Skill No 1 – Encryption – Data Management Engineer

Configure Data Access – Column Level Encryption

Introduction

In today’s world, data security is more critical than ever. The ability to encrypt data at the column level is a critical capability in any modern database engine with the increasing number of data breaches, organizations must protect their sensitive information from unauthorized access. One way to accomplish this is through column-level encryption in SQL Server also applicable in Oracle. In this article, we will discuss how to implement column-level, including examples and use cases, while emphasizing the importance of security and performance efficiency.

What is Column-Level Encryption?

Column-level encryption is a method of encrypting individual columns within a database table. This type of encryption protects sensitive information such as credit card numbers, social security numbers, and personal information. When implemented correctly, column-level encryption can provide a higher level of security than database-level encryption.

To understand and implement encryption in SQL Server you need to understand its encryption hierarchy and key management architecture. Layers of encryption are protected by preceding layers of encryption that can use asymmetric keys, certificates, and symmetric keys.

Extensible Key Management SQL Server EKM

enables the encryption keys that protect the database files to be stored outside of the SQL Server environment such as a smartcard, a USB device, and the EKM module of Hardware Security Module (HSM). It also helps secure the SQL Server instance from database administrators because they will not necessarily have access to the external EKM/HSM module.

Service Master Key The Service Master Key (SMK)

is the root of the database engine’s encryption hierarchy and is generated automatically the first time it is needed to encrypt another key. By default, the SMK is encrypted using the Windows data protection API (DPAPI) at the operating system level, which uses the local machine key. The SMK can only be opened by the Windows service account that created it, or by a principal that knows the service account name and its password.

Database Master Key

The Database Master Key (DMK) is a symmetric key used to protect the private keys of certificates and asymmetric keys that are present in the database. When created it is encrypted using AES_256 and a password you provide. Query the [sys].[symmetric_keys] catalog view to get information about the DMK.

Asymmetric Key

An asymmetric key consists of a private and corresponding public key. Asymmetric encryption is computationally more expensive, but more secure than symmetric encryption. You can use an asymmetric key to encrypt a symmetric key within a database.

Symmetric Key

A symmetric key is a single key that uses encryption.
Symmetric encryption is generally used over asymmetric encryption because it is faster and less computationally expensive. Certificate Certificates are a digitally signed security object that contain a public (and optionally a private) key for SQL Server, which can generate certificates. You can also use externally generated certificates, and just like with asymmetric keys, certificates can be used in asymmetric encryption.

Implementing Column-Level Encryption in SQL Server

SQL Server offers two options for column-level encryption: symmetric and asymmetric encryption. Let’s take a look at both options.

Symmetric Encryption

Uses the same key to encrypt and decrypt data. This type of encryption is faster and more efficient than asymmetric encryption. However, it is less secure since the same key is used to encrypt and decrypt the data.

To implement symmetric encryption in SQL Server, follow these steps:

Step 1: Create a Master Key

The first step is to create a master key that will be used to protect the symmetric key. You can create a master key using the following T-SQL command:

CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'VeryStrongPasswd';

Step 2: Create a Symmetric Key

The next step is to create a symmetric key that will be used to encrypt and decrypt the data. You can create a symmetric key using the following T-SQL command:

CREATE SYMMETRIC KEY MySymmetricKey

WITH ALGORITHM = AES_256

ENCRYPTION BY PASSWORD = 'MyStrongPassword';

Step 3: Encrypt the Column

Once you have created the symmetric key, you can use it to encrypt the column using the following T-SQL command:

UPDATE MyTable SET MyColumn = ENCRYPTBYKEY(KEY_GUID('MySymmetricKey'), MyColumn);

To decrypt the column, you can use the following T-SQL command:

SELECT CONVERT(varchar, DECRYPTBYKEY(MyColumn)) AS MyColumn

FROM MyTable;

Asymmetric Encryption

Uses a public key to encrypt the data and a private key to decrypt it. This type of encryption is more secure than symmetric encryption but is slower and less efficient.

To implement asymmetric encryption in SQL Server, follow these steps:

Step 1: Create a Master Key

The first step is to create a master key that will be used to protect the asymmetric key. You can create a master key using the following T-SQL command:

CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'MyStrongPassword';

Step 2: Create an Asymmetric Key

The next step is to create an asymmetric key pair. You can create an asymmetric key pair using the following T-SQL command:

CREATE ASYMMETRIC KEY MyAsymmetricKey

WITH ALGORITHM = RSA_2048 ENCRYPTION BY PASSWORD = 'MyStrongPassword';

Step 3: Create a Certificate

Once you have created the asymmetric key pair, you can create a certificate using the following T-SQL command:

CREATE CERTIFICATE MyCertificate

AUTHORIZATION dbo FROM ASYMMETRIC KEY MyAsymmetricKey;

Step 4: Encrypt the Column

Finally, you can use the certificate to encrypt the column using the following T-SQL command:

UPDATE MyTable

SET MyColumn = ENCRYPTBYCERT(CERT_ID('MyCertificate'), MyColumn);

Check this out another exercise!

USE tempdb; GO 

-- Create sample table 

CREATE TABLE Employees (EmployeeID INT PRIMARY KEY,EmployeeName VARCHAR(300),Position VARCHAR(100), Salary VARBINARY(128) ); GO 

-- Create SMK 

CREATE SYMMETRIC KEY SMK_Emp WITH ALGORITHM = AES_256 ENCRYPTION BY PASSWORD = 'Pa$$w0rd'; GO 

-- Open SMK 

OPEN SYMMETRIC KEY SMK_Emp DECRYPTION BY PASSWORD = 'Pa$$w0rd'; GO 

-- Verify open keys 

SELECT * FROM sys.openkeys; GO 

-- Insert data 

INSERT Employees VALUES (1, 'Marcus', 'CTO', ENCRYPTBYKEY(KEY_GUID('SMK_Emp'),'$100000')); INSERT Employees VALUES (2, 'Christopher', 'CIO',ENCRYPTBYKEY(KEY_GUID('SMK_Emp'),'$200000')); INSERT Employees VALUES (3, 'Isabelle', 'CEO',ENCRYPTBYKEY(KEY_GUID('SMK_Emp'),'$300000')); GO 

-- Query table with encrypted values 

SELECT * FROM Employees; GO 

-- Query table with decrypted values 

SELECT *, CONVERT(VARCHAR, DECRYPTBYKEY(Salary)) AS DecryptedSalary FROM Employees; GO 

-- Close SMK 

CLOSE SYMMETRIC KEY SMK_Emp GO 

-- Query table with decrypted values after key SMK is closed 

SELECT *, CONVERT(VARCHAR, DECRYPTBYKEY(Salary)) AS DecryptedSalary FROM Employees; GO 

-- Clever CTO updates their salary to match CEO's salary 

UPDATE Employees SET Salary = (SELECT Salary FROM Employees WHERE Position = 'CEO') WHERE EmployeeName = 'Marcus'; GO 

-- Open SMK and query table with decrypted values 

OPEN SYMMETRIC KEY SMK_Emp DECRYPTION BY PASSWORD = 'Pa$$w0rd'; SELECT *, CONVERT(VARCHAR, DECRYPTBYKEY(Salary)) AS DecryptedSalary FROM Employees; GO 

-- Cleanup (Optional)

DROP TABLE Employees; 
DROP SYMMETRIC KEY SMK_Emp; 
GO

Need more Review? Encryption authenticators

For more information on authenticators SQL Server supports a number of different system functions that support encryption, decryption, digital signing and validation of digital signatures. To familiarize yourself with these functions visit https://technet.microsoft.com/enus/library/ms365192(v=sql.105).aspx.

March 1, 2023

Data Management Engineer

Skill No 1 - Encryption, SQL Server

Introduction

Database encryption increases the security of your data at rest and during transportation. With recent security vulnerabilities, many organisations have taken data encryption seriously. However, database management systems are a common target for attackers because they hold the most valuable asset for most organisations. Once an attacker has gained access to valuable data on your server, they will likely steal it. They then use the data to demand payment in exchange, manipulate data, or achieve monetary profit from the organisation they have attacked.

Security Regulations Compliance

Encryption is one of the most critical requirements for security regulations such as PCI-DSS. It is a statutory requirement. For example, all cardholder data must be encrypted (e.g., AES-256, RSA 2048), truncated, tokenised, or hashed (approved hash algorithms specified in FIPS 180-4: SHA-1, SHA-224, SHA-256, SHA-384 SHA-512, SHA-512/224, and SHA-512/256). Although this is not the only requisite for having encrypted data, PCI-DSS also needs that the PCI-DSS encryption key management process is supported (we are going to discuss this in the future)

Protecting Sensitive Data

With centralised key management and simple APIs for data encryption, encryption key management is ideal for protecting sensitive data. Examples of these key management include using Hashicorp Vault (open source) if you use the public cloud like OCI Oracle using Oracle’s manage keys, Amazon Web Service (AWS) Key Management, likely also talking about in the near future about this.

Data Encryption…What is it?

Encoding data is the process of encrypting it. It is primarily a two-way function, meaning encrypted data must be decrypted using a valid encryption key. Encryption is one such Cryptography technique. Encryption is a method of concealing information by altering it so that it appears to be random data – encryption methods can make your data (for example, messages) confidential. Still, other techniques and strategies are required to ensure the message’s integrity and authenticity. Encryption is primarily a mathematical process.

There are two basic types for encrypting data in a database. Data at rest and data in transit.

Data-at-Rest Encryption

Is data that is stored in a system; this data is encrypted using an algorithm to convert text or code into unreadable. To decode the encrypted data, you must have an encryption key. Encrypting an entire database should be done cautiously because it can significantly impact performance. As a result, it is best to encrypt only individual fields or tables. Data-at-rest encryption protects data from physical theft of hard drives or unauthorised file storage access. This encryption also complies with data security regulations, mainly if the filesystem contains financial or health data. For example, your PostgreSQL’s data_directory, MySQL/MariaDB data_dir, or MongoDB’s dbPath storage locations. Transparent Data Encryption (TDE) is a common process for providing encryption. The concept is mainly encrypting everything that is persistent. We are going to explain in detail Encryption on Oracle and SQL Server in detail.

Data in-Transit Encryption

Data-in-transit refers to data that is transferred or moved between transactions. This data type can be seen in the data that moves between the server and the client while browsing web pages. Because it is constantly in motion, it must be encrypted to prevent data theft or alteration before it reaches its destination. The ideal situation for protecting data-in-transit is to be encrypted before it moves and decrypted once it arrives at its destination.

Advantages of Data Encryption

It ensures the security of all of your data at all times.
Whatsoever times, privacy and sensitive information are protected.
It safeguards your data across devices.
Ensure government regulatory compliance.
It offers you a competitive advantage.
The presence of underlying encryption technology for data protection may increase trust.
Encrypted data is much more secure.

Disadvantages

Encryption employs complex and sophisticated mathematical operations to conceal the meaning of data. Depending on which cyphers or algorithms you use for hashing or deciphering the data. If your database is designed to handle many requests, it will saturate your resources, particularly the CPU.

Attempting to set up data encryption, such as TLS for in-transit or using RSA 2048 bits, can be prohibitively expensive if your financial resources have not been budgeted for this type of consequence. It consumes many resources and puts additional strain on the system’s processor.

Losing the data encryption keys, you will never lose your keys; keep them in a secure place.

Data encryption impacts recovery time, RTO

Encryption Architecture

To understand and implement encryption in SQL Server, you must understand its encryption hierarchy and key management architecture. Layers of encryption are protected by preceding layers of encryption that can use asymmetric keys, certificates, and symmetric keys. (See the graphic above)

Extensible Key Management
Service Master Key
Database Master Key
Asymmetric Key
Symmetric Key
Certificate

Implement column-level encryption

When implementing column-level encryption, consider the following.

Encrypted data cannot be compressed, but compressed data can be encrypted. When using compression, you should compress data before encrypting it for optimal results.
Stronger encryption algorithms consume more processors and resources. SQL Server 2016, the database can take advantage of hardware acceleration, using Intel AES-NI when performing encryption/decryption tasks.
Many database engines support algorithms compatibility 130 or above are AES.128, AES-192, and AES-256

Symmetric keys can encrypt and decrypt data quickly, but it’s more difficult to secure should a key get lost or fall into the wrong hands. They can be password-protected, though, meaning that someone would need to know the password in order to use the key for encryption and decryption. So there’s a little protection provided there against unauthorized use.

Asymmetric keys work a little differently. These keys come in pairs, generally noted as public and private keys. The matching public key can only decrypt data encrypted with a private key and data encrypted with a public key can only be decrypted with the matching private key. This allows you to share the public key with anyone who needs to send you secure information. They can encrypt the data on their end with the public key and then transmit the encrypted values, and be sure that you will be the only one to decrypt them.

Continue reading Continue reading

February 18, 2023

Jairo Suarez Carrillo

Skill No 1 - Encryption

Skill No 1 – Encryption

Configure Data Access – Column Level Encryption

Introduction

What is Column-Level Encryption?

Implementing Column-Level Encryption in SQL Server

Check this out another exercise!