Here's my requirement:
A database where at least 1 column on at least 1 table is sensitive, and should be encrypted
DBAs and people accessing the database with SSMS should not be able to view the plaintext values of the columns
There will be a client asp.net application that will be able to retrieve and decrypt the data, and insert and update to the table(s)
So, if I enable always encrypted on the necessary columns, any normal query will retrieve the ciphertext for those columns. Fine.
The client application will have Column Encryption Setting=Enabled on the connection string, so will have the ability to encrypt and decrypt data.
But what's to stop someone connecting with SSMS and enabling the same column encryption setting? They could then select from the table and see the plaintext.
In short, how do I apply permissions so that only people in a specific AD group, and excluding DBAs, has permissions to access the encryption keys to decrypt the data?
Is it as simple as making sure that the IIS that the .net application is on is not on the same server, and creating the column master key certificate only on that IIS machine?
There are two keys that are created Column Master Key (CMK) and Column Encryption Key (CEK).
The column master key is only stored on the application side, while the column encryption key will be stored on SQL Server side.
The result is that once the client has the CMK, you can activate encryption by changing the connection string and the driver will then look for this CMK. Without it the data cannot be decrypted.
Related
My task is simple - to share cookies among servers in a farm
I know that old way using machine key doesn't work in asp.net core, but there is a DataProtection API
However, I cannot store keys in shared folder (it's default built-in behavior of DataProtection)
Is there any way to store key exchange data in configs? (like in old asp.net)
you can store the keys in a file system folder, but there are of course security concerns in doing so, however the concerns are similar as with storing a key in web.config.
The thing that is different is that there is not just one key like with machine key, the keys in data protection api expire after a given period and new keys are created when needed automatically. If you encrypt something with the data protection api and store it persisted in the database for example, you may need to decrypt it later using the expired keys
This example is storing the keys in a folder named dp_keys within the web app main folder.
string pathToCryptoKeys = Path.Combine(environment.ContentRootPath, "dp_keys");
services.AddDataProtection()
.PersistKeysToFileSystem(new System.IO.DirectoryInfo(pathToCryptoKeys));
Note that storing the keys in the file system is not the recommended approach. There is a powershell script in the docs that enables storing keys per application pool in the system registry. For Azure there is the Azure Key vault for storing the data protection keys.
We have a legacy application that is storing the user's passwords down in the database unencrypted. We've had a fair few customers come onboard now which encrypting this password is a big deal to them (fair enough). Currently it's just a Nvarchar(100) field inside an SQL Server database table.
The situation is that we have multiple client applications accessing this database and validating against this password.
Just wanting to get advice on how we can achieve encryption on this field in the database without having to rewrite all the client applications that read off of it? It's not out of the question to change the client applications but we're trying to get away with this with as little fuss as possible.
Any ideas?
Do not do that, store salted, iterated HMACs of the passwords. Use something like Bcrypt, password_hash, PBKDF2 or similar.
If the HMAC is not salted and iterated it is not sufficient. Simply hashing without salting leaves the hashed passwords open to rainbow table attacks.
Convert the existing passwords now.
Let's say I have sensitive data in the database server that needs to be encrypted (i.e emails, etc..) and I want to make sure that in the event that the server is compromised, the attacker shouldn't be able to decrypt these data (at the very least make it harder).
I've read some solutions online, and it seems like I can either
Use Hardware Security Modules (i.e. Amazon KMS/Vault) to having a separate server handle encryption/decryption.
Use Public Key Encryption (where the public key in database server encrypts data, and a private key is stored in separate server that solely handles decryption)
What are the tradeoffs of each other and which one would you choose?
We have a web application that contains sensitive data. Currently we are using sql server 2008 and using DECRYPTBYPASSPHRASE and ENCRYPTBYPASSPHRASE for the sensitive columns.
The key was exposed and now they want to change the key.
The most important thing is what is the best practices for storing the pass phrase. The application is a asp.net connecting to a sql server 2008. The sql admins do not want it stored anywhere in the database. But then it will stored in the application server and will be transmitted over the wire.
Secondly, I don't like the fact that I have to decrypt then re-encrypt to change the key. Is there a better was of encrypting the sensitive data.
thanks in advance.
I have a webserver application which receives uploaded files, encrypts and decrypts them using AES256. I encrypted them so a potential hacker, who somehow got into the storage, can't do anything with the files. At the moment every file is being encrypted using the same hard-coded key.
Is it more secure to encrypt every file with an other random key stored in a database, maybe hashed (and salted, too)? Does this even provide a higher level of security? Or can it be worse to store such keys in the database?
key storage is a rather fundamental problem and hard to solve without rather special hardware.
as long as you store the keys on same machine as the encrypted data, an attacker will get both. that doesn't fundamentally change if you just have more keys.
you can't hash / salt the keys either, as hashing is a one-way function and with just the stored hash you yourself (or your app) would not be able to compute the key, so this is pointless.
if practicable, you could enter the key manually when the app server starts, so the key just lives in RAM, not on disk. make sure it doesn't get paged out to swap partition.
if you could encrypt the files clientside (before upload), so only the user has the keys, that would be safer...