Oct
3
2017
Link•o•logy // Sql Server 2008 R2 // Sql Server 2012 // SQL Server 2014 // SQL Server 2016 // SQL Server 2017 // SQL Server Encryption // SQL Server Features // SQLServer // Useful Tweaks and Tips

SQL Server End to End Encryption – Always Encrypt, SSL

Author An article by contactng    Comments No Comments

As we know the solution for SQL Server Data at rest encryption is TDE (Transparent Data Encryption) but what if application need End to End data encryption for PII fields, the solution is Always Encrypt columns in SQL 2016 Ent. Ed., from support DBA perspective it’s more of setting it up and supporting it but major liability lies with application developer, they need to validate and implement solution in first place; certainly there are few caveats a developer need to be aware of for e.g. not all variables are supported, only couple of them, hence all such validations need to be performed prior to recommending solution.

From architecture perspective, with SQL 2016, we have capability of end to end data encryption within SQL server, I will post articles in future if implement in my sub system,

Some useful links on the same topic stating limitations, how to setup, minimum requirements, etc.

http://www.sqlchamp.com/2016/07/limitations-always-encrypted/337

https://blogs.sentryone.com/aaronbertrand/t-sql-tuesday-69-always-encrypted-limitations/

This link explains step by step process for DBA to set up always Encrypted :

https://www.red-gate.com/simple-talk/sql/database-administration/sql-server-encryption-always-encrypted/

Migrating Existing data: https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/migrate-sensitive-data-protected-by-always-encrypted

Performance impact: https://sqlperformance.com/2015/08/sql-server-2016/perf-impact-always-encrypted

Hope this helps someone looking on this topic.

 

Possible options for Earlier SQL versions i.e. SQL 2012 and 2008 R2

With SQL 2008 R2 and 2012, instead of always encrypt, SSL option can be enabled which doesn’t do end to end data encrypt but atleast transfer data on secure channel which is still secured and can clear audit guidelines, it require certificates, follow below link to understand it better,

For SSL follow this link: https://support.microsoft.com/en-us/help/316898/how-to-enable-ssl-encryption-for-an-instance-of-sql-server-by-using-mi

Hope it helps!

Download PDF

About the Author: Nitin G

Indian born, trekker, biker, photographer, lover of monsoons. I've been working full time with SQL Server since year 2005 and blogs to post the content aquired during my research on new topics or fixing issues faced by me as a DBA while working in different kind of projects, hope some of my posts may helps others in SQLDBA community. Everything you read on my blog is my own personal opinion and any code is provided "AS-IS" with no warranties!

Leave a comment

Subscribe to this blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 236 other subscribers

Translate this blog!

EnglishFrenchGermanItalianPortugueseRussianSpanish

Old Posts

Tags

80040e31 ACO5422E agent not starting AWE cache cluster connection datacollector error failure lock pages in memory maintenance plan Maintenance plan error microsoft Migration MSDTC OLEDB error outlook RAM Replication Script SQL2000 SQL agent SQL login sql server SQLServer SQL Server 2000 SQL Server 2005 SQL Server 2005 SP2 SQL Server 2008 SQLServer2008 SQL Server 2008 R2 SQL Server 2012 SQL Server Denali t-sql tdp sql v5.5.1 tdp v5.5.1 timeout error tips tivoli Tivoli Data Protection transactional replication upgrade Windows x64

Calender

October 2019
M T W T F S S
« Nov    
 123456
78910111213
14151617181920
21222324252627
28293031  

View Post by Categories

Recent Articles

%d bloggers like this: