Best patterns for encrypting database columns/tables in SQL Azure

azure-sql-databaseencryption

Azure SQL doesn't support many of the encryption features found in SQL Server (Table and Column encryption). What is the best practice for doing application level encryption into a database that doesn't support encryption? Also need

Key rotations
metadata mapping of which tables and which columns are encrypted. This is simple when it's just couple of columns (send an email to all devs/document) but that quickly gets out of hand

If someone would like to recommend a library, I'd be happy to stay away from "DIY" too.

Best Answer

I think that your problem can be solved with the MS framework called "Trust Services". Buck Woody explains in this article how you can use it to solve problems of encrypted data with SQL Azure. From his article, a short description about how to use Trust Services:

"With the new Trust Services service, the basic process is that you use a Portal to create a Trust Server using policies and other controls. You place a X.509 Certificate you create or procure in that server. Using the Software development Kit (SDK), the developer has access to an Application Layer Encryption Framework to set fields of data they want to encrypt. From there, the data can be stored in SQL Azure as a standard field – only it is encrypted before it ever arrives."

Further reference:

Related Solutions

Implementing an encrypted table in SQL Azure

Short answer: as of April 20, 2012 column encryption is not supported in SQL Azure, see: http://msdn.microsoft.com/en-us/library/windowsazure/ee336253.aspx and search for ENCRYPT. You will see that all of the encryption functions are listed as unsupported.

If you need to encrypt your data at rest and have to support SQL Azure then you are going to have to do your encryption at the application level. This is more difficult to get right as lots of the good encryption practices (using nonces as initialization vectors for each cell, key management for tracking which keys encrypt which columns, integrity verification, layered protection of encryption keys with role based permissions) you will have to implement yourself. I strongly recommend getting a security professional to work with you on the encryption as it is challenging to get right and if you miss something then you have a false sense of security that could really burn you later.

You could look at http://securentity.codeplex.com, which claims to be a solution for managing encrypted data and supports SQL Azure. I have not personally used it, nor can I vouch for it's correctness, but it is a potential option.

Other information:

In SQL Server column level encryption is easy and very secure (even with a view) because you can use roles to manage who can access the encryption keys. Even if a user can select from a view, if they are not granted access to the key that encrypts the underlying data then they will get back NULLs for those encrypted columns. I have a set of sample code for SQL Server 2005 and higher that demonstrates the encryption capabilities of SQL Server here: http://sqlcrypto.codeplex.com

Sql-server – Creating SQL Azure login for single database

Connect to master database and do the following:

CREATE LOGIN YourNewUser WITH PASSWORD = '&lt;strong password here&gt;';

Connect directly to database that the new user should own:

CREATE USER YourNewUser FOR LOGIN YourNewUser;

EXEC sp_addrolemember 'db_owner', 'YourNewUser';

Best Answer

Related Solutions

Implementing an encrypted table in SQL Azure

Sql-server – Creating SQL Azure login for single database

Related Question