Encryption software for database

Discussion in 'Databases' started by cis19wcom00, Oct 21, 2010.

Thread Status:
Threads that have been inactive for 5 years or longer are closed to further replies. Please start a new thread.
  1. I would like to know what software to use to encrypt the sensitive information in a SQL 2008 database on the discountasp.net server?
     
  2. dmitri, DiscountASP.NET Staff

    You do not have to use any specific software to encrypt your SQL Server database data. You can use SQL Server's native encryption mechanism called Symmetric Key Encryption to encrypt your sensitive data. For more information on Symmetric Key Encryption please refer to Microsoft Books Online or see the following tutorials:

    Tutorial 1
    Tutorial 2
     
  3. Thanks Dmitri for the reply. However, I am wondering: if I encrypt the database, would decryption be transparent to people who have trusted their sensitive information to my database? Do I need to pass a key or something to the end users to enable them to access their information in my database?
     
  4. dmitri, DiscountASP.NET Staff

    If you encrypt data in your database, the data cannot be read by anyone, and decryption will not be possible for anyone either unless a person has the symmetric key with which the data was encrypted. Yes, you will need to pass the symmetric key with which the data was encrypted to the end user.
     
  5. Thanks again Dmitri,

    1. Let's say I pass the key to 10 users. Is this a one-time deal, or do I need to change the key every time I encrypt?

    2. Also, let's assume I have created a customer account user interface so that users can open an account on my site and leave their sensitive information in the database. Do I need to write software to make it "user friendly" for the customers with the key to do shopping on the site?
     
  6. dmitri, DiscountASP.NET Staff

    You can encrypt your data with the same key and you do not have to change this key. The "user" that has to have a key is the software or T-SQL code that will access your database. The end users or customers do not have to know about this key and the encryption mechanism you are using. The users will be entering or querying their data, and the software will do encryption/decryption behind the scenes. The user interface should always be user friendly and simple.

    Also note that this is column-level encryption. In contrast to database-level encryption, you can create several symmetric keys to encrypt different pieces of your data.
     
  7. Dmitri, thanks again and sorry for my lack of knowledge of encryption/decryption.

    So, let's say I encrypt and write some code or T-SQL to decrypt it.
    1. Is the key embedded in the code or T-SQL?
    2. Can support people of discountASP.net access this code to get the key and access the sensitive information of end users?
    3. Does the end user/customer access their sensitive information "transparently", and will not notice that data is being decrypted (except some minor delay for decryption)?
     
  8. dmitri, DiscountASP.NET Staff

    Symmetric keys are encrypted by Database master keys. Database master keys are protected by the Service Master Key. The Service Master Key is created by SQL Server setup and is encrypted with the Windows Data Protection API. Thus those keys cannot be accessed by anyone. It is up to you as the developer to either embed the keys in your T-SQL code or not. Somehow your code will need to have access to it. Theoretically, you can embed your keys in stored procedures and encrypt those procedures as well using the WITH ENCRYPTION clause. I am saying theoretically, because I personally did not try to do it. You are welcome to try it and let us know if it worked. Or let's just wait until someone else who knows more about encryption replies to this thread. Again, your customers should not see the details of how your application handles the encryption.
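
The column-level scheme discussed in this thread, as an added T-SQL example that is not part of any post and is not DiscountASP.NET's code. It builds the key hierarchy (database master key, certificate, symmetric key) and wraps encryption and decryption in stored procedures that open the key by name, so no key material appears in application code. All object names, the password placeholder and the sample row are assumptions.

```sql
-- Added example: object names, password and sample data are hypothetical.
-- 1. Database master key: protects the private key of the certificate below.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-placeholder>';
GO
-- 2. Certificate: protects the symmetric key.
CREATE CERTIFICATE CustomerDataCert WITH SUBJECT = 'Protects CustomerDataKey';
GO
-- 3. Symmetric key: encrypts the column values.
CREATE SYMMETRIC KEY CustomerDataKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CustomerDataCert;
GO
CREATE TABLE dbo.Customers (
    CustomerId       INT IDENTITY(1,1) PRIMARY KEY,
    Name             NVARCHAR(100)  NOT NULL,
    SensitiveInfoEnc VARBINARY(512) NOT NULL   -- holds ciphertext only
);
GO
-- Write path: the key is referenced by name and opened through the certificate.
CREATE PROCEDURE dbo.AddCustomer @Name NVARCHAR(100), @SensitiveInfo NVARCHAR(100)
AS
BEGIN
    SET NOCOUNT ON;
    OPEN SYMMETRIC KEY CustomerDataKey DECRYPTION BY CERTIFICATE CustomerDataCert;
    INSERT INTO dbo.Customers (Name, SensitiveInfoEnc)
    VALUES (@Name, EncryptByKey(Key_GUID('CustomerDataKey'), @SensitiveInfo));
    CLOSE SYMMETRIC KEY CustomerDataKey;
END
GO
-- Read path: DecryptByKey returns VARBINARY, so convert back to the original type.
CREATE PROCEDURE dbo.GetCustomer @CustomerId INT
AS
BEGIN
    SET NOCOUNT ON;
    OPEN SYMMETRIC KEY CustomerDataKey DECRYPTION BY CERTIFICATE CustomerDataCert;
    SELECT Name,
           CONVERT(NVARCHAR(100), DecryptByKey(SensitiveInfoEnc)) AS SensitiveInfo
    FROM dbo.Customers
    WHERE CustomerId = @CustomerId;
    CLOSE SYMMETRIC KEY CustomerDataKey;
END
GO
-- Constructed sample row: the procedure returns plaintext, the table stores ciphertext.
EXEC dbo.AddCustomer @Name = N'Test Customer', @SensitiveInfo = N'constructed sample value';
EXEC dbo.GetCustomer @CustomerId = 1;
SELECT CustomerId, SensitiveInfoEnc FROM dbo.Customers;
```

Anyone who can execute the read procedure, or who holds permissions on the key and certificate, can recover the plaintext, so access to those objects is what has to be restricted.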
     