL 8.0 and DB2 11.5. However, you can achieve similar functionality by using SSL connections to encrypt data during transmission and stored procedures to encrypt/decrypt data at rest.
For cloud-based solutions, Microsoft offers Always Encrypted for Azure SQL Database and Azure Synapse Analytics. These services offer the same level of security as SQL Server 2019, and you can use a similar T-SQL syntax to encrypt data. The only difference is that, in Azure, the encryption keys are managed in Azure Key Vault, a cloud service for securely storing and accessing cryptographic keys and secrets.
In conclusion, SQL Server's Always Encrypted is a significant feature that can greatly enhance the security of your sensitive data. By encrypting data at rest, in use, and during transmission, it provides a comprehensive security solution for modern applications. Although not natively supported in MySQL and DB2, similar functionality can be achieved with a bit of extra effort. For cloud-based applications, Azure SQL and Azure Synapse offer a seamless integration of Always Encrypted with the added benefit of Azure Key Vault for key management.