best and most secure way to encrypt data

banoo 1

Hello.
I have a program written with .net mvc(c#) and sql server 2014
I want to store some information encrypted in the database.
What is the best and most secure way to encrypt data?
And that encryption is better done in the sql or in C#?

Yijing Sun-MSFT 7,066 Reputation points

2021-06-15T05:40:55.07+00:00

Hi @banoo ,
As far as I think,there won't be a totally secure way.If you only store static data,you should encrypt in SQL. If you have client,you need to store the encrypted value somewhere secure outside of your application(secured database?), or use some external value as part of your decryption process, like a certificate or other private key value.
Best regards,
Yijing Sun
banoo 1 Reputation point

2021-06-15T05:56:50.13+00:00

I want a few columns to be encrypted like passwords or settings or ...
banoo 1 Reputation point

2021-06-15T06:01:27.9+00:00

What is the safest way to encrypt data in .net mvc(c#)?
Thank you for your help
Yijing Sun-MSFT 7,066 Reputation points

2021-06-15T08:58:44.14+00:00

Hi @banoo ,
As far as I think,when it comes to security don't try to reinvent the wheel. Use Claims based authentication.If you still must manage usernames and passwords use Hash-based message authentication code (HMAC).
You could refer to below article:
https://stackoverflow.com/questions/39802164/asp-net-mvc-how-to-hash-password
Best regards,
Yijing Sun
banoo 1 Reputation point

2021-06-17T07:58:29.17+00:00

@Yijing Sun-MSFT @Michael Taylor @Erland Sommarskog @AgaveJoe
Thank you for your answer, dear ones.
It helped me a lot.
One question I have is, is it better to use Sha512 or Bcrypt or HMAC or ... to encrypt the passwords of a web application?
Michael Taylor 48,281 Reputation points

2021-06-17T14:45:44.337+00:00

SHA512 is not secure nor was it designed for that. Again, do not write your own version of this. It is always wrong. Use one of the many available authentication systems already available. Even the framework ships with a version built in. You are not a security expert nor are you keeping up with standards. Let the experts do it for you.

If you must do your own encryption then use the largest key you can support (1K is generally considered minimal) based upon what is available in your framework. Refer to the earlier link I gave around what is supported in .NET. At a minimum you need an algorithm with a really long key (private) and a salt that is random enough to prevent guessing (generally the password itself modified).

Bcrypt is considered the most secure of the lot you specified by many but most secure can vary. It isn't built in so you'll need a library. Refer to this article.

2 answers

Michael Taylor 48,281 Reputation points

2021-06-14T14:21:07.14+00:00

Depends on what your requirements are. If you need to store data even at rest then encryption in SQL is the only way to do that. Otherwise anyone with DB access can read the unencrypted data. But it gets a lot harder as you'll also need to ensure that only specific accounts can decrypt the data otherwise, again, anyone with DB access can read it. Of course this level of security is really only needed for sensitive data that you have no choice but to store for whatever business reasons such as SSNs or CC numbers. Of course the best option is to never store any of this and then encryption isn't needed.

If you need to share data between a client and a server (whatever that means to you) then C# is probably the better route. For example if you're communicating between two machines then HTTPS (already encrypted) is expected. For non-HTTPS then you should encrypt on one side and decrypt on the other, if needed.

As for the mot secure encryption then the general recommendation is asymmetric with the largest key both sides support. Refer to this helpful link in MSDN. You'll want the most secure algorithm with the largest key that you can manage. Of course this is expensive so if you don't need as much security then symmetric is easier but more vulnerable.

.NET docs have a good summary of all this to read.
Please sign in to rate this answer.
Erland Sommarskog 101K Reputation points MVP

2021-06-14T21:55:54.19+00:00

Depends on what your requirements are. If you need to store data even at rest then encryption in SQL is the only way to do that. Otherwise anyone with DB access can read the unencrypted data.

The other way round. You need to encrypt data in the client and store the encrypted values in the database. If SQL Server encrypts, the values can be retrieved with database access only.

SQL 2016 offers the feature Always Encrypted, where encryption indeed occurs in the client, but where SQL Server has knowledge and understanding of that the data is encrypted.

With SQL 2014, you will need to roll your own entirely.

banoo 1 Reputation point

2021-06-15T06:00:13.723+00:00

What is the safest way to encrypt data in .net mvc(c#)?
Thank you for your help

banoo 1 Reputation point

2021-06-15T06:01:36.207+00:00

What is the safest way to encrypt data in .net mvc(c#)?
Thank you for your help

AgaveJoe 26,201 Reputation points

2021-06-15T11:29:14.863+00:00

As explained above, SQL Server comes with encryption services where data at rest is not easily read.

The only reason to encrypt data in MVC, other than using standard SSL, is the design passes sensitive data to the browser. The safest method is to fix the design and stop passing sensitive data to the browser. Can you explain how your MVC application works, what type of data needs encryption, and why the design might pass sensitive data to the browser?

Michael Taylor 48,281 Reputation points

2021-06-15T13:10:23.233+00:00

No, I was talking about using masked columns which is supported in SQL in newer versions for securing specific columns from even the eyes of SSMS. Hence no one other than the limited users/groups who have unmask rights can see the real data. This is commonly used in PII columns like SSN and CC #s as I mentioned. This has to be done at the DB level, in addition to any client side protection you want to use.

Michael Taylor 48,281 Reputation points

2021-06-15T13:16:25.257+00:00

I already gave you the link to the docs that help decide which approach to use based upon your needs. Do you read it yet? Do you understand the difference between asymmetric and symmetric encryption?

If you want a few columns protected then masking is an option. The data is not visible to anyone who doesn't have the unmask rights. You can also encrypt the DB to provide more protection if desired.

For the specific example of a password you will want to encrypt the data before saving to the database using a one-way encryption algorithm. With a password you never need to retrieve it and therefore don't need to be able to decrypt. However you shouldn't be rolling your own. There are plenty of identity systems available. MVC ships with one and there is IdentityServer. They already handle this. Do not build your own. This is always the wrong approach and unsecure.

Erland Sommarskog 101K Reputation points MVP

2021-06-15T21:30:15.847+00:00

No, I was talking about using masked columns which is supported in SQL in newer versions for securing specific columns from even the eyes of SSMS.

Dynamic Data Masking is not encryption. Nor is DDM very good protection against SSMS users - it's quite easy to get the data. DDM is mainly an aide to the application.

And banoo is using SQL 2014, which does not support Dynamic Data Masking.

And if the data is passwords, they should be stored as salted hashes, and not be retrievable at all.
Sign in to comment
Tom Phillips 17,716 Reputation points

2021-06-17T14:41:02.88+00:00

There are several options. The answer to your question depends on who exactly you are trying to hide the encrypted data from?
Please sign in to rate this answer.

0 comments No comments
Sign in to comment