SQL Server Always Encrypted w/ Secure Enclave - Key Management Strategy - sql-server

I am looking into ways to build a data warehouse that would house confidential data for 1+ clients. The requirement is that our organization can never obtain access to the decrypted data. There would be a web application clients utilize to write data and query data (basic select statements including ranges).
I've been learning about SQL Server Always Encrypted w/ Secure Enclaves (and Azure SQL Always Encrypted w/ Secure Enclaves) and am wondering about key management strategies.
Based on what I've read here: https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-enclaves?view=sql-server-ver16 and even here https://aws.amazon.com/blogs/modernizing-with-aws/sql-server-always-encrypted-with-secure-enclaves/ , it seems like at the end of the day, someone in an organization utilizing this, is going to maintain access of the actual keys that could be used to decrypt the data.
Microsoft suggests role separation such that a DBA may have access to the database, but not access to the keys used for encryption and a Security Admin has access to the keys but not the actual database.
But, hypothetically, if the DBA and Security Admin wanted to be malicious together, they could technically obtain access to the data together. Are there strategies that can be employed to help mitigate this potential risk?
I'm wondering if the key management could be placed onto the client(s) instead of one of our own Security Admins - that way, technically, it would be completely impossible for our organization to ever have access to the data in a decrypted form. This would mean that for each client, there would be a column master key that they would store/manage and pass to us (encrypted). We'd use this to programmatically retrieve the column encryption key(s) relevant to their querying.
I've never worked around architectures involving confidential computing and am curious if the direction I am headed seems reasonable and/or if folks have any thoughts, advice, or could point me to any documentation involving key management strategies where clients house their own keys to access their data hosted by some other service.

Related

.Net Core IDataProtector vs. Always Encrypted for sensitive db columns?

I am going to store sensitive data like SSN and bank account numbers in my SQL Server database. The database is located on a server separate from where the application code is run, and I have Security Groups set up to only allow inbound access to the db server from my app server IP. I have already implemented the IDataProtector API and am using it to store encrypted passwords in my db, so I was going to use this to store the SSN and bank info as well.
But I read about Always Encrypted today, which is a SQL Server-based method you can use to encrypt specific columns. From the Microsoft page: "Always Encrypted allows clients to encrypt sensitive data inside client applications and never reveal the encryption keys to the Database Engine (SQL Database or SQL Server). As a result, Always Encrypted provides a separation between those who own the data and can view it, and those who manage the data but should have no access."
If I'm mostly concerned with hackers getting into my db and stealing data, which one of these methods is more secure? The master key for Always Encrypted would be stored in the Windows Certificate Store on the app server. I honestly don't know where the keys for IDataProtection are stored since it's been awhile since I set it up. I don't have anything explicit in Startup in services.AddDataProtection().
After much research, I think I'll go with Data Protector for now. The main decision point was that I don't want to use Azure Key Vault for centralized key storage, and Always Encrypted does not offer many alternatives.
I found that I can't use Windows Certificate Store for the column master keys because my EC2 instances are on a load balancer/auto-scaler, and so the Windows environment could be rebuilt at any time and lose the keys.

How can I manage Always Encrypted technique and TDE together and mitigate risks of this?

In our electronic criminal law, customer-sensitive data must be encrypted at rest and all admins working on servers and DBs must not be able to access this information clearly.
Microsoft provides three methods to encrypt sensitive information.
1- TDE[Transperant Data Encryption].
2- Always Encryption.
3- Always encrypted Enclave. not supported in our platform.
TDE by documentation it encrypts data at rest [the files [mdf,ldf,bak] are encrypted].
but once you accessed the instance you can see all data in cleartext.
Always encrypted can encrypt data inside instance to prevent authorized users from accessing data in clear text unless the have different certificates. which could be deployed in the IIS server or development server. specifically in the window's store of the azure vault.
anyhow, by mixing both methods together so that data is encrypted at rest and encrypted to everyone cannot access the master certificate.
In a given structure that is managed by many teams:
1- DBA
2- DB backup
3- Domain Admin
4- local admin
Also in two tires system, that uses different two servers, one for IIS and the other for MSSL server.
By applying the up-mentioned mixeture, the admins of both machines can access the split password of always encrypted and then access the information.
My question:
How available it be, to prevent those admins from accessing info?

If a database is totally encrypted how can a query work?

We use SQL Server, soon to be upgraded to the latest version of SQL Server, which I believe is SQL Server 2017. I'd like to be able to move some of our databases to the cloud, at least for development. Our company has instituted a lot of security protocols, and some (important) people in the company are uncomfortable with PII information or corporate information being on the cloud. Not that I blame them. I've read that SQL Server databases can be encrypted, and have read some of the documentation. This may be the solution to me being able to put some of our data in the cloud.
I can't get my head around how one could write a query against an encrypted database, without that database being at least temporarily decrypted. Would the fields referenced in queries or views be converted to encrypted values for the query to run? Or, is there some other way this is handled. I saw some stats on the overhead of TDS, and while it's not pretty, it may be doable. Could anyone explain in not quite layman's terms how this encryption is handled?
When you are doing a search against encrypted data, you would have to encrypt your search query in with the same algorithm the data was encrypted against. This eliminates the possibility for LIKE searches and for you to be able to show the data back in plain text however.
I can't get my head around how one could write a query against an encrypted database
There is difference if you encrypt the database or data.
Often the database itself can encrypt the database (such as MSSQL), or the hosting infrastructure can encrypt the data storage. In that case - the data themselves are stored encrypted, but the encryption is transparent to the authenticated clients (authenticated client will query the data as before, nothing changes). The key is managed by the infrastructure or database.
Another option is storing the data already encrypted by the client, e.g. encrypting only PII by the client app.
Storing all data already encrypted would make either data not searchable or you will need to use deterministic (semantically non-secure) encryption. This is what previous answer suggested. For this there's even a nice tool CryptDB which act as an encryption proxxy over database queries.

SQL Server 2016 - Always Encrypted

do i have to secure the column master encryption key at client side, so that nobody can read it?
Is it correct that when somebody has the column and master encryption key data can be decrypted by an attacker?
Regards
do i have to secure ... so that nobody can read it
This statement can never be true. If the application needs to read a secret (the key), then so can an administrator on the site. If you have an application running at a client side, there is nothing you can do to prevent a determined client from finding the key. Ditto for an attacker that has compromised the location.
Always Encrypted scenario is for applications that do not trust their service hosting (think Azure SQL Database). The application has the key and can manipulate the data, and the data travels to the hosting service and is stored encrypted. The hosting service cannot decrypt your data. All this is the starting paragraph describing the feature:
Always Encrypted is a feature designed to protect sensitive data, such as credit card numbers or national identification numbers (e.g. U.S. social security numbers), stored in Azure SQL Database or SQL Server databases. Always Encrypted allows clients to encrypt sensitive data inside client applications and never reveal the encryption keys to the Database Engine ( SQL Database or SQL Server). As a result, Always Encrypted provides a separation between those who own the data (and can view it) and those who manage the data (but should have no access). By ensuring on-premises database administrators, cloud database operators, or other high-privileged, but unauthorized users, cannot access the encrypted data, Always Encrypted enables customers to confidently store sensitive data outside of their direct control. This allows organizations to encrypt data at rest and in use for storage in Azure, to enable delegation of on-premises database administration to third parties, or to reduce security clearance requirements for their own DBA staff.
Your understanding is correct, roughly speaking, Always Encrypted provides the following security guarantee, Plaintext data will only be visible to entities that have access to the ColumnMasterKey (Certificate). So you would have to ensure that your CMK is only accessible by trusted entities. Also, the best practice is to have the client application and database on separate machines.
I have provided a short detailed explanation regarding the security guarantee provided by Always Encrypted here. You might find this useful. If you have additional questions, please leave a comment and I will try by best to help

Can I use Truecrypt to protect an SQL 2008 database so that only my application can see the data?

I want to distribute an SQL 2008 database to a client and set it up so that the only way to access the data in it is through my application. Can I use Truecrypt for that? Can you think of any other solution?
No, is not possible. This is asked repeatedly and the answer is the same: protecting the data so that is only usable from one application is DRM and SQL Server does not do DRM. There is no cryptographic/encryption or authorization/permission mechanism you can set in place to prevent a legitimate administrator from seeing and using the data as it sees fit, including granting other applications permission to use your application data.
At worst you can encrypt all the data in the client and store only the encrypted blobs, thus rendering it unusable to any other application. This approach looses any advantage a relational database offers (data cannot be searched, queried, indexed, foreign relations and constraints cannot be enforced etc) rendering the SQL Server absolutely useless for your application. Besides, even in this case, short of using a hardware module, the data is not trully protected since the application cannot embed any encryption key in a secret fashion (any key embeded in the app, no matter how obfuscated it is, can be retrieved, always) and relying on the user to provide a secret password means the user can simply decrypt the data.
If you want to use a DRM scheme (which you are actually asking for), use a DRM product.
I've taken a quick look at Truecrypt and it doesn't look like the tool for what you're trying to do.
You should look at SQL Server Logins, Users and Roles. How you use these will depend on how you setup your database connection. If you can provide more information about how you are connecting I can try and help further.

Resources