Configure data access and auditing || a - ii

-

Qsn) what is always encrypted?
Ans :

Always Encrypted (AE) is a new feature in SQL Server 2016 that allows you encrypt both data at rest and data in flight.

most important capability is its ability to secure the data with your database outside of the database engine in the client application.

AE was designed so that encryption and decryption of the data happens
transparently at the driver level, which minimizes the changes that have to be made to existing applications.

At a high level the AE architecture works as below :

The client application issues a parameterized query. It uses the new Column Encryption Setting=Enabled; option in the connection string.

The enhanced ADO.NET driver interrogates the database engine using the
[sp_describe_parameter_encryption] system stored procedure to determine which parameters target encrypted columns. For each parameter that will require encrypting the driver retrieves the encryption algorithm and other information that will be used during the encryption phase.

The driver uses the Column Master Key (CMK) to encrypt the parameter values before sending the ciphertext to the database engine.

The database engine retrieves the result set, attaching the appropriate encryption metadata to any encrypted columns, and sends it back to the client application. The data is encrypted both at rest within the database and in flight from the database engine to the client application.

The client application’s driver decrypts any encrypted columns in the result set and returns the plaintext values to the application.

Qsn) AE supports the Which types of encryption?
Ans :

   1) Deterministic
    2) Randomized

Deterministic

   Deterministic encryption uses a method that always generates the same ciphertext for any given plaintext value.

   It allows for the transparent retrieval of data through equality comparisons. Point lookups, equality joins, grouping and indexing are all supported through deterministic encryption.

   With deterministic encryption a BINARY2 collation, such as Latin1_General_BIN2, must be used for character columns.

   Users might be able to guess encrypted columns values for columns with a small domain of values, such as an example of the[Gender] or [State] fields.


Randomized

   With randomized encryption, different ciphertext will be generated for the same plaintext.

   This makes randomized encryption much more secure than deterministic encryption.

   Effectively no search/comparison operations are allowed. Use randomized encryption for columns that you want to retrieve.

Comments

Post a Comment

Popular posts from this blog

What is DACPAC and how to use it?

-
Image
Few days before someone asked me a question about DACPAC and BACPAC. To be honest I was really not aware of it and I replied that I have heard these terms for the first time. That person replied DACPAC is used for deploying and upgrading database objects. Even after the clear statement, my reply was like developers would answer this better. Even though DBAs are responsible for migration and deployments. After few days, I got a requirement to migrate database schema (Only Schema) to another instance. In such a case most of us would have used the traditional way to script out the database objects and run the script on another instance. But what if there are many objects? I was exploring the easiest way to migrate the objects and got to know about DAC. After reading about DAC, I felt very sorry myself that I was not aware of such a simplest way of migrating and deploying database objects. I went to my friends who are senior developers and asked this question. None of them was aware ...
Read more

Backdoor in SQL server. Is this hacking, loop hole or Feature ?

-
Image
DBAs should always be ready to face any kind of disaster in SQL environment. That doesn't matter whether it is PROD or Non- PROD.  Recently I have been asked regarding recovering the sysadmin password. I couldn't understand the question hence investigated more to understand actual problem. Then I came to know that there is one SQL Server for which admin login and password is lost. I was Like seriously ? How one can be that much of irresponsible? But rather than getting into that kind of discussion I quickly got ready to help the team.  In SQL Server there is a way to access SQL Instance without login. Lets check that out. Steps : 1) Open SQL Server Configuration  Manager. 2) Right click on SQL Server service and go to Properties. 3) Go to "Startup Parameters" Tab and Add -m.   This will Start the server in Single user mode.  4) Click Apply and Ok. This change would require Service restart.  5) Once Service is restarted then, open CMD as Administrator. ...
Read more

Always on setup end to end - Part 1 || Pre-requisites

-
Image
Hello readers,  Welcome to the new blog after a long time. In this blog I would like to discuss complete end to end always on setup guide for beginners. I will be posting couple of blogs regarding always on in SQL server. I believe that would be helpful to understand Always on in SQL server in easy way. Always on setup involved multiple steps. Hence one may find it difficult. However, if you could plan it well then you may find that always on is much easier to configure and handle. So, without wasting the time lets proceed further. Firstly, we will see what is Always on in SQL Server ? Always on is the high availability and disaster recovery solution introduced in SQL server 2012. As the name suggest, Always on means availability of database all the time even in case of disaster. We can say it is the alternative of mirroring. Only thing is windows failover cluster service also required to be configured as a pre-requisite for always on. In this blog, we will only d...
Read more