SQL Server encryption

So, your manager wants you to figure out how to encrypt sensitive data? Well, Microsoft has introduced a fairly easy-to-configure feature called Always Encrypted.

What is it?

Always Encrypted was introduced in SQL Server 2016 and is now also available in Azure. It is an encryption feature intended to protect select sensitive data such as credit card numbers and social security numbers. It allows clients to encrypt important data inside the application and never expose the encryption keys to the SQL Database (or Azure) engine. This creates a separation between those who actually own the data and those who are stewards of the data. It ensures that the sensitive data cannot be read by on-site database administrators (or cloud administrators) or by any other user who is not authorized to access it, which gives end users a great deal of comfort in storing this type of information.

Internals overview

Always Encrypted is granular: you set it up on the individual columns of a table that contain sensitive data. Encryption algorithms and keys must be specified. Always Encrypted uses two types of keys, column encryption keys and column master keys. The column encryption key is used to encrypt the actual data within a column. The column master key is used to encrypt one or more column encryption keys. The column master key is stored externally in a trusted key store (think the Windows Certificate store on a client machine, or Azure Key Vault if you want to get fancy!).

Once the keys are taken care of, the database engine stores the encryption configuration of the columns in the database's metadata. Within this metadata you will find the encrypted values of the column encryption keys (so the keys aren't kept in plain text either; follow closely now...) along with the location of the column master keys.
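To see exactly what the engine keeps in that metadata, here is an added query that is not from the original article; it joins the Always Encrypted catalog views and assumes a constructed table name, dbo.Customers, on SQL Server 2016 or later.

```sql
-- Added example: inspect the Always Encrypted metadata the engine stores.
-- Assumes an encrypted table named dbo.Customers (constructed name, not from the article).
SELECT
    c.name                         AS column_name,
    c.encryption_type_desc         AS encryption_type,     -- DETERMINISTIC or RANDOMIZED
    c.encryption_algorithm_name    AS column_algorithm,    -- e.g. AEAD_AES_256_CBC_HMAC_SHA_256
    cek.name                       AS column_encryption_key,
    cekv.encrypted_value           AS wrapped_cek,         -- CEK ciphertext; only a CMK holder can unwrap it
    cekv.encryption_algorithm_name AS cek_wrap_algorithm,  -- RSA_OAEP
    cmk.name                       AS column_master_key,
    cmk.key_store_provider_name    AS cmk_store,           -- MSSQL_CERTIFICATE_STORE, AZURE_KEY_VAULT, ...
    cmk.key_path                   AS cmk_location         -- where the CMK lives, never the key itself
FROM sys.columns AS c
JOIN sys.column_encryption_keys AS cek
    ON cek.column_encryption_key_id = c.column_encryption_key_id
JOIN sys.column_encryption_key_values AS cekv
    ON cekv.column_encryption_key_id = cek.column_encryption_key_id
JOIN sys.column_master_keys AS cmk
    ON cmk.column_master_key_id = cekv.column_master_key_id
WHERE c.object_id = OBJECT_ID(N'dbo.Customers')
  AND c.encryption_type IS NOT NULL;   -- NULL for columns that are not encrypted
```

No plaintext key material appears in this output, which is the point: a DBA who can run this query still cannot decrypt the column without access to the external key store.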

How do we view the encrypted data?

In order to view the data in an encrypted column in plain text, the front-end application must use a special driver, referred to as an Always Encrypted enabled driver. When the application invokes a stored procedure that accepts parameters referencing encrypted columns, the driver works with the database engine to obtain the information it needs in order to return the value. This is where the metadata comes in: the driver can obtain the encryption algorithm information as well as the location of the column encryption key.

Once it finds the location of the encryption key, the driver contacts the key store so it can use the column master key to decrypt the encrypted column encryption key. Once it has decrypted the column encryption key, it caches the plain text result (so it doesn't have to go through this entire process for each piece of data returned). The driver is then able to take the values of the stored procedure's parameters, substitute encrypted values for what was input, and send them to the query processor.

Once the server has finished producing the result set, including encrypted columns, the driver uses the encryption metadata for the corresponding columns, with the matching encryption algorithm and keys. It then uses the encryption key stored in its cache (if it can't find it, it makes another trip to the certificate store as noted in the paragraph above), decrypts the results and presents the plain text information to the application.

When should I NOT use it?

Always Encrypted is not recommended for encrypting an entire database. Range scan queries will not work, since SQL Server can't do a string search inside the contents of an encrypted column, and full text indexes are not supported. A better option for whole-database encryption would be TDE (Transparent Data Encryption). The drawback of TDE is that it only encrypts the data at rest (the backup files are also encrypted by default); the data is not encrypted in transit or "in flight".

You should also avoid this feature if you're not using the latest .NET libraries. This is a very new feature and you must ensure proper compatibility with your application and drivers. I urge you to do plenty of research and testing on your own, as details regarding the libraries and drivers are beyond the scope of this article.

How to set it up:

Using the Always Encrypted Wizard is probably the best way to get started with the process.

Open up SSMS, right click a database and select Tasks -> Encrypt Columns.

Go past the introduction screen:

On the next screen, expand the tables and select the column(s) that you want to encrypt:

After selecting the column, select the encryption type and the encryption key. (If the encryption key has not yet been created, just leave it as Auto.)

The encryption type can be either Deterministic or Randomized. What's the difference?

Deterministic encryption always generates the same encrypted value for any given plaintext value. This is less secure but more functional, in that it allows lookups, equality joins, grouping and indexing on encrypted columns. It likely creates "friendlier" execution plans.

Randomized encryption is the opposite of deterministic in that it doesn't use the same encrypted value for a given plain text value. It is less predictable and thus far more secure. You will suffer a performance hit, however, in that you will not be able to use searching, grouping, indexing and joining on encrypted columns.

Next, choose the options for the master key. Autogenerate in this case, and I'm storing it in the Windows Certificate store (though you can use Azure as well).

Choose to run now or save as a PowerShell script (not a bad idea to hold on to the configuration!).

Watch the progress and wait for completion.

Once it's completed successfully, do a quick select from the table and see that all the social security numbers are now encrypted.
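The objects the wizard creates, together with the Deterministic versus Randomized choice, written out as T-SQL in an added example that is not from the article. The certificate thumbprint and the wrapped CEK value are placeholders (a real CEK value is computed by a client holding the column master key, such as the wizard or its PowerShell script, never by the engine), and the table and key names are constructed.

```sql
-- Added example: what the wizard produces, written by hand.
-- Placeholders: <thumbprint> and the 0x... ENCRYPTED_VALUE. The wizard (or any client
-- holding the certificate) computes the real wrapped CEK; the engine never can.
CREATE COLUMN MASTER KEY CMK_Auto1
WITH (
    KEY_STORE_PROVIDER_NAME = N'MSSQL_CERTIFICATE_STORE',  -- Windows Certificate store
    KEY_PATH = N'CurrentUser/My/<thumbprint>'              -- PLACEHOLDER certificate thumbprint
);
GO

CREATE COLUMN ENCRYPTION KEY CEK_Auto1
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Auto1,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x0100   -- PLACEHOLDER: the CEK wrapped with the CMK, supplied by the client
);
GO

CREATE TABLE dbo.Customers (   -- constructed table name
    CustomerId  int IDENTITY PRIMARY KEY,
    -- DETERMINISTIC: same plaintext -> same ciphertext, so equality lookups, joins,
    -- GROUP BY and indexes work. Character columns must use a *_BIN2 collation.
    SSN         char(11) COLLATE Latin1_General_BIN2
                ENCRYPTED WITH (
                    COLUMN_ENCRYPTION_KEY = CEK_Auto1,
                    ENCRYPTION_TYPE = DETERMINISTIC,
                    ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'
                ) NOT NULL,
    -- RANDOMIZED: fresh ciphertext every time, so no lookups, joins, grouping or indexing;
    -- the safer choice for a column that only needs to be read back, never searched.
    CreditCard  nvarchar(25)
                ENCRYPTED WITH (
                    COLUMN_ENCRYPTION_KEY = CEK_Auto1,
                    ENCRYPTION_TYPE = RANDOMIZED,
                    ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'
                ) NULL
);
GO

-- What each choice permits (parameter values must come from an Always Encrypted enabled driver):
--   WHERE SSN = @ssn            works on DETERMINISTIC, fails on RANDOMIZED
--   WHERE SSN LIKE @pattern     fails on both: the engine never sees plaintext
--   SELECT SSN FROM dbo.Customers   returns varbinary ciphertext unless the driver decrypts it
```

The last SELECT is the "quick select" check from the walkthrough: run it from a plain SSMS connection (without the driver's column encryption setting enabled) and the social security numbers come back as ciphertext.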

I hope you found this overview of Always Encrypted useful. It can be very powerful and provide great value to your organization if you need to encrypt sensitive data at rest and in transit.

See also

Interested in an enterprise-level auditing and compliance solution for GDPR, HIPAA, PCI and more, including tamper-proof repository, fail-over/fault tolerant auditing, sophisticated filters, alerting and reports? Consider ApexSQL Audit for SQL Server.

Translated from: https://www.sqlshack.com/is-sql-server-always-encrypted-for-sensitive-data-encryption-right-for-your-environment/
