Always encrypted Behavior in SQL Server 2016
Asked Answered
S

2

2

I was doing some demo in SQL Server 2016 for topic Always encrypted. Got few doubts. Below are the steps followed:

In Database server (hosted in Microsoft Azure VM):

  1. In table MyTable, Created the Column Encryption Key (CEK) and Master Encryption Key (CMK)
  2. Select * from MyTable, shows encrypted data.(both from App and DB server)
  3. Exported the certificate from Database Server
  4. Imported the certificate in App Server (my Local machine)
  5. Added Column Encryption Setting=Enabled to the connection string of my application.
  6. It is working fine, now it shows the plain text data as expected.

Doubt:

In Database Server (in MS Azure VM), If a SysAdmin login (SQL Authentication) connects to SSMS with additional parameter Column Encryption Setting=Enabled, It is shows plain text data (expecting encrypted data). My understanding is, no one other then application users should see the plain text data). Can anyone please clarify?

Seventh answered 10/2, 2017 at 11:5 Comment(4)
What you say is that a user with permissions to use the certificate , on a machine that does have the appropriate certificates connects to the database with Column Encryption and is able to read the data. That's OK. It doesn't matter if that user connects through code or SSMS. It's still a user doing something that is permittedChurr
Always Encrypted is a data protection mechanism, not a permissions mechanism. It prevents hackers from ever reading the data even if they steal the database files or install Wireshark to capture packets. It's not a mechanism that will prevent the server administrator from reading data to which he does have permission.Churr
If you want to limit administrative access, don't give server administration rights to everyone. Use roles with the minimum required priviledges and only give permissions to keys and certificates to the users and roles that do require such access.Churr
Thank you @Panagiotis Kanavos for your clarification. Can you please explain/share some links on Use roles with the minimum required priviledges and only give permissions to keys and certificates to the users and roles that do require such access.?Seventh
K
3

In step 3 you mention that you export the certificate from the Database Server, to ensure maximum security, never store your certificate on the Database Server. The server does not need to have access to the certificate.

If a SysAdmin login (SQL Authentication) connects to SSMS with additional parameter Column Encryption Setting=Enabled, It is shows plain text data (expecting encrypted data). My understanding is, no one other then application users should see the plain text data). Can anyone please clarify?

If the SysAdmin is connecting to SSMS from a client machine that has the certificate and if the SysAdmin has permission to access the certificate, then they will see the plain text data.

Roughly speaking, Always Encrypted provides the following security guarantee, Plaintext data will only be visible to entities that have access to the ColumnMasterKey (Certificate)


To elaborate, Consider the following scenario.

Consider two machines:

  • MachineA: Machine on which SQL Server is running
  • MachineT: Client Machine.

Consider two users

  • UserA (this can technically be a group of users, but I will be considering a scenario with single user for simplicity): Who is an Administrator on MachineA, managing SQL server and is SysAdmin on SQL server. However, userA does not have any kind of access to MachineT and UserA should not be able to decrypt any encrypted data stored in SQL Server on Machine A (Encrypted data, in the context of this answer is data that is encrypted using Always Encrypted feature of SQL Server).

  • UserT (this can technically be a group of users, but I will be considering a scenario with single user for simplicity): Is a trusted user, has access to MachineT, has access to all data in database db which is hosted in SQL Server on MachineA. Also, since userT is trusted, he/she should be able to decrypt the encrypted data.

Consider SQL Server running on MachineA has database db and table t.

Our goal is to secure a column belonging to table t, say ssnCol, such that only userT should be able to see the ssnCol in plaintext.

The goal described above can be achieved using the following steps.

  • UserT logs into MachineT.
  • UserT opens SSMS in MachineT.
  • UserT connects to SQL Server on MachineA
  • UserT encrypts ssnCol in table t using the steps mentioned in the Encrypt columns (configure Always Encrypted) section of this article
  • After this step, the column ssnCol would be encrypted.

When userT encrypts ssnCol in the manner described above, two keys are generated

  • CMK: CMK aka column master key is the key that is used to encrypt CEK/s. This key is stored in the windows certificate store of MachineT.
  • CEK: CEK aka column encryption key is the key that is used to encrypt ssnCol, this key is stored in encrypted form in SQL Server on MachineA and is not persisted anywhere in plaintext.

Hence, In order to decrypt ssnCol, CEK is required, however, in order to decrypt CEK, CMK is required.

Since CMK is in the Windows certificate store of machineT, only userT can access the CMK, decrypt the CEK and decrypt ssnCol.

userA is an administrator on machineA and also a SysAdmin on SQL Server, but, since he/she does not have access to the CMK, userA can not access ssnCol in plaintext. You can verify this by, using SSMS from MachineA, logging in as userA and querying ssnCol

If you have additional questions please put them in the comments section and I can answer them.

Kelleykelli answered 14/2, 2017 at 19:58 Comment(6)
It was helpful, Thanks! I am not storing any certificate in DB server. It was created while the keys were created. Followed databasejournal.com/features/mssql/….Seventh
@p2k to better assist you could you please answer the following questions. 1) What machine did you use to create the CMK and CEK mentioned in your step 1. 2) I am assuming that you have a two machine setup, machine A: SQL server housing you database and machine B: is your local machine a.k.a your app server is that correct? 3) which machine are you using to log in as SysAdmin?Kelleykelli
Superb explanation. No one covers this information on any online articles I read as of now. + 1Phytohormone
@Phytohormone Thank you, I appreciate it!Kelleykelli
Thanks Nikhil, that's really cleared things up for me. One follow up question - As is fairly common in Enterprise scenarios, there are members of the Server team (let's call them UserS) who have admin access over MachineA and MachineT for patching, maintenance, security requests etc... Where could I store the CMK where UserS would not be able to use it?Dermatoplasty
Nick, If a user has admin access to a machine, they will have access to all certificates stored on that machine. In this case you might want to consider a cloud key store based solution (Currently only Azure Key Vault is supported), but even in that case an admin can sniff key from the memory. Always Encrypted operates on the premise that client machine and their admins are trusted.Kelleykelli
T
2

One additional and very important consideration:

The primary goals of Always Encrypted is to protect your data from malware running on the machine hosting SQL Server and from malicious high privilege users on the machine hosting SQL Server (DBAs, sys admins). If these are the attack vectors you want to address in you application, you should never provision keys for Always Encrypted on a machine hosting a SQL Server instance that contains a database with columns you want to protect. If you run a key provisioning tool, e.g. SSMS or PowerShell, on a machine hosting your instance, and the machine is compromised, an attacker can steal your keys, e.g. by scraping SSMS memory. And, of course, if you generate a certificate and put in the certificate store on the server machine, it is even easier for an attacker to get it.

Please, refer to https://msdn.microsoft.com/en-us/library/mt708953.aspx#SecurityForKeyManagement for more details and useful guidelines.

Turpin answered 23/2, 2017 at 18:32 Comment(0)

© 2022 - 2025 — McMap. All rights reserved.