Part III

Encryption
Objectives
• Encryption Concepts
o Symmetric Keys
o Asymmetric Keys
o Certificates
o Windows Data Protection API
• SQL Server Encryption Concepts
o Service Master Key
o Database Master Key
o Hierarchy
• Transparent Data Encryption
• Managing Cell-Level Encryption
• Always Encrypted
What is Encryption

• Encryption transforms readable data (plaintext) into ciphertext that
can only be turned back into plaintext by a party holding the right key.
Unlike obfuscation, its strength rests on the secrecy of the key, not of
the algorithm, so keys and certificates are the objects you must manage.
• Encryption is an additional layer of security over and above access
control, but it does not replace the need for an access control
implementation.
• Encrypting data also has the potential to considerably degrade
performance, so you should use it on the basis of need.
Encryption Concepts - Symmetric Keys
Symmetric key
• The same key is used both to encrypt and to decrypt the data (for
example AES_256 in SQL Server).
• Has the least performance overhead of the available options, which makes
it the right choice for encrypting the data itself.
• Its weak point is key handling rather than the algorithm: anyone who
obtains the single key can decrypt everything protected by it, so the key
must itself be protected.
In SQL Server a symmetric key is protected by encrypting it with a
password, with another symmetric key, with an asymmetric key or with a
certificate.
Encryption Concepts - Asymmetric Keys

Asymmetric key
• A mathematically related pair of keys: a public key that everyone may
have, and a private key known only to the owner.
• For confidentiality, data is encrypted with the recipient's public key
and can only be decrypted with the matching private key.
• The reverse direction, signing with the private key and verifying with
the public key, provides digital signatures, which is how certificates are
signed.
• Asymmetric operations are far slower than symmetric ones, so in practice
they protect symmetric keys rather than bulk data.
Encryption Concepts - Certificates
A certificate is issued by a trusted source, known as a certificate
authority (CA).

It uses an asymmetric key pair and provides a digitally signed statement
that binds the public key to a principal or device, which holds the
corresponding private key.

In other words, it is an electronic document that contains an entity's
public key and certifies the identity of the owner of that public key.
SQL Server can also create self-signed certificates (CREATE CERTIFICATE
... WITH SUBJECT); these carry no third-party assurance of identity and
serve only as key containers inside the encryption hierarchy.
Windows Data Protection API

The Windows Data Protection API (DPAPI) is a cryptographic application
programming interface (API) that ships with the Windows operating system,
allowing keys to be encrypted by using user or domain secret information.

DPAPI is used to encrypt the Service Master Key, which is the top level of
the SQL Server encryption hierarchy. Because that protection is tied to the
SQL Server service account and the machine, a master database restored onto
a different server cannot decrypt the Service Master Key by itself, which
is why the Service Master Key must be backed up.
SQL Server Encryption Concepts – Master Key

Service Master Key

• The root level of the SQL Server encryption hierarchy.
• Created automatically the first time it is needed after the instance is
built.
• Used to encrypt database master keys, credential secrets and linked
servers' passwords; the Service Master Key itself is protected by DPAPI
using the service account's credentials.
• Stored in the master database, and there is always precisely one per
instance.
• A symmetric key generated using the AES_256 algorithm (SQL Server 2012
and later; earlier versions used Triple DES).
SQL Server Encryption Concepts – Master Key

Regenerate the Service Master Key (ALTER SERVICE MASTER KEY REGENERATE)
periodically, or if you suspect it has been compromised; regeneration
decrypts and re-encrypts everything the key protects.

Take a backup of it after it has been created or regenerated and store it
in a secure, offsite location for the purpose of disaster recovery.
SQL Server Encryption Concepts – Master Key
Database Master Key
• A symmetric key used to protect the private keys of certificates and
asymmetric keys that are present in the database.
• When it is created, the Database Master Key is encrypted using the
AES_256 algorithm and a user-supplied password.
• By default a second copy is created that is encrypted using the Service
Master Key, allowing the Database Master Key to be opened automatically
when it is needed. This convenience can be removed (ALTER MASTER KEY DROP
ENCRYPTION BY SERVICE MASTER KEY), after which the key must be opened
explicitly with its password.
• The copy encrypted by the Service Master Key is stored both within the
database and within the master database.
• Should be backed up and stored in a secure offsite location.
SQL Server Encryption Concepts – Master Key

Creating a Database Master Key

Backing Up and Restoring a Database Master Key
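The commands behind the "Regenerate the Service Master Key" and "Creating / Backing Up and Restoring a Database Master Key" slides, as one added T-SQL example (not the original slide content). It assumes a sysadmin connection, a user database named TEST, and hypothetical backup paths and passwords; in practice the passwords come from a vault, and the backup files live off the database server.

```sql
-- Run as a sysadmin. Paths and passwords below are placeholders.
USE master;
GO

-- 1. Back up the Service Master Key (SMK). The file is protected by the
--    password given here; store file and password separately, offsite.
BACKUP SERVICE MASTER KEY
    TO FILE = 'D:\KeyBackups\SMK_Instance01.key'
    ENCRYPTION BY PASSWORD = 'Smk-Backup-P@ssw0rd-2024!';
GO

-- 2. Regenerate the SMK. Everything it protects (DMK copies, credentials,
--    linked server passwords) is decrypted and re-encrypted in place.
--    The FORCE option would skip items that cannot be decrypted, losing
--    them permanently, so it is deliberately not used here.
ALTER SERVICE MASTER KEY REGENERATE;
GO
-- The earlier backup no longer matches the live key; back it up again.
BACKUP SERVICE MASTER KEY
    TO FILE = 'D:\KeyBackups\SMK_Instance01_v2.key'
    ENCRYPTION BY PASSWORD = 'Smk-Backup-P@ssw0rd-2024!';
GO

-- 3. Create and back up a Database Master Key (DMK) in the user database.
USE TEST;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Dmk-TEST-P@ssw0rd-2024!';
GO
BACKUP MASTER KEY
    TO FILE = 'D:\KeyBackups\DMK_TEST.key'
    ENCRYPTION BY PASSWORD = 'Dmk-Backup-P@ssw0rd-2024!';
GO

-- 4. Hardening: drop the copy of the DMK that the SMK protects. From now on
--    the key only opens for someone who knows its password, so a sysadmin
--    on the instance cannot silently use it; the price is an explicit
--    OPEN MASTER KEY before any key it protects can be used.
ALTER MASTER KEY DROP ENCRYPTION BY SERVICE MASTER KEY;
GO
OPEN MASTER KEY DECRYPTION BY PASSWORD = 'Dmk-TEST-P@ssw0rd-2024!';
-- ... work with certificates or symmetric keys protected by the DMK ...
CLOSE MASTER KEY;
GO

-- 5. Disaster recovery (shown commented out because the keys already exist
--    in this session). Restoring the DMK lets you assign a new password.
-- RESTORE MASTER KEY
--     FROM FILE = 'D:\KeyBackups\DMK_TEST.key'
--     DECRYPTION BY PASSWORD = 'Dmk-Backup-P@ssw0rd-2024!'
--     ENCRYPTION BY PASSWORD = 'Dmk-TEST-NewP@ssw0rd-2024!';
-- RESTORE SERVICE MASTER KEY
--     FROM FILE = 'D:\KeyBackups\SMK_Instance01_v2.key'
--     DECRYPTION BY PASSWORD = 'Smk-Backup-P@ssw0rd-2024!';

-- 6. Check how the DMK is protected. is_master_key_encrypted_by_server = 1
--    means the SMK-encrypted copy (step 4 removed it) still exists.
SELECT name, is_master_key_encrypted_by_server
FROM sys.databases
WHERE name = 'TEST';
```

Step 4 is the part worth discussing with an auditor: with the SMK-encrypted copy present, anyone who can run code as sysadmin on the instance can open the DMK and every key beneath it; with it dropped, the password becomes a second factor that the instance itself does not hold.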


SQL Server Encryption Concepts – Hierarchy
From the root down: DPAPI protects the Service Master Key; the Service
Master Key protects each Database Master Key; a Database Master Key protects
the certificates and asymmetric keys in its database; those in turn protect
symmetric keys and Database Encryption Keys, which protect the data. Any
layer can instead be protected by a password, or by a key held outside SQL
Server through EKM.

An Extensible Key Management (EKM) module generates and manages the keys
and certificates used to secure SQL Server data in a third-party hardware
security module (HSM), which interfaces with SQL Server using the Microsoft
Cryptographic API (MSCAPI). The private key material never leaves the HSM;
SQL Server only asks the module to perform operations with it.
Enabling EKM and Importing the EKM Module
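The steps the slide title refers to, as an added T-SQL example (not the original slide's code). The provider name, DLL path, credential identity and secret, login and key label are all hypothetical; substitute the values your HSM or key-vault vendor supplies.

```sql
-- Run as sysadmin. All names, paths and secrets are placeholders.

-- 1. EKM is disabled by default; it is an advanced option.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;
RECONFIGURE;
GO

-- 2. Register the vendor's provider DLL. SQL Server loads this DLL in-process,
--    so only install a signed DLL from a trusted vendor, from a path that
--    non-administrators cannot write to.
CREATE CRYPTOGRAPHIC PROVIDER ExampleHsmProvider
    FROM FILE = 'C:\Program Files\ExampleHSM\ExampleEkm.dll';
GO

-- 3. A credential carries the identity and secret (for example a partition
--    PIN) that SQL Server presents to the HSM. Map it to the login that will
--    create keys on the provider, so only that login can authenticate.
CREATE CREDENTIAL ExampleHsmCredential
    WITH IDENTITY = 'hsm-partition-user',
         SECRET   = 'hsm-partition-pin-placeholder'
    FOR CRYPTOGRAPHIC PROVIDER ExampleHsmProvider;
GO
ALTER LOGIN [CONTOSO\sqldba] ADD CREDENTIAL ExampleHsmCredential;
GO

-- 4. Create an asymmetric key whose private half exists only inside the HSM.
--    CREATE_NEW generates it on the device; OPEN_EXISTING maps a key that is
--    already there (for example one shared with another instance).
USE master;
GO
CREATE ASYMMETRIC KEY TdeHsmKey
    FROM PROVIDER ExampleHsmProvider
    WITH ALGORITHM = RSA_2048,
         PROVIDER_KEY_NAME = 'sql-tde-key-01',
         CREATION_DISPOSITION = CREATE_NEW;
GO

-- 5. Verify: the provider is registered and enabled, what it supports, and
--    the key shows provider_type = 'CRYPTOGRAPHIC PROVIDER' rather than a
--    private key stored in the database.
SELECT name, is_enabled, dll_path, version
FROM sys.cryptographic_providers;

SELECT *
FROM sys.dm_cryptographic_provider_properties;

SELECT name, algorithm_desc, key_length, provider_type
FROM sys.asymmetric_keys
WHERE name = 'TdeHsmKey';
```

A key created this way can protect a Database Encryption Key (ENCRYPTION BY SERVER ASYMMETRIC KEY) in place of the certificate used in the TDE walkthrough later in this deck; the difference is that a copy of the database files plus the master database is then useless without access to the HSM.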
Transparent Data Encryption
Transparent Data Encryption (TDE) encrypts the data pages and log file of a
database at rest. The key used, known as the Database Encryption Key (DEK),
is stored in the boot record of the database, itself encrypted by a
certificate (or asymmetric key) held in the master database.

Once you enable TDE on a database, pages are encrypted before they are
written to disk, and they are decrypted when they are read into memory.
Backups of the database are encrypted with the same DEK.
Transparent Data Encryption

Advantages over cell-level encryption

• A database encrypted with TDE is the same size as it was before it was
encrypted.
• The performance overhead is significantly less than that associated with
cell-level encryption.
• Encryption is transparent to applications, meaning that developers do
not need to modify their code to access the data.
Transparent Data Encryption
• TDE protects data only when it is on disk; data in memory is plaintext.
In SQL Server 2014 the files of memory-optimized tables (the In-Memory
filegroup) were not encrypted by TDE; from SQL Server 2016 onwards they are.
• FILESTREAM data is not encrypted even when transparent data encryption
is enabled.
• Once any database on the instance is encrypted, tempdb is encrypted as
well, for every database that uses it.
• High availability and disaster recovery technologies such as database
mirroring, AlwaysOn Availability Groups and log shipping are supported with
databases that have TDE enabled, provided the certificate is also installed
on every secondary.
• Data on the replica database is also encrypted, and the data within the
log is encrypted.
Implementing TDE
• First, create a Database Master Key in the master database.
• Create a certificate in master, using the Database Master Key to protect
its private key, and back the certificate up together with its private key.
• In the user database, create a Database Encryption Key protected by that
server certificate.
• Finally, alter the database to turn encryption on.
Implementing TDE
When you enable TDE for a database, a background
process moves through each page in every data file and
encrypts it. This does not stop the database from being
accessible, but it does take out locks.
While the encryption scan is in progress, the following
operations cannot be performed:
• Dropping a file
• Dropping a filegroup
• Dropping the database
• Detaching the database
• Taking the database offline
• Setting the database as read_only
Implementing TDE
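The four steps above carried through end to end, plus the backup and the progress check a DBA wants, as an added T-SQL example (not the original slide's code). It assumes a sysadmin connection, a user database named TEST, and hypothetical backup paths and passwords.

```sql
-- Step 1: a Database Master Key in master protects the certificate's
-- private key. Create it only if this instance does not have one yet.
USE master;
GO
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys
               WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Master-Dmk-P@ssw0rd-2024!';
GO

-- Step 2: the server certificate that will protect the DEK.
CREATE CERTIFICATE TDE_TEST_Cert
    WITH SUBJECT = 'TDE certificate for database TEST';
GO

-- Back it up WITH its private key before anything depends on it. The
-- .pvk file is protected by the password; keep file and password apart.
-- Without this backup, losing master means losing the database and every
-- backup of it.
BACKUP CERTIFICATE TDE_TEST_Cert
    TO FILE = 'D:\KeyBackups\TDE_TEST_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\KeyBackups\TDE_TEST_Cert.pvk',
        ENCRYPTION BY PASSWORD = 'Cert-Backup-P@ssw0rd-2024!');
GO

-- Step 3: the Database Encryption Key lives inside the user database and is
-- encrypted by the certificate in master. SQL Server warns here if that
-- certificate has not been backed up yet.
USE TEST;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_TEST_Cert;
GO

-- Step 4: turn encryption on. A background scan now encrypts every page.
ALTER DATABASE TEST SET ENCRYPTION ON;
GO

-- Monitor the scan. encryption_state: 1 = unencrypted, 2 = encryption in
-- progress, 3 = encrypted. tempdb appears here too once any database is
-- encrypted. The join shows which certificate protects each DEK.
USE master;
GO
SELECT DB_NAME(k.database_id)  AS database_name,
       k.encryption_state,
       k.percent_complete,
       k.key_algorithm,
       k.key_length,
       c.name                  AS certificate_name,
       c.expiry_date
FROM sys.dm_database_encryption_keys AS k
LEFT JOIN sys.certificates AS c
       ON c.thumbprint = k.encryptor_thumbprint;
```

Two operational points this makes visible: the certificate is self-signed and its expiry date is ignored by TDE, so expiry is not a reason to rotate the key but a compromise is (ALTER DATABASE ENCRYPTION KEY ... REGENERATE or ENCRYPTION BY SERVER CERTIFICATE newcert); and the thumbprint in the join is what the migration step below has to match on the target instance.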
Managing TDE
Backing up the certificate together with its private key is critical.
If the certificate becomes unavailable, there is no way to recover the data
within the database, or from any of its backups.
Migrating an Encrypted Database
By the very nature of TDE, the following operation fails:
• moving the TEST database to a new instance by detaching it and
attempting to attach it there (the attach, or a restore of a backup, fails
because the new instance has no certificate with the thumbprint that
protects the Database Encryption Key).
Instead, first create a Database Master Key on the new instance (its
password is independent of the source instance's) and then restore the
server certificate and private key to the new instance, before attaching
or restoring the database.
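The target-side procedure just described, as an added T-SQL example (not the original slide's code). It assumes the certificate was backed up on the source instance to the files named here, that the detached TEST files have been copied to the paths shown, and that the passwords are the hypothetical ones used at backup time.

```sql
-- Run on the TARGET instance as sysadmin. Paths and passwords are
-- placeholders matching a backup taken on the source instance.
USE master;
GO

-- 1. A Database Master Key must exist in master to protect the imported
--    private key. Its password has nothing to do with the source instance.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys
               WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Target-Dmk-P@ssw0rd-2024!';
GO

-- 2. Import the certificate AND its private key. The name may differ from
--    the source; SQL Server matches the DEK to it by thumbprint, so the
--    same .cer/.pvk pair is what matters.
CREATE CERTIFICATE TDE_TEST_Cert
    FROM FILE = 'D:\KeyBackups\TDE_TEST_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\KeyBackups\TDE_TEST_Cert.pvk',
        DECRYPTION BY PASSWORD = 'Cert-Backup-P@ssw0rd-2024!');
GO

-- 3. Only now attach the copied files. Done before step 2, this fails with
--    "Cannot find server certificate with thumbprint ..." (error 33111).
CREATE DATABASE TEST
    ON (FILENAME = 'D:\Data\TEST.mdf'),
       (FILENAME = 'D:\Data\TEST_log.ldf')
    FOR ATTACH;
GO

-- Alternative to attach: restore a backup. TDE backups are encrypted with
-- the same DEK, so the same certificate requirement applies.
-- RESTORE DATABASE TEST FROM DISK = 'D:\Backups\TEST.bak' WITH RECOVERY;

-- 4. Verify the DEK found its certificate on this instance.
SELECT DB_NAME(k.database_id) AS database_name,
       k.encryption_state,
       c.name                 AS certificate_name
FROM sys.dm_database_encryption_keys AS k
JOIN sys.certificates AS c
  ON c.thumbprint = k.encryptor_thumbprint
WHERE k.database_id = DB_ID('TEST');
```

The same import is what every Availability Group secondary, mirror partner and log shipping target needs before it can receive the database, and it is the reason the .pvk password belongs in the disaster recovery runbook, not only in the DBA's head.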
Managing Cell-Level Encryption
Cell-level encryption allows you to encrypt a single
column, or even specific cells from a column, using a
symmetric key, an asymmetric key, a certificate, or a
password.

Disadvantages compared with TDE

• Significant performance impact.
• The data is much larger after it has been encrypted (bloat), because
each value carries its own key identifier and IV and is padded to the
cipher block size.
• Implementing cell-level encryption is a manual process that requires you
to make code changes to applications.
Managing Cell-Level Encryption
Encrypted data must be stored as one of the binary data types (binary,
varbinary, varbinary(max)), because EncryptByKey returns varbinary (up to
8,000 bytes).
Managing Cell-Level Encryption
Add an authenticator: when the data is encrypted, a value derived from the
authenticator is encrypted along with the data, and decryption must supply
the same authenticator or it returns NULL. Using the row's key as the
authenticator stops an attacker who can write to the table, but has no
access to the key, from copying one row's ciphertext into another row (a
substitution attack), which encryption on its own does not prevent.

Encrypting a Column Using an Authenticator
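The column encryption with an authenticator described above, followed by the substitution attempt it defends against, as an added T-SQL example (not the original slide's code). It assumes a Database Master Key already exists in the TEST database; the certificate, key, table and customer rows are constructed for the example.

```sql
USE TEST;
GO
-- Assumes TEST already has a Database Master Key. Hierarchy for this
-- column: DMK -> certificate -> AES-256 symmetric key -> cell data.
CREATE CERTIFICATE CustomerDataCert
    WITH SUBJECT = 'Protects the symmetric key for dbo.Customers';
GO
CREATE SYMMETRIC KEY CustomerDataKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CustomerDataCert;
GO

-- Constructed sample table. The sensitive value is stored only as
-- ciphertext, so its column is varbinary, never a character type.
CREATE TABLE dbo.Customers (
    CustomerID int            NOT NULL PRIMARY KEY,
    FullName   nvarchar(100)  NOT NULL,
    NationalID varbinary(256) NULL
);
INSERT INTO dbo.Customers (CustomerID, FullName)
VALUES (1, N'Alice Example'), (2, N'Bob Example');
GO

-- The key must be open for Key_GUID, EncryptByKey and DecryptByKey.
OPEN SYMMETRIC KEY CustomerDataKey
    DECRYPTION BY CERTIFICATE CustomerDataCert;

-- Encrypt with an authenticator: 3rd argument 1 enables it, 4th argument
-- is the value. Using the primary key binds each ciphertext to its row.
UPDATE c
SET    NationalID = EncryptByKey(Key_GUID('CustomerDataKey'),
                                 CONVERT(varbinary(100), v.nid),
                                 1,
                                 CONVERT(sysname, c.CustomerID))
FROM   dbo.Customers AS c
JOIN   (VALUES (1, N'AB123456C'), (2, N'CD654321E')) AS v(id, nid)
  ON   v.id = c.CustomerID;

-- Legitimate read: same open key, same authenticator per row.
SELECT CustomerID, FullName,
       CONVERT(nvarchar(100),
               DecryptByKey(NationalID, 1,
                            CONVERT(sysname, CustomerID))) AS NationalID
FROM dbo.Customers;

-- Substitution attack: a principal with UPDATE permission but no access
-- to the key copies Bob's ciphertext into Alice's row. Without an
-- authenticator the copied value would decrypt as Alice's. With it, the
-- authenticator embedded in the ciphertext (2) no longer matches the one
-- supplied at decryption time (1), so DecryptByKey returns NULL.
DECLARE @stolen varbinary(256) =
    (SELECT NationalID FROM dbo.Customers WHERE CustomerID = 2);
UPDATE dbo.Customers SET NationalID = @stolen WHERE CustomerID = 1;

SELECT CustomerID,
       CONVERT(nvarchar(100),
               DecryptByKey(NationalID, 1,
                            CONVERT(sysname, CustomerID))) AS NationalID
FROM dbo.Customers;

CLOSE SYMMETRIC KEY CustomerDataKey;
```

Run as written, the first SELECT returns both identifiers, and the second returns NULL for CustomerID 1 and Bob's identifier for CustomerID 2, which is the tamper signal an application should treat as an integrity failure rather than as missing data. Note what the authenticator does not do: it does not stop the attacker from deleting or nulling the value, and it does not hide the plaintext from anyone who can open the key, which with the default SMK-protected Database Master Key includes every sysadmin.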


Always Encrypted
Always Encrypted is a technology to protect data against privileged users,
such as members of the sysadmin role, and against anyone who obtains the
database files or backups: the database engine never holds the plaintext
or the keys needed to produce it.
Always Encrypted uses two separate types of key:
o The column encryption key is used to encrypt the data within a column.
o The column master key is used to encrypt the column encryption keys.
• The column master key is not stored in the database engine; it is stored
in an external key store that only clients can reach.
• The key store could be the Windows Certificate Store, an HSM reached
through a CNG or CAPI provider, or a key vault such as Azure Key Vault or
a Thales device.
• SQL Server stores only the location of the column master key, and the
column encryption keys in encrypted form, within the database metadata.
Always Encrypted
Instead of SQL Server being responsible for the encryption and decryption
of data, this responsibility is handled by the client driver (for example
.NET SqlClient, JDBC or ODBC with Column Encryption Setting=Enabled):
• The application issues a request that requires data to be encrypted (a
parameter targeting an encrypted column) or decrypted (an encrypted column
in the result set).
• The client driver asks the database engine (sp_describe_parameter_encryption)
which columns and parameters are encrypted and where the column master key
is located.
• The database engine also returns the encrypted values of the column
encryption keys and the algorithm used to encrypt them.
• The client driver contacts the external key store and uses the column
master key to decrypt the column encryption key.
• The plaintext column encryption key, cached in the client, is then used
to encrypt parameters before they are sent and to decrypt results after
they are received.
Always Encrypted
Always Encrypted has some significant limitations, including an inability
to perform range comparisons, pattern matching (LIKE) or sorting on
encrypted columns, and even equality comparisons are only available with
deterministic encryption (randomized encryption supports none of these,
but unlike deterministic encryption it does not reveal which rows hold
equal values).

Always Encrypted with secure enclaves (SQL Server 2019 and later)
addresses these limitations by allowing some computations on plaintext
data inside a secure enclave on the server side.

Secure enclaves work by using a protected area of memory inside the SQL
Server process as a trusted execution environment. Within this memory
region, data is decrypted and computations performed; the rest of the
process, including administrators, cannot read it, and the client verifies
the enclave's identity through attestation before releasing any key to it.

Always Encrypted is available in SQL Server 2016 (13.x) and later (in all
editions from SQL Server 2016 SP1) and in all service tiers of Azure SQL
Database.
Administering Keys
Metadata about keys is exposed through system tables and dynamic
management views.

Details regarding Column Master Keys (the key store provider and key path)
can be found in the sys.column_master_keys catalog view.

Details of Column Encryption Keys can be found in sys.column_encryption_keys,
and their encrypted values, together with the column master key and
algorithm that wrap each one, in sys.column_encryption_key_values. The
encryption type and key of each encrypted column are in sys.columns.
Administering Keys
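The key objects and metadata described on the Always Encrypted slides, as one added T-SQL example (not the original slide's code). The column master key is assumed to be a certificate in the client's Windows certificate store; its thumbprint, the key names, the table and the database TEST are hypothetical. The column encryption key's ENCRYPTED_VALUE is deliberately a placeholder: it can only be produced by a client that holds the column master key, which is the whole point of the design.

```sql
USE TEST;
GO
-- 1. Column master key (CMK): SQL Server stores only WHERE the key lives,
--    here a certificate in the client's CurrentUser\My store. The 40-digit
--    thumbprint is a placeholder for the real certificate's thumbprint.
CREATE COLUMN MASTER KEY CMK_Patients
WITH (
    KEY_STORE_PROVIDER_NAME = N'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = N'CurrentUser/My/0000000000000000000000000000000000000000'
);
GO

-- 2. Column encryption key (CEK): the server only ever holds it wrapped by
--    the CMK. T-SQL cannot compute ENCRYPTED_VALUE because the engine does
--    not have the CMK; a client with the certificate (the SSMS wizard, or
--    New-SqlColumnEncryptionKey from the SqlServer PowerShell module)
--    generates the CEK and RSA-OAEP-encrypts it. 0x00 is a placeholder
--    that must be replaced by that client-produced blob.
CREATE COLUMN ENCRYPTION KEY CEK_Patients
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Patients,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x00
);
GO

-- 3. One deterministic column (equality lookups allowed, equal plaintexts
--    produce equal ciphertexts) and one randomized column (no operations,
--    no leakage). Deterministic character columns require a BIN2 collation.
CREATE TABLE dbo.Patients (
    PatientID int IDENTITY(1,1) PRIMARY KEY,
    SSN char(11) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Patients,
                        ENCRYPTION_TYPE = DETERMINISTIC,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,
    Salary money
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Patients,
                        ENCRYPTION_TYPE = RANDOMIZED,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NULL
);
GO

-- 4. From a client connection with "Column Encryption Setting=Enabled" and
--    parameterized queries (the driver encrypts @ssn before sending):
--      SELECT PatientID FROM dbo.Patients WHERE SSN = @ssn;     -- allowed: deterministic
--      SELECT PatientID FROM dbo.Patients WHERE Salary > @min;  -- rejected: randomized, no enclave
--    From a plain sysadmin session, SELECT SSN, Salary returns varbinary
--    ciphertext, which is exactly what the feature promises.

-- 5. Administering keys: which columns are encrypted, how, with which CEK,
--    and where the wrapping CMK is kept. Nothing here is secret.
SELECT c.name                       AS column_name,
       c.encryption_type_desc,
       c.encryption_algorithm_name,
       cek.name                     AS cek_name,
       v.encryption_algorithm_name  AS cek_wrapping_algorithm,
       cmk.name                     AS cmk_name,
       cmk.key_store_provider_name,
       cmk.key_path
FROM sys.columns AS c
JOIN sys.column_encryption_keys AS cek
  ON cek.column_encryption_key_id = c.column_encryption_key_id
JOIN sys.column_encryption_key_values AS v
  ON v.column_encryption_key_id = cek.column_encryption_key_id
JOIN sys.column_master_keys AS cmk
  ON cmk.column_master_key_id = v.column_master_key_id
WHERE c.object_id = OBJECT_ID('dbo.Patients');
```

Compare the metadata query with the TDE and cell-level cases: there, a sysadmin who can read the catalog can also open the keys; here, the catalog tells an attacker only that the CEK exists, what wraps it and which client-side store to go after. Rotating the CMK therefore means re-wrapping the CEK on a client (a second row appears in sys.column_encryption_key_values during the rotation), not touching the data.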
