Configure data access and auditing || a - i (Part -1)

-

Qsn) Explain encryption hierarchy and key management architecture.

Ans:

Layers of encryption are protected by preceding layers of encryption that can use asymmetric keys, certificates, and symmetric keys.

Extensible Key Management :
  • SQL Server EKM enables the encryption keys that protect the database files to be stored outside of the SQL Server environment such as a smartcard, a USB device, and the EKM module of Hardware Security Module (HSM).

Service Master Key :
  • SMK is generated automatically the first time it is needed to encrypt another key.
  •  The SMK can only be opened by the Windows service account that created it, or by a principal that knows the service account name and its password.

Database Master Key :
  • The Database Master Key (DMK) is a symmetric key used to protect the private keys of certificates and asymmetric keys that are present in the database

Asymmetric Key :
  • An asymmetric key consists of a private and corresponding public key.

Symmetric Key :
  • A symmetric key is a single key that uses encryption. 

Certificate :
  • Certificates are a digitally signed security object that contain a public (and optionally a private) key for SQL Server, which can generate certificates.
  •  You can also use externally generated certificates. and just like with asymmetric keys, certificates can be used in asymmetric encryption.

* Keep in mind the following concepts

  • For best performance, encrypt data using symmetric keys instead of certificates or asymmetric keys. 
  • Database master keys are protected by the Service Master Key. The Service Master Key is created by SQL Server setup and is encrypted with the Windows Data Protection API (DPAPI). 
  • Other encryption hierarchies stacking additional layers are possible. 
  • An Extensible Key Management (EKM) module holds symmetric or asymmetric keys outside of SQL Server. 
  • Transparent Data Encryption (TDE) must use a symmetric key called the database encryption key which is protected by either a certificate protected by the database master key of the master database, or by an asymmetric key stored in an EKM. 
  • The Service Master Key and all Database Master Keys are symmetric keys. 
  • Symmetric and asymmetric keys in the EKM can protect access to the symmetric and asymmetric keys stored in SQL Server. The dotted line associated with EKM indicates that keys in the EKM could replace the symmetric and asymmetric keys stored in SQL Server.


Qsn) What is Column Level Encryption?
Ans:

  • The ability to encrypt data at the column level is a critical capability in any modern database engine 
  • Column level Encryption has been introduced since, SQL Server 2005
Qsn) How you will implement column level Encryption ?
Ans:

Column level Encryption can be implemented using Symmetric Key or using Certificate

Permission Required:

  • CONTROL permission on the database.
  • CREATE CERTIFICATE permission on the database. Only Windows logins, SQL Server logins, and application roles can own certificates. Groups and roles cannot own certificates.
  • ALTER permission on the table.
  • permission on the key and must not have been denied VIEW DEFINITION permission.


Example of Column level Encryption using symmetric key


Use [trans_DB]
GO

-- Create sample table

CREATE TABLE Employees (
EmployeeID INT PRIMARY KEY,
EmployeeName VARCHAR(300),
Position VARCHAR(100),
Salary VARBINARY(128)
);
GO

-- Create SMK

CREATE SYMMETRIC KEY SMK_Emp
WITH ALGORITHM = AES_256 ENCRYPTION BY PASSWORD = 'Pass123$';
GO

-- Open SMK

OPEN SYMMETRIC KEY SMK_Emp DECRYPTION BY PASSWORD = 'Pass123$';

-- Verify open keys

SELECT * FROM sys.openkeys;

-- Insert data

INSERT Employees VALUES (1, 'Marcus', 'CTO',ENCRYPTBYKEY(KEY_GUID('SMK_Emp'), '$100000'));

INSERT Employees VALUES (2, 'Christopher', 'CIO',
ENCRYPTBYKEY(KEY_GUID('SMK_Emp'),'$200000'));

INSERT Employees VALUES (3, 'Isabelle', 'CEO',ENCRYPTBYKEY(KEY_GUID('SMK_Emp'),
'$300000'));

-- Query table with encrypted values

SELECT * FROM Employees; 

 Output:




-- Query table with decrypted values

SELECT *, CONVERT(VARCHAR, DECRYPTBYKEY(Salary)) AS DecryptedSalary
FROM Employees;

 Output :






-- Close SMK

CLOSE SYMMETRIC KEY SMK_Emp

-- Query table with decrypted values after key SMK is closed

SELECT *, CONVERT(VARCHAR, DECRYPTBYKEY(Salary)) AS DecryptedSalary
FROM Employees;
GO

 Output:








-- Clever CTO updates their salary to match CEO's salary

UPDATE Employees
SET Salary = (SELECT Salary FROM Employees WHERE Position = 'CEO')
WHERE EmployeeName = 'Marcus';

-- Open SMK and query table with decrypted values

OPEN SYMMETRIC KEY SMK_Emp DECRYPTION BY PASSWORD = 'Pass123$';
SELECT *, CONVERT(VARCHAR, DECRYPTBYKEY(Salary)) AS DecryptedSalary
FROM Employees;

 Output:





A major disadvantage of encrypting data using a symmetric key protected by a password is that the password needs to be embedded somewhere, which represents a security risk.


Ref : https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/encryption-hierarchy?view=sql-server-ver15

https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/encrypt-a-column-of-data?view=sql-server-ver15









Comments

Post a Comment

Popular posts from this blog

What is DACPAC and how to use it?

-
Image
Few days before someone asked me a question about DACPAC and BACPAC. To be honest I was really not aware of it and I replied that I have heard these terms for the first time. That person replied DACPAC is used for deploying and upgrading database objects. Even after the clear statement, my reply was like developers would answer this better. Even though DBAs are responsible for migration and deployments. After few days, I got a requirement to migrate database schema (Only Schema) to another instance. In such a case most of us would have used the traditional way to script out the database objects and run the script on another instance. But what if there are many objects? I was exploring the easiest way to migrate the objects and got to know about DAC. After reading about DAC, I felt very sorry myself that I was not aware of such a simplest way of migrating and deploying database objects. I went to my friends who are senior developers and asked this question. None of them was aware ...
Read more

What’s the difference between a hotfix, cumulative update, Service Pack, and Feature Pack?

-
Hotfixes: A hotfix is created to address a specific issue, problem, or customer scenario. A hotfix can address either a single issue or a cumulative set of issues. Hotfixes are distributed only to those customers, partners, and organizations that Microsoft technical support personnel determine can benefit from the changes that are made to the code. Each hotfix includes documentation that indicates what files, tables, code, or functions are changed by the hotfix. Cumulative updates: A cumulative update (CU) is an update that contains all previous hotfixes to date. Additionally, a CU contains fixes for issues that meet the criteria for hotfix acceptance. These criteria may include the availability of a workaround, the effect on the customer, the reproducibility of the problem, and the complexity of the code that must be changed.           Note: Any hotfixes that you previously applied are not included i...
Read more

Always on setup end to end - Part 1 || Pre-requisites

-
Image
Hello readers,  Welcome to the new blog after a long time. In this blog I would like to discuss complete end to end always on setup guide for beginners. I will be posting couple of blogs regarding always on in SQL server. I believe that would be helpful to understand Always on in SQL server in easy way. Always on setup involved multiple steps. Hence one may find it difficult. However, if you could plan it well then you may find that always on is much easier to configure and handle. So, without wasting the time lets proceed further. Firstly, we will see what is Always on in SQL Server ? Always on is the high availability and disaster recovery solution introduced in SQL server 2012. As the name suggest, Always on means availability of database all the time even in case of disaster. We can say it is the alternative of mirroring. Only thing is windows failover cluster service also required to be configured as a pre-requisite for always on. In this blog, we will only d...
Read more