End to End Always Encrypted in SQL Server 2016 (presentation transcript) - Steve Jones, SQLServerCentral, Redgate Software

Slide 1: End to End Always Encrypted in SQL Server 2016
Steve Jones, SQLServerCentral, Redgate Software

Slide 2: Agenda
- Who am I?
- Encryption Concepts
- Always Encrypted Overview
- Requirements and Setup
- Indexing
- Limitations

Slide 3: Who am I?
Steve Jones, SQLServerCentral founder, Redgate Software Evangelist
www.voiceofthedba.com | sjones@sqlservercentral.com | @way0utwest | /in/way0utwest

Slide 4: "Encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (in cryptography, referred to as ciphertext)." - Wikipedia

Slide 5: Encryption works with Functions and Keys
Plaintext: The quick brown fox jumped over the lazy dog.
-> Encryption Function ->
Ciphertext: 0x00059E2EC7419F590E79D7F1B774BFE601000000DB80B8AC1B295E367FEAC63C4BD7B8F8FACD0151B57DF97FF2BBA1ED9626B0316043C62387BB8E5D4A17B33C48A554F2A9B28626BB250A153FEEF2BFEBCF92ECF6C421D47C84BF93074E54EF85C85B1C

Slide 8: (diagram) An X.509 Certificate protects a Symmetric Key, which protects the plaintext "The quick brown fox jumped over the lazy dog."

Slide 9: (diagram) Plaintext "The quick brown fox jumped." in Client memory, on the Network and in Server memory; ciphertext 0x043db59a9eb32d42a43b45fed9 in Server storage.

Slide 10: Always Encrypted is different
- Added in SQL Server 2016 and Azure SQL Database
- SQL Server does not (necessarily) know how to decrypt data
- Client manages the encryption protection
- Data is encrypted in transit and on the server

Slide 11: Always Encrypted (diagram)

Slide 12: Demo - Always Encrypted Setup (0x_xx.sql)

Slide 13: Requirements
- ADO.NET 4.6 driver
- Client side encryption store access: Local Certificate Store or Azure Key Vault
- Column Master Key (CMK)
- Column Encryption Key (CEK)

Slide 14: Accessing and Entering Data
- Must use a client application
- Queries must be parameterized
- Only equals operations on encrypted data
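As an added example (not one of the talk's demo scripts), the T-SQL behind the setup steps on slides 13 and 14: a CMK that only points at a certificate in the client's store, a CEK stored as a client-produced wrapped blob, and a table with one deterministic and one randomized column. The key names, the certificate thumbprint and the ENCRYPTED_VALUE are placeholders; the real wrapped value comes from a client tool such as SSMS, never from the server.

```sql
-- Added example; not one of the talk's demo scripts.
-- 1. Column Master Key: metadata only. SQL Server stores a pointer to a
--    certificate in the client's store; the private key never reaches the server.
CREATE COLUMN MASTER KEY CMK_Demo
WITH (
    KEY_STORE_PROVIDER_NAME = N'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = N'CurrentUser/My/0000000000000000000000000000000000000000'  -- placeholder thumbprint
);
GO

-- 2. Column Encryption Key: the symmetric key that encrypts the data, stored
--    only as a ciphertext produced on the client by wrapping it with the CMK
--    certificate (RSA-OAEP). SSMS or PowerShell generate the real value; the
--    server cannot check or unwrap it.
CREATE COLUMN ENCRYPTION KEY CEK_Demo
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Demo,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x0123456789ABCDEF  -- placeholder, not a real wrapped key
);
GO

-- 3. Table with two protected columns.
--    SSN: DETERMINISTIC, so it can be indexed and used in WHERE SSN = @ssn
--         from a parameterized client query; this requires a _BIN2 collation.
--    Salary: RANDOMIZED, stronger (equal plaintexts give different ciphertexts),
--         but it cannot be used in predicates, joins or indexes.
CREATE TABLE dbo.Employee (
    EmployeeID int IDENTITY(1,1) PRIMARY KEY,
    FullName   nvarchar(100) NOT NULL,
    SSN        char(11) COLLATE Latin1_General_BIN2 NOT NULL
               ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Demo,
                               ENCRYPTION_TYPE = DETERMINISTIC,
                               ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'),
    Salary     money NULL
               ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Demo,
                               ENCRYPTION_TYPE = RANDOMIZED,
                               ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256')
);
GO

-- 4. Indexing is only possible on the deterministic column.
CREATE INDEX IX_Employee_SSN ON dbo.Employee (SSN);
GO
```

Rows must still be inserted and queried from a client connection with Column Encryption Setting=Enabled and parameterized statements; a literal in the WHERE clause is rejected because the server never sees plaintext for these columns.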

Slide 15: Demo - Always Encrypted Data: Working with data (1x_xx.sql queries)

Slide 16: Certificates Matter
- The Certificate protects the key and is needed for encryption/decryption
- The Certificate is needed on the client, not the server
- Certificates can be created by: SQL Server, Makecert, New-SelfSignedCertificate

Slide 17: Demo - Always Encrypted Data: Certificates (2x_xx.sql queries)

Slide 18: Indexing and Performance
- Indexes require consistency, or determinism
- Always Encrypted allows encryption that is: Deterministic or Random

Slide 19: Encryption Types
- Deterministic Encryption: same plaintext value with same key = same encrypted value*
- Random Encryption: same plaintext value with same key <> same encrypted value (maybe)
* Note: This does not necessarily mean that someone can derive the plaintext value from the encrypted values.

Slide 20: Demo - Always Encrypted Types and Indexing (3x_xx.sql)

Slide 21: Limitations
- Deterministic Encryption requires a _BIN2 collation.
- A CEK can have two encrypted values (for key rotation).
- Queries can only perform operations on deterministic encryption.
- Only the equals (=) operation is allowed in queries (no >, <, LIKE, etc.).
- Queries must pass values as parameters, not literals.
- Limited data types.
- Key columns in indexes only allow deterministic encryption.
- No CDC.
- More (see the Feature Details section).

Slide 22: Limitations - Quiesce the Table
One big limitation (from https://blogs.msdn.microsoft.com/sqlsecurity/2015/10/31/ssms-encryption-wizard-enabling-always-encrypted-in-a-few-easy-steps/):
"Note: When using the current version of the wizard, you need to make sure no other application inserts or updates rows in the tables containing encrypted columns while the encryption workflow is running. During the encryption workflow, the wizard creates a temporary table, downloads the data from your original table, encrypts the data and uploads it to the temporary table. Finally, the wizard deletes the original table and renames the temporary table to the original table. If another app is inserting or modifying data in the original table, the new or updated data may be lost. Make sure you only run the encryption workflow in a planned maintenance window. This issue will be addressed in a later version of SSMS."

Slide 23: Demo - Always Encrypted Limitations

Slide 24: Bonus Demo - Always Encrypted Key Rotation (50_KeyRotation.sql)
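An added example of the Column Master Key rotation the bonus demo covers (this is not the talk's 50_KeyRotation.sql): the CEK temporarily carries two encrypted values, one per certificate, so clients with either certificate keep working, and the old wrapper is dropped only afterwards. CMK_Demo, CEK_Demo and the new CMK are assumed names; the thumbprint and ENCRYPTED_VALUE are placeholders for values a client tool produces.

```sql
-- Added example of CMK rotation; not the talk's 50_KeyRotation.sql.
-- Assumes an existing CMK_Demo / CEK_Demo pair (placeholder names).

-- Step 1: register the new certificate as a second CMK (metadata only).
CREATE COLUMN MASTER KEY CMK_Demo_New
WITH (
    KEY_STORE_PROVIDER_NAME = N'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = N'CurrentUser/My/1111111111111111111111111111111111111111'  -- placeholder thumbprint
);
GO

-- Step 2: add a second encrypted copy of the SAME CEK, wrapped with the new CMK.
-- The client (SSMS / PowerShell) unwraps the CEK with the old certificate and
-- re-wraps it with the new one; the server only stores the result. Table data is
-- not re-encrypted, because the symmetric key itself does not change.
ALTER COLUMN ENCRYPTION KEY CEK_Demo
ADD VALUE (
    COLUMN_MASTER_KEY = CMK_Demo_New,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x0123456789ABCDEF  -- placeholder, not a real wrapped key
);
GO

-- Step 3: verify from the metadata catalog that the CEK now has two values,
-- one per CMK. This is the "two encrypted values" limitation from slide 21 and
-- the only view of the keys the server itself has.
SELECT cek.name AS cek_name,
       cmk.name AS cmk_name,
       cmk.key_store_provider_name,
       cmk.key_path,
       v.encryption_algorithm_name
FROM sys.column_encryption_keys AS cek
JOIN sys.column_encryption_key_values AS v
     ON v.column_encryption_key_id = cek.column_encryption_key_id
JOIN sys.column_master_keys AS cmk
     ON cmk.column_master_key_id = v.column_master_key_id
WHERE cek.name = 'CEK_Demo';
GO

-- Step 4: only after every client has the new certificate, remove the old
-- wrapper and the old CMK. Clients still holding only the old certificate
-- lose access at this point, which is the purpose of the rotation.
ALTER COLUMN ENCRYPTION KEY CEK_Demo
DROP VALUE (COLUMN_MASTER_KEY = CMK_Demo);
GO
DROP COLUMN MASTER KEY CMK_Demo;
GO
```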

Slide 25: Summary
- Always Encrypted only requires a change to the connection string (caveat: collation)
- Data is protected once it leaves the client
- Encrypted data is protected from system administrators on the server
- Certificate management is crucial to protecting data

Slide 26: The End
Thank you for coming. Questions? Ask at www.sqlservercentral.com/forums
Slides/Code at www.voiceofthedba.com/talks
www.voiceofthedba.com | sjones@sqlservercentral.com | @way0utwest | /in/way0utwest

Slide 27: References
- Always Encrypted (BOL): https://msdn.microsoft.com/en-us/library/mt163865.aspx
- Column Encryption Metadata: https://blogs.msdn.microsoft.com/sqlsecurity/2015/07/06/always-encrypted-key-metadata/

Slide 28: Images
- http://excellentsecurityinc.com/media/1281/boxinternal2.jpg
- http://themarkconsulting.com/wp-content/uploads/2015/04/Bank_Vault_3D_Wallpaper-HD.jpg
- https://www.fcbweb.net/wp-content/uploads/2009/10/Safe.jpg
- https://i-msdn.sec.s-msft.com/dynimg/IC797953.jpeg
