SQL Server Backup Encryption Details

justin 1

Hello,

The Backup Encryption page mentions AES 256 can be used for encrypting backups. However, it does not go into IV generation, Cipher block mode, or Authentication of backups. https://learn.microsoft.com/en-us/sql/relational-databases/backup-restore/backup-encryption?view=sql-server-ver15

If AES 256 is selected, is the algorithm AEAD_AES_256_CBC_HMAC_SHA_256 used?

Thanks

1 answer

CathyJi-MSFT 21,121 Reputation points Microsoft Vendor

2020-08-26T06:57:59.007+00:00

Hi @ justin-7809，

> If AES 256 select, is the algorithm AEAD_AES_256_CBC_HMAC_SHA_256 used?

No. AES 256 is one Encryption Algorithm for backup encryption. Always Encrypted uses the AEAD_AES_256_CBC_HMAC_SHA_256 algorithm to encrypt data in the database. Refer to Data Encryption Algorithm.

Best regards,
Cathy
Please sign in to rate this answer.

1 person found this answer helpful.
justin 1 Reputation point

2020-08-26T14:33:26.47+00:00

Thanks Cathy,

Can you go into a bit more detail about encrypted backups?

In cryptography, "AES 128", "AES 256", etc. alone would only allow a single block of data to be encrypted. A block cipher mode (CBC,CTR, GCM, etc.) would be needed to encrypt multiple blocks of data. Additionally, AES 256 alone doesn't provide authentication checks, meaning the ciphertext can be tampered with. For non-authenticated block cipher modes (CBC, CTR, etc.), it's common to see HMAC being used to verify ciphertext is not modified. These details are not mentioned on the encryption backup page, and are necessary to understand how secure backups are.

This information, as you mentioned, is clearly stated on the "Data Encryption Algorithm" section for the "always encrypted" feature. It's unclear if encrypted backups provide the same level of cryptographic security, as only the ciphers ("AES 128"," AES 256", etc) are stated.

CathyJi-MSFT 21,121 Reputation points Microsoft Vendor

2020-08-27T09:07:11.743+00:00

Hi @justin ，

To encrypt a backup we need to configure an encryption algorithm (supported encryption algorithms are: AES 128, AES 192, AES 256, and Triple DES) and an encryptor (a certificate or asymmetric key). It seem security for this backup. I do not know more about encryption algorithm. Please check if below blogs could help you.

Understanding AES 256 Encryption
Advanced Encryption Standard (AES)

Best regards,
Cathy

===============================================

If the response helped, do "Accept Answer" and upvote it.

justin 1 Reputation point

2020-08-27T16:00:04.467+00:00

Thanks Cathy,

I apologize if my question is not clear, but I am not asking about the details of the underlying cipher (AES 128, AES 192, AES 256, etc.). My question is related to which cipher block mode is being used, how IV are generated , and if backups are verified to not be modified through authenticated encryption.

As these questions are pretty technical, can you please consult with the SQL Server engineering/cryptography team for a detailed response?

Thank you.

CathyJi-MSFT 21,121 Reputation points Microsoft Vendor

2020-08-28T07:38:16.317+00:00

Hi @justin ，

Maybe you can ask professional engineer for help, https://support.microsoft.com/en-us/assistedsupportproducts
Sign in to comment

Share via

SQL Server Backup Encryption Details

1 answer