Introduction

Always Encrypted is a feature in Windows SQL Server designed to protect sensitive data both at rest and in flight between a client application server and Azure or SQL Server database(s).

Data protected by Always Encrypted remains in an encrypted state until it has reached the client application server. This effectively mitigates man-in-the-middle attacks and provides assurances against unauthorized activity from rogue DBAs or admins with access to Azure or SQL server databases.

The nShield HSM secures the key used to protect the Column Master Key, stored in an encrypted state on the client application server.

Product configurations

Entrust successfully tested nShield HSM integration with Windows SQL Server and the Always Encrypted feature in the following configurations:

Remote server

  Product      Version
  SQL Server   Microsoft SQL Server 2022
  Base OS      Windows Server 2022 Datacenter

Client

  Product          Version
  SQL Server GUI   Microsoft SQL Server Management Studio V18.8
  Base OS          Windows 10 Enterprise

Supported nShield hardware and software versions

Entrust successfully tested with the following nShield hardware and software versions:

  Product      Security World Software   Firmware                                                            Netimage           OCS   Softcard   Module
  Connect XC   13.4.5                    12.50.11 (FIPS 140-2 certified) & 12.72.1 (FIPS 140-2 certified)   12.80.5 & 13.4.5
  nShield 5c   13.4.5                    13.2.2                                                              13.2.2
  nSaaS        12.80.4                   12.72.1 (FIPS 140-2 certified)                                      12.80.5

Role separation

The generation of keys and the application of those keys for encryption or decryption are separate processes. The processes can be assigned to users with different access permissions, or Duty Roles. The table below shows the processes and Duty Roles with reference to the Security Administrator and the Database Administrator.

Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

  Process                                                                  Duty Role
  Generating the Column Master Key (CMK) and Column Encryption Key (CEK)   Security Administrator
  Applying the CMK and CEK in the database                                 Database Administrator

Four database permissions are required for Always Encrypted.

  Operation                         Description
  ALTER ANY COLUMN MASTER KEY       Required to generate and delete a column master key
  ALTER ANY COLUMN ENCRYPTION KEY   Required to generate and delete a column encryption key
  VIEW ANY COLUMN MASTER KEY        Required to access and read the metadata of the column master keys to manage keys or query encrypted columns
  VIEW ANY COLUMN ENCRYPTION KEY    Required to access and read the metadata of the column encryption keys to manage keys or query encrypted columns
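The following T-SQL is an added example, not part of the Entrust guide, showing how the two Duty Roles above map onto the four permissions and how to verify the split before handing out the accounts. The principal names AE_SecurityAdmin and AE_DatabaseAdmin are hypothetical; in T-SQL the two VIEW permissions are granted under their full names, VIEW ANY COLUMN MASTER KEY DEFINITION and VIEW ANY COLUMN ENCRYPTION KEY DEFINITION.

```sql
-- Added example (not from the Entrust guide). Run in the target database
-- as a sysadmin from SQL Server Management Studio.
-- AE_SecurityAdmin / AE_DatabaseAdmin are hypothetical names; WITHOUT LOGIN
-- keeps the demo self-contained (map them to real logins in production).
CREATE USER AE_SecurityAdmin WITHOUT LOGIN;
CREATE USER AE_DatabaseAdmin WITHOUT LOGIN;
GO

-- Security Administrator: generates (and may delete) the CMK and CEK,
-- and needs the VIEW permissions to manage the key metadata it creates.
GRANT ALTER ANY COLUMN MASTER KEY                TO AE_SecurityAdmin;
GRANT ALTER ANY COLUMN ENCRYPTION KEY            TO AE_SecurityAdmin;
GRANT VIEW ANY COLUMN MASTER KEY DEFINITION      TO AE_SecurityAdmin;
GRANT VIEW ANY COLUMN ENCRYPTION KEY DEFINITION  TO AE_SecurityAdmin;

-- Database Administrator: applies existing keys to columns and queries
-- them, which needs the metadata (VIEW) but not the right to create or
-- drop keys, so the ALTER permissions are deliberately not granted.
GRANT VIEW ANY COLUMN MASTER KEY DEFINITION      TO AE_DatabaseAdmin;
GRANT VIEW ANY COLUMN ENCRYPTION KEY DEFINITION  TO AE_DatabaseAdmin;
GO

-- Verification: impersonate each principal and confirm the separation.
-- Expected rows: AE_SecurityAdmin -> 1, 1 ; AE_DatabaseAdmin -> 0, 1
EXECUTE AS USER = 'AE_SecurityAdmin';
SELECT USER_NAME() AS principal,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE',
           'ALTER ANY COLUMN MASTER KEY')           AS can_alter_cmk,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE',
           'VIEW ANY COLUMN MASTER KEY DEFINITION') AS can_view_cmk;
REVERT;

EXECUTE AS USER = 'AE_DatabaseAdmin';
SELECT USER_NAME() AS principal,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE',
           'ALTER ANY COLUMN MASTER KEY')           AS can_alter_cmk,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE',
           'VIEW ANY COLUMN MASTER KEY DEFINITION') AS can_view_cmk;
REVERT;
GO
```

A non-zero can_alter_cmk for the Database Administrator principal means the role separation the table describes has not been applied.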

Multiple Windows user accounts on a single client server

To enable multiple Windows user accounts on a single client server, ask Entrust Support for a Hotfix patch that allows multiple users to use the same Always Encrypted key.

Multiple client servers

Each client server wanting access to the content of the encrypted data with a given CEK must have:

  • An HSM in the same Security World.

  • A Hotfix patch that allows multiple users to use the same Always Encrypted key. Ask Entrust Support for this.

  • A copy of the CMK key token stored on its local drive.

Always Encrypted and TDE

The same Security World can be used for Always Encrypted and TDE.