Introduction
Always Encrypted is a Microsoft SQL Server feature that protects sensitive data both at rest in the database and in transit between the client application server and Azure SQL Database or SQL Server.
Data protected by Always Encrypted remains encrypted until it reaches the client application server, where the client driver decrypts it. Because the database engine never handles plaintext or the keys that protect it, this mitigates man-in-the-middle attacks and gives assurance against unauthorized access by rogue DBAs or administrators who have access to the Azure SQL or SQL Server databases.
The nShield HSM protects the key used to wrap the Column Master Key (CMK); the CMK itself is held on the client application server only as an encrypted key token.
Product configurations
Supported nShield hardware and software versions
Entrust successfully tested with the following nShield hardware and software versions:
Product | Security World Software | Firmware | Netimage | OCS | Softcard | Module
---|---|---|---|---|---|---
Connect XC | 13.4.5 | 12.50.11 (FIPS 140-2 certified) & 12.72.1 (FIPS 140-2 certified) | 12.80.5 & 13.4.5 | ✓ | ✓ | ✓
nShield 5c | 13.4.5 | 13.2.2 | 13.2.2 | ✓ | ✓ | ✓
nSaaS | 12.80.4 | 12.80.5 | | ✓ | ✓ | ✓
Role separation
Generating keys and applying those keys for encryption or decryption are separate processes. Each process can be assigned to users with different access permissions, or duty roles. The table below maps the processes to the Security Administrator and Database Administrator duty roles.

Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

Process | Duty Role
---|---
Generating the Column Master Key (CMK) and Column Encryption Key (CEK) | Security Administrator
Applying the CMK and CEK in the database | Database Administrator
Four database permissions are required for Always Encrypted. Grant the ALTER permissions only to the Security Administrator role; the VIEW permissions are needed by both roles and by any application principal that queries encrypted columns.
Permission | Description
---|---
ALTER ANY COLUMN MASTER KEY | Required to generate and delete a column master key
ALTER ANY COLUMN ENCRYPTION KEY | Required to generate and delete a column encryption key
VIEW ANY COLUMN MASTER KEY DEFINITION | Required to access and read the metadata of the column master keys to manage keys or query encrypted columns
VIEW ANY COLUMN ENCRYPTION KEY DEFINITION | Required to access and read the metadata of the column encryption keys to manage keys or query encrypted columns
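The following T-SQL is an added example, not part of the Entrust guide, showing how the two duty roles and the four permissions above can be set up so that the Security Administrator owns key metadata while the Database Administrator can only apply keys to tables. The database name, role names, CNG key name, table and the placeholder ENCRYPTED_VALUE are assumptions; the CNG provider name in KEY_PATH is the name the nShield CNG key storage provider registers, and the wrapped CEK value must be produced by a client tool (SSMS or the .NET driver) against the HSM, never typed by hand.

```sql
-- Added example (not from the Entrust guide). Assumed database SalesDb,
-- assumed role names, assumed CNG key name AE_CMK_01, constructed
-- placeholder ENCRYPTED_VALUE.
USE [SalesDb];
GO

-- Role separation: the Security Administrator may create and delete key
-- metadata; the Database Administrator may only read it and apply keys.
CREATE ROLE [AE_SecurityAdmin];
CREATE ROLE [AE_DatabaseAdmin];
GO

GRANT ALTER ANY COLUMN MASTER KEY               TO [AE_SecurityAdmin];
GRANT ALTER ANY COLUMN ENCRYPTION KEY           TO [AE_SecurityAdmin];
GRANT VIEW ANY COLUMN MASTER KEY DEFINITION     TO [AE_SecurityAdmin];
GRANT VIEW ANY COLUMN ENCRYPTION KEY DEFINITION TO [AE_SecurityAdmin];

-- The DBA gets the VIEW permissions only, plus the DDL rights it needs.
GRANT VIEW ANY COLUMN MASTER KEY DEFINITION     TO [AE_DatabaseAdmin];
GRANT VIEW ANY COLUMN ENCRYPTION KEY DEFINITION TO [AE_DatabaseAdmin];
GRANT CREATE TABLE TO [AE_DatabaseAdmin];
GRANT ALTER ON SCHEMA::dbo TO [AE_DatabaseAdmin];
GO

-- Security Administrator step: register the CMK that lives in the nShield
-- Security World. KEY_PATH for MSSQL_CNG_STORE is "<provider name>/<key name>".
CREATE COLUMN MASTER KEY [CMK_nShield]
WITH (
    KEY_STORE_PROVIDER_NAME = N'MSSQL_CNG_STORE',
    KEY_PATH = N'nCipher Security World Key Storage Provider/AE_CMK_01'
);

-- Security Administrator step: register the CEK. ENCRYPTED_VALUE is the CEK
-- wrapped (RSA-OAEP) by the CMK; the engine stores it without unwrapping it.
-- 0x01000000DEADBEEF is a constructed placeholder, not a real wrapped key.
CREATE COLUMN ENCRYPTION KEY [CEK_Customers]
WITH VALUES (
    COLUMN_MASTER_KEY = [CMK_nShield],
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x01000000DEADBEEF
);
GO

-- Database Administrator step: apply the CEK to a column. Deterministic
-- encryption on a string column requires a *_BIN2 collation.
CREATE TABLE dbo.Customers (
    CustomerId INT NOT NULL PRIMARY KEY,
    TaxId NVARCHAR(20) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (
            COLUMN_ENCRYPTION_KEY = [CEK_Customers],
            ENCRYPTION_TYPE = DETERMINISTIC,
            ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'
        ) NOT NULL
);
GO

-- Check 1: which Always Encrypted permissions does the current principal
-- hold? A DBA or application login should list only the two VIEW permissions.
SELECT permission_name
FROM fn_my_permissions(NULL, 'DATABASE')
WHERE permission_name LIKE '%COLUMN%KEY%';

-- Check 2: confirm the CEK is bound to the HSM-backed CMK and nothing else.
SELECT cek.name            AS cek_name,
       cmk.name            AS cmk_name,
       cmk.key_store_provider_name,
       cmk.key_path,
       v.encryption_algorithm_name
FROM sys.column_encryption_keys AS cek
JOIN sys.column_encryption_key_values AS v
  ON v.column_encryption_key_id = cek.column_encryption_key_id
JOIN sys.column_master_keys AS cmk
  ON cmk.column_master_key_id = v.column_master_key_id;
```

Run the two checks as the principal you intend to use for day-to-day, unprivileged connections: if the first returns either ALTER permission, that login can replace key metadata and should not be used outside administrative tasks. Note that holding the VIEW permissions is not enough to decrypt: the client still needs access to the CMK in the HSM, which is the point of keeping that key outside the database.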
Multiple Windows user accounts on a single client server
To enable multiple Windows user accounts on a single client server, ask Entrust Support for a hotfix patch that allows multiple users to use the same Always Encrypted key.
Multiple client servers
Each client server that needs access to the content of data encrypted with a given CEK must have:
- An HSM in the same Security World.
- A hotfix patch that allows multiple users to use the same Always Encrypted key. Ask Entrust Support for this.
- A copy of the CMK key token stored on its local drive.