I have a basic understanding of the encryption using T-SQL, but is all of this at the T-SQL level? Like can a client have a certificate, be sent the encrypted value (that was encrypted on SQL Server), and using the same cert that is on the server decrypt the data?
Is there a good article/book that covered encryption in detail that you can suggest? Or is this something that you would build in .NET?
If your concern is to protect data in transit, I would strongly recommend you to use SSL to protect the data between your server and the client.
If your goal is to protect data at rest, but in such a way that the protected data cannot be decrypted by the server (i.e. the decryption key is never stored/used in the server hosting SQL Server) you can use .Net to protect the data directly, but all the key management should be on your client application.
Typically, for normal data I don’t recommend using a model where you use public keys to protect data directly on SQL Server, and use the private key on the client to decrypt it (or vice versa).
The main reasons are that your application will still have to do most of the key management (private/public keys), the performance of asymmetric key encryption is orders of magnitude slower than symmetric key encryption and that in SQL Server the limit for encrypting data using an asymmetric key is 1 block (based on the private key modulus, for the self signed certificates SQL Server generates this means you can only encrypt up to ~117 bytes of plaintext).
After saying that, there may be some cases where this mechanism may actually work better for your particular needs. You can find one sample on how to use the .Net framework to encrypt data and decrypt it on SQL Server using asymmetric keys: http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=384472&SiteID=1
I hope this information can help you.
-Raul Garcia
SDE/T
SQL Server Engine
|||Actually my question was largely academic in nature, as I was trying to get my head straight on a few topics with SQL Server for a client. I had a few preconcieved notions about how things worked with encryption.
Thanks again (you have helped me before :)!
No comments:
Post a Comment