Always Encrypted - Security

Sakthi 121 Reputation points
2023-04-21T06:18:56.72+00:00

I have a security related question regarding the Always encrypted option, I understand that we can encrypt the sensitive data in the column using Column master key and column encryption key and it can be saved in the Azure Key Vault.

However, we can access the decrypted data using SSMS (by enabling the Always Encrypted option). Now, if the hacker hacks the server, then the hacker will be able to read the sensitive data using SSMS by just knowing the username/Password of the SQL DB.

Can you please suggest how can we make it secure so that the hacker will not be able to read the data no matter even if the server is hacked?

SQL Server
SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
12,853 questions
0 comments No comments
{count} votes

Accepted answer
  1. Ronen Ariely 15,096 Reputation points
    2023-04-23T01:45:28.4+00:00

    Hi,

    Can you please suggest how can we make it secure so that the hacker will not be able to read the data no matter even if the server is hacked?

    The basic idea of Always Encrypted is that the encryption keys is never revealed to the Database Engine, so it has no meaning if the server is hacked https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-ver16&WT.mc_id=DP-MVP-5001699 According to your description you stored the key in the Azure Key Vault, which mean that as long as the client cannot connect to it then it cannot use it.

    0 comments No comments

0 additional answers

Sort by: Most helpful