SQL Server Encryption in 2005

  • Hi all,

    Hope you can help with some information.

    We are introducing a new company database that is TOP SECRET! on SQL2005. I need to be able to Encrypt the majority of the tables and the rest (only about 10) need to be available for information.

    I need to ensure that the data on the backups is encrypted, and all of the other data cannot be accessed either by DBAs or Server Admins - only the application needs to be able to access the unencrypted data - Can anyone help?

    Any pointers would be appreciated.

  • You might want to look at the new features in SQL Server 2008.

    -- RBarryYoung, (302)375-0451 blog: MovingSQL.com, Twitter: @RBarryYoung
    Proactive Performance Solutions, Inc.
    "Performance is our middle name."

    Encrypting everything in 2005 will cause issues. You can't index well. Think about whether you really need to index all the information or even most of it. If there's any way you can avoid encryption on indexed fields, do it. If you can't, build a hash from the data that can be indexed.

    You can put a certificate in the application and use that to validate logons.

    Be sure you don't encrypt PK/FKs, even if they're just integers since you'll need those clear for performance.

    You can protect data with keys that the DBA doesn't have rights to, but you need auditing, since those features in SS2K5 aren't as strong. The DBA could assign him/herself rights to the keys.

    If the keys are only in the application, I think it will work, but it gets complicated. You should really engage some security architects/consultants in this area. MCS (Microsoft Consulting Services) should help.

    First off you need to know if the features of SQL comply with your "TOP SECRET" requirements.

    With the Operating System holding the soft encryption keys, it's unlikely to meet many people's understanding of "TOP SECRET".

    You're really looking at a hardware based encryption key system, an HSM, and using API calls to the device to decrypt the data. If this is done on the application server, your DBAs will never know what the data is.

  • Thanks for the information guys, I will have a look into it.

    I'm limited to 2005, I want to keep performance and provide maintenance.

    Thanks again all,

    D

  • Maybe you can try EncryptByKey if it's MSSQL 2005, if you really want?
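    The following T-SQL is an added example, not code posted by anyone in this thread. It puts the two pieces of advice above into one script for SQL Server 2005: the EncryptByKey suggestion in the last post, and the earlier post's points about leaving PK/FK integers in the clear, indexing a hash of the data instead of the ciphertext, and granting key access to the application rather than to the DBA. The database, table, column and role names, the certificate password, the salt and the sample row are all assumed values for illustration.

```sql
-- Added example (not from any post in this thread): column-level encryption on
-- SQL Server 2005 with EncryptByKey/DecryptByKey. Integer PK/FK stay in the
-- clear, a salted hash sits beside the ciphertext so equality lookups can use
-- an index, and only an application role is granted the key.
-- All object names, the passphrase, the salt and the sample row are assumed.

USE SecretDb;   -- assumed database name
GO

-- Key hierarchy: database master key -> certificate -> symmetric key (AES-256).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Replace-with-a-long-random-passphrase';
CREATE CERTIFICATE ClientDataCert WITH SUBJECT = 'Client column encryption';
CREATE SYMMETRIC KEY ClientDataKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE ClientDataCert;
GO

-- Only the sensitive column is encrypted; ClientId (PK) and RegionId (FK) stay plain.
-- NationalIdHash = SHA1(salt + plaintext), so the encrypted value can be looked up.
CREATE TABLE dbo.Client (
    ClientId        int            NOT NULL PRIMARY KEY,
    RegionId        int            NOT NULL,       -- FK to a lookup table, left in the clear
    NationalIdEnc   varbinary(512) NOT NULL,       -- EncryptByKey output
    NationalIdHash  binary(20)     NOT NULL        -- indexed, never the ciphertext itself
);
CREATE INDEX IX_Client_NationalIdHash ON dbo.Client (NationalIdHash);
GO

-- Only the application role can open the key. A sysadmin can still grant itself
-- these rights, which is why the earlier post insists on auditing as well.
CREATE ROLE AppCrypto;
GRANT VIEW DEFINITION ON SYMMETRIC KEY::ClientDataKey TO AppCrypto;
GRANT CONTROL         ON CERTIFICATE::ClientDataCert   TO AppCrypto;  -- needed to open the key
GRANT SELECT, INSERT  ON dbo.Client                    TO AppCrypto;
GO

-- Insert, as run by the application. The authenticator ties each ciphertext to
-- its row's PK, so ciphertext copied from one row into another will not decrypt.
DECLARE @Salt       varbinary(16);
DECLARE @ClientId   int;
DECLARE @NationalId nvarchar(32);
SET @Salt       = 0x4F1A9C2E7B3D5E6F0A1B2C3D4E5F6071;  -- assumed salt, held by the application
SET @ClientId   = 1001;                                  -- constructed sample row
SET @NationalId = N'AB123456C';                          -- constructed sample value

OPEN SYMMETRIC KEY ClientDataKey DECRYPTION BY CERTIFICATE ClientDataCert;

INSERT INTO dbo.Client (ClientId, RegionId, NationalIdEnc, NationalIdHash)
VALUES (
    @ClientId,
    7,
    EncryptByKey(Key_GUID('ClientDataKey'), @NationalId, 1, CONVERT(sysname, @ClientId)),
    HashBytes('SHA1', @Salt + CONVERT(varbinary(64), @NationalId))
);

-- Indexed lookup: hash the search value, seek on the hash column, then decrypt
-- only the matching row. Nothing in the table reveals the plaintext or the salt.
SELECT c.ClientId,
       CONVERT(nvarchar(32),
               DecryptByKey(c.NationalIdEnc, 1, CONVERT(sysname, c.ClientId))) AS NationalId
FROM   dbo.Client AS c
WHERE  c.NationalIdHash = HashBytes('SHA1', @Salt + CONVERT(varbinary(64), N'AB123456C'));

CLOSE SYMMETRIC KEY ClientDataKey;
GO
```

    Two caveats a practitioner should check before relying on this. The database master key is by default also protected by the service master key, so anyone who is sysadmin on the instance can open it without the password; that is the "soft keys held by the OS" objection raised earlier in the thread, and keeping the keys in the application or in an HSM is the only way around it. And only the encrypted columns are protected inside a backup; every other page in the backup file is plaintext, since whole-database encryption (TDE) did not appear until SQL Server 2008.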

