3
2017
SQL Server End to End Encryption – Always Encrypted, SSL/TLS
As we know, the solution for SQL Server data-at-rest encryption is TDE (Transparent Data Encryption). But what if the application needs end-to-end encryption for PII fields, so that the data is protected in transit, at rest and in memory on the server, even from a DBA or anyone else with access to the instance? The solution is Always Encrypted columns, introduced with SQL Server 2016 (Enterprise Edition at RTM, all editions from 2016 SP1). From the support DBA's perspective it is mostly a matter of setting it up and supporting it, but the major liability lies with the application developer, who needs to validate and implement the solution in the first place: encryption and decryption happen in the client driver, the column master key never reaches SQL Server, and the server only ever sees ciphertext. There are certainly caveats a developer needs to be aware of. For example, not every data type is supported (xml, text/ntext/image, rowversion, sql_variant, hierarchyid, geography, geometry, alias and CLR user-defined types cannot be encrypted), deterministic encryption of string columns requires a binary (_BIN2) collation, and the server can evaluate only equality predicates, and only on deterministically encrypted columns, so LIKE, range comparisons, ORDER BY and arithmetic on encrypted columns are not possible. All such validations need to be performed before recommending the solution.
From an architecture perspective, with SQL 2016 we have the capability of end-to-end data encryption within SQL Server. I will post articles in future if I implement it in my sub-system.
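The setup described above, as an added example (not code from the original post): the column master key, the column encryption key, a table with one deterministic and one randomized column, and the queries that do and do not work. Object names, the certificate path and the wrapped key value are placeholders; the example assumes SQL Server 2016 and a client with the certificate in its Windows certificate store.

```sql
-- Added example, not from the original post. Names, the certificate path and
-- the CEK value are placeholders.

-- 1. Column master key (CMK): metadata only. SQL Server stores WHERE the key
--    lives (a certificate in the client's Windows store); the key itself
--    never reaches the server.
CREATE COLUMN MASTER KEY CMK_Customer
WITH (
    KEY_STORE_PROVIDER_NAME = N'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = N'CurrentUser/My/<thumbprint of the CMK certificate>'
);
GO

-- 2. Column encryption key (CEK): the AES key that actually encrypts the data,
--    stored only wrapped by the CMK. ENCRYPTED_VALUE has to come from a client
--    tool that holds the CMK (SSMS "New Column Encryption Key" dialog or the
--    SqlServer PowerShell module); it cannot be produced in T-SQL because the
--    server never has the CMK.
CREATE COLUMN ENCRYPTION KEY CEK_Customer
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Customer,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x0000   -- placeholder: paste the client-generated wrapped key
);
GO

-- 3. Table: DETERMINISTIC only for the column that must be searched or joined
--    on (it leaks equality and value frequency), RANDOMIZED for the rest.
--    Deterministic string columns need a _BIN2 collation.
CREATE TABLE dbo.Customer (
    CustomerId INT IDENTITY(1,1) PRIMARY KEY,
    SSN CHAR(11) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (
            COLUMN_ENCRYPTION_KEY = CEK_Customer,
            ENCRYPTION_TYPE = DETERMINISTIC,
            ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,
    BirthDate DATE
        ENCRYPTED WITH (
            COLUMN_ENCRYPTION_KEY = CEK_Customer,
            ENCRYPTION_TYPE = RANDOMIZED,
            ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NULL,
    FullName NVARCHAR(100) NOT NULL   -- not treated as PII here, stays in clear
);
GO

-- 4. What the server can and cannot do. Run from a connection that has
--    "Column Encryption Setting=Enabled" and access to the CMK certificate
--    (in SSMS also enable "Parameterization for Always Encrypted", which
--    turns the DECLAREs below into parameters the driver encrypts).
DECLARE @ssn CHAR(11) = '123-45-6789';
DECLARE @dob DATE     = '1980-01-01';

-- Works: the driver encrypts both parameters before sending them.
INSERT INTO dbo.Customer (SSN, BirthDate, FullName)
VALUES (@ssn, @dob, N'Test Person');

-- Works: equality on a DETERMINISTIC column (same plaintext = same ciphertext).
SELECT CustomerId, FullName FROM dbo.Customer WHERE SSN = @ssn;

-- Fails: equality on a RANDOMIZED column.
-- SELECT CustomerId FROM dbo.Customer WHERE BirthDate = @dob;

-- Fails: anything but equality, even on the DETERMINISTIC column.
-- SELECT CustomerId FROM dbo.Customer WHERE SSN LIKE '123%';
-- SELECT CustomerId FROM dbo.Customer ORDER BY SSN;

-- Fails with an operand type clash: a plain literal, because the server would
-- have to compare plaintext with ciphertext.
-- SELECT CustomerId FROM dbo.Customer WHERE SSN = '123-45-6789';

-- From a connection WITHOUT Column Encryption Setting=Enabled (for example the
-- DBA's own session) the same SELECT returns SSN and BirthDate as varbinary
-- ciphertext, which is exactly the property the feature is bought for.
-- SELECT SSN, BirthDate FROM dbo.Customer;
```

The developer-side check this implies: every query the application runs against an encrypted column must be parameterised and limited to equality on deterministic columns; anything else has to move into the application after decryption, which is where the performance and design work in the links below comes from.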
Some useful links on the same topic covering limitations, how to set it up, minimum requirements, etc.:
http://www.sqlchamp.com/2016/07/limitations-always-encrypted/337
https://blogs.sentryone.com/aaronbertrand/t-sql-tuesday-69-always-encrypted-limitations/
This link explains the step by step process for a DBA to set up Always Encrypted:
Migrating existing data: https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/migrate-sensitive-data-protected-by-always-encrypted
Performance impact: https://sqlperformance.com/2015/08/sql-server-2016/perf-impact-always-encrypted
Hope this helps someone looking into this topic.
Possible options for earlier SQL versions, i.e. SQL 2012 and 2008 R2
With SQL 2008 R2 and 2012 there is no Always Encrypted; instead, SSL/TLS encryption of the connection can be enabled. This does not give end-to-end data encryption (the data is still plaintext at rest and in memory on the server, readable by anyone with sufficient privileges there), but at least it transfers the data over a secure channel, which is still secured and can clear audit guidelines. It requires a certificate issued to the server's fully qualified name, and the client should validate that certificate rather than connect with TrustServerCertificate=True, otherwise the channel can be intercepted. Follow the link below to understand it better.
For SSL follow this link: https://support.microsoft.com/en-us/help/316898/how-to-enable-ssl-encryption-for-an-instance-of-sql-server-by-using-mi
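Once the certificate is installed and Force Encryption is turned on per the KB article, the following queries, added here as an example and not part of the original post, verify that connections are actually encrypted. They use only the sys.dm_exec_connections and sys.dm_exec_sessions DMVs, which exist on SQL 2008 R2 and later.

```sql
-- Added example, not from the original post: verify TLS on the wire after
-- enabling encryption on SQL 2008 R2 / 2012 (works on later versions too).

-- Is THIS session encrypted? encrypt_option is the string 'TRUE' or 'FALSE'.
SELECT c.session_id,
       s.login_name,
       c.net_transport,       -- 'TCP' expected; 'Shared memory' is local-only
       c.encrypt_option,      -- must be 'TRUE'
       c.auth_scheme,         -- NTLM / KERBEROS / SQL
       c.client_net_address
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.session_id = @@SPID;

-- Audit: every remote session that is NOT encrypted. With Force Encryption on
-- this returns nothing; if the server instead relies on clients asking for
-- Encrypt=True, this is the list of clients that still need fixing.
SELECT c.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       c.client_net_address,
       c.connect_time
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.net_transport = 'TCP'
  AND c.encrypt_option = 'FALSE'
ORDER BY c.connect_time;
```

Two caveats when reading the result: encrypt_option = 'TRUE' only tells you the channel is encrypted, not that the client validated the server certificate, so check the application connection strings for TrustServerCertificate=True separately; and which TLS version gets negotiated depends on the patch level of both the SQL Server build and the client driver, so an audit that requires TLS 1.2 also needs the updates that add it to these older versions.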
Hope it helps!
