We have requirements to encrypt sensitive column data using SQL Server 2016 and selected the Always Encrypted(AE) feature to encrypt those columns using deterministic approach..
Since, the AE deterministic encryption doesn't allow inequality, range, or LIKE queries on these encrypted columns, we have tried of doing encryption for these type of columns using the symmetric key (column level) encryption technique.
Is it a good practice to implement the AE feature on certain columns(which doesn't need any inequality, range, or LIKE queries ) and symmetric key type encryption on columns where inequality, range, or LIKE queries needs to be generated?
Is it a good practice to combine the AE encryption and column level encryption on a single table considering the performance, security and maintenance?
Experts advice please.
Best Answer
I have yet to come across a definitive "Best Practices" list regarding multiple encryption types for SQL Server, but in your situation I would probably recommend the following:
WHERE
clauses.You can also implement #2 with Column Level Encryption as well, but without any constraints in place, I can't see why you'd choose CLE over Always Encrypted in general.
I joke about making encryption the application's problem, but I find that the database often gets saddled with a lot more business logic and wacky functionality than it should be in most cases. If there is an option to push some computation back to the application side, I've found that is generally the best option and helps prevent troubleshooting and general tuning from becoming a nightmare.
Of course you should fully test the alternatives. If you find CLE, or a combo, works best for your particular scenario, so be it.
Additional reading: