Sql-server – AlwaysEncrypted error when inserting via stored proc

always-encryptedsimple-parameterizationsql serverstored-procedures

lets start with the error first:

Encryption scheme mismatch for columns/variables . The encryption scheme for the columns/variables is (encryption_type = 'PLAINTEXT') and the expression near line '3' expects it to be (encryption_type = 'DETERMINISTIC', encryption_algorithm_name = 'AEAD_AES_256_CBC_HMAC_SHA_256', column_encryption_key_name = 'CEK_P_H', column_encryption_key_database_name = 'Payments_Hub') (or weaker)

I'm trying to insert into a column with AlwaysEncrypt encryption on using a stored procedure:

The column 'PARAMETER_VALUE' is the encrypted column

CREATE PROCEDURE dbo.SP_UI_Parameter    
(
@ID int OUTPUT,
@OPERATION_ID int,
@PARAMETER_NAME varchar(100),
@PARAMETER_METRIC varchar(100),
@PARAMETER_VALUE varchar(100) 
)
AS
BEGIN

IF @ID IS NULL
BEGIN

INSERT INTO [dbo].[TOKEN_PARAMETER] (OPERATION_ID,
PARAMETER_NAME, PARAMETER_METRIC, PARAMETER_VALUE)

SELECT @OPERATION_ID, @PARAMETER_NAME, @PARAMETER_NAME, @PARAMETER_VALUE

SET @ID = SCOPE_IDENTITY()

END
ELSE
BEGIN

UPDATE [dbo].[TOKEN_PARAMETER] SET
OPERATION_ID = @OPERATION_ID,
PARAMETER_NAME = @PARAMETER_NAME,
PARAMETER_METRIC = @PARAMETER_METRIC,
PARAMETER_VALUE = @PARAMETER_VALUE

END

END
GO

Why am I getting the error for the query ?

Is there something I must include within the STORED PROCEDURE ?

I have included "Column Encryption Setting=Enabled " in my connection settings
I have also enabled Parameteterization for AlwaysEncrypted
The key is stored on the local machine
I have created DETERMINISTIC encryption
SQL Server 2016 database Engine using SSMS 17 – can this be an issue ?

SQL Server Version Info: (EDITED)

Microsoft SQL Server 2016 (SP1-CU7-GDR) (KB4057119) – 13.0.4466.4 (X64) Dec 22 2017 11:25:00 Copyright (c) Microsoft Corporation Enterprise Edition: Core-based Licensing (64-bit) on Windows Server 2016 Datacenter 10.0 (Build 14393: ) (Hypervisor)

SSMS Stored Procedure Call: (EDITED)

DECLARE @return_value int,
@ID int

EXEC    @return_value = [dbo].[SP_Insert_Parameter2]
 @ID = @ID OUTPUT,
 @OPERATION_ID = 3,
 @PARAMETER_NAME = N'algorithm',
 @PARAMETER_METRIC = N'algorithm',
 @PARAMETER_VALUE = N'99999'

 SELECT @ID as N'@ID'

 SELECT 'Return Value' = @return_value

 GO

Thanks In Advance

Best Answer

So I figured out what I was doing wrong AlwaysEncrypted requires the variables to be defined in line:

DECLARE @OPERATION_ID int = 4
DECLARE @PARAMETER_NAME varchar(100) = 'algorithm'
DECLARE @PARAMETER_METRIC varchar(100) = 'algorithm'
DECLARE @PARAMETER_VALUE varchar(100) = 'TestValue3'

INSERT INTO [dbo].[TOKEN_PARAMETER] (OPERATION_ID, PARAMETER_NAME,
PARAMETER_METRIC, PARAMETER_VALUE)
SELECT @OPERATION_ID,
       @PARAMETER_NAME,
       @PARAMETER_METRIC,
       @PARAMETER_VALUE

This allows for successful insert into the table. When using a stored procedure you cannot use the same method to insert.

So in essence, there is nothing wrong with how to stored procedure works. The application needs to change the way it populates the columns, using the same stored procedure

Please see below link for reference:

https://social.technet.microsoft.com/wiki/contents/articles/37979.working-with-the-always-encrypted-feature-in-sql-server-2016.aspx#Add_Data_to_Always_Encrypted_Column

Still waiting on applications team to come back with results but i'll mark the question as solved if this fixed the issue

Related Solutions

Sql-server – How to separate Stored Procedures (i.e. all the business logic) from Client Database so that it only contains client data

I do not think that your requirements are complete as there are reasons that your prior attempts did not work that are not reflected in the stated Requirements. You mentioned in attempted solution #1 that you need to be able to debug the code / know what version it is, and the client needs to be able to replicate the code. Are these two issues current requirements?

If the need for replication is still a requirement, then that conflicts with the requirement to be "compiled (secured)".

I will assume that the client's server is something they have full sa access to such that DENYing the VIEW ANY DEFINITION permission is not a viable approach.

One thing to try is taking the T-SQL of your Stored Procedures and encapsulating each one, unchanged, into CLR Stored Procedures. You would place one or more related Stored Procedures into an Assembly. Here are some thoughts about this:

Assemblies conveniently have a version number that can be seen in the sys.assemblies catalog view, SSMS (right-click on the Assembly to view the Properties), and the ASSEMBLYPROPERTY function.
You probably don't want to put all of the Stored Procedures into a single Assembly, but you also don't want to have one Assembly per Stored Procedure. You can have one class file per Stored Procedure and several of those included in a single Assembly.
All of the Assemblies should use WITH PERMISSION_SET = SAFE
The only code in each CLR Stored Procedure would be:
- Create a SqlCommand with a CommandType of CommandType.Text and CommandText set to the current T-SQL Stored Procedure content
- No SqlConnection should be needed (if it is, then it is just "context connection=true")
- Map the SqlParameterCollection of the SqlCommand to the input parameters of the CLR Stored Procedure
- Call SqlContext.Pipe.ExecuteAndSend(_YourSqlCommand);
The Assembly and related Stored Procedures would be loaded into each Client DB
CLR Stored Procedures are not able to be replicated, but that could probably be worked around

Sql-server – How to pass multi-valued characters in SSRS Report

I found a solution. I did not properly split the values in the stored procedure with a UDF.

To pass multi-values correctly in this stored procedure, I would need to add the following code to the dataset parameter that I am using:

=join(Parameters!<your param name>.Value,",")

This is basically going to join multiple values into an array and pass it through the @Flag parameter. The next step is adding SQL to the stored procedure to receive and digest the values correctly so it reads the values with the IN clause.

Google search any UDF string parser online. There are many to choose from. I used dba_parseString_udf from Michelle Ufford http://sqlfool.com.

Once I had my UDF installed, I can now alter my IN clause to receive the new multi-valued parameter being passed by SSRS as follows:

WHERE [Flag] IN (SELECT * FROM dba_parseString_udf(@Flag, ','))

Therefore, SSRS will pass the following value:

@Flag = 'A,B,C'

Then my UDF will parse that string out correctly to:

A
B
C

And populate my @Flag parameter correctly with SELECT * FROM UDF()...

Best Answer

Related Solutions

Sql-server – How to separate Stored Procedures (i.e. all the business logic) from Client Database so that it only contains client data

Sql-server – How to pass multi-valued characters in SSRS Report

Related Question