column level encryption

Question

column level encryption

Scorzato, Luigi 20

Dear colleagues,

my client wants to encrypt specific columns in a table with different keys (to segregate more than the default encryption at rest).

I see this solution:

https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/encrypt-a-column-of-data

BUT, I understand that it has the following drawbacks:

It is not transparent: the user must explicitly choose the key, encrypt/decrypt the column.
It is hardly portable to other clouds/DBs,
Efficient select/filter/search on the encrypted attribute is compromised because of impossibility of indexing on them.

(Please correct me if any of the above points is wrong.)

Do you know of any (Azure or partner) solution that implements encryption with different key for different columns and is as efficient (and possibly as transparent) as the default databases encryption at rest?

SSingh-MSFT 16,461 Reputation points Moderator

2023-06-29T06:14:53.24+00:00

Hi Scorzato, Luigi •,

Welcome to Microsoft Q&A forum and thanks for using Azure Services.

As I understand, you want to know about column level encryption in Azure SQL Database.

Could you please take a look at the below standard Microsoft documentation for the same and let us know if you have already implemented it and face issue at any step:

https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/encrypt-a-column-of-data?view=sql-server-ver16

https://databasefaqs.com/azure-sql-database-column-encryption/

Awaiting your reply. Thanks
Scorzato, Luigi 20 Reputation points

2023-06-29T08:08:32.7766667+00:00

thank you for your reply. The links you provided use essentially the same logic as the link I provided, and have the same drawbacks. In particular, I cannot have efficient search/filter/select on the encrypted attribute(s) because of lack of index(es). The standard DB encryption at rest does not have this problem because indexes are created by the DB on the unencrypted data and they are then encrypted with the data, transparently to the users.

My question is if any DB in Azure offers the ability to encrypt different columns with different keys, while also building the necessary indexes (based on the plain text values), as it is done by the default encryption at rest.
SSingh-MSFT 16,461 Reputation points Moderator

2023-06-30T05:52:09.62+00:00

Hi Scorzato, Luigi •,

Thanks for the reply.

Let me check on this and get back to you with an update.
SSingh-MSFT 16,461 Reputation points Moderator

2023-07-03T09:19:42.38+00:00

Hi Scorzato, Luigi •,

Glad to know that the below response by Sedat was helpful. Thank you for marking this answer as accepted. This will help others find useful answers faster.

Please feel free to take a survey on the relevant answer. You can help us improve by leaving feedback verbatim.

Was this answer helpful? Yes/No

Have a good day!

Regards,

Shakti

Answer accepted by question author

0 additional answers

Your answer

SSingh-MSFT 16,461 Reputation points Moderator

2023-06-29T06:14:53.24+00:00

Hi Scorzato, Luigi •,

Welcome to Microsoft Q&A forum and thanks for using Azure Services.

As I understand, you want to know about column level encryption in Azure SQL Database.

Could you please take a look at the below standard Microsoft documentation for the same and let us know if you have already implemented it and face issue at any step:

https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/encrypt-a-column-of-data?view=sql-server-ver16

https://databasefaqs.com/azure-sql-database-column-encryption/

Awaiting your reply. Thanks
Scorzato, Luigi 20 Reputation points

2023-06-29T08:08:32.7766667+00:00

thank you for your reply. The links you provided use essentially the same logic as the link I provided, and have the same drawbacks. In particular, I cannot have efficient search/filter/select on the encrypted attribute(s) because of lack of index(es). The standard DB encryption at rest does not have this problem because indexes are created by the DB on the unencrypted data and they are then encrypted with the data, transparently to the users.

My question is if any DB in Azure offers the ability to encrypt different columns with different keys, while also building the necessary indexes (based on the plain text values), as it is done by the default encryption at rest.
SSingh-MSFT 16,461 Reputation points Moderator

2023-06-30T05:52:09.62+00:00

Hi Scorzato, Luigi •,

Thanks for the reply.

Let me check on this and get back to you with an update.
SSingh-MSFT 16,461 Reputation points Moderator

2023-07-03T09:19:42.38+00:00

Hi Scorzato, Luigi •,

Glad to know that the below response by Sedat was helpful. Thank you for marking this answer as accepted. This will help others find useful answers faster.

Please feel free to take a survey on the relevant answer. You can help us improve by leaving feedback verbatim.

Was this answer helpful? Yes/No

Have a good day!

Regards,

Shakti

Answer 1

Hope this links also works for you

https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-enclaves-configure-encryption-tsql?view=sql-server-ver16

To answer your question, Azure SQL Database provides a feature called "Always Encrypted with secure enclaves" which allows the creation and use of indexes on columns that are encrypted using deterministic or randomized encryption with enclave-enabled keys. These indexes are sorted based on ciphertext for deterministic encryption, and based on plaintext values for randomized encryption. The key values in the index data structure (B-tree) are encrypted and sorted based on their plaintext values.

There are two methods for invoking indexing operations with column encryption keys:

Provided directly by the client: The application issuing a query that triggers an operation on an index must connect to the database with both Always Encrypted and enclave computations enabled for the database connection. The application must also have access to the column master key protecting the column encryption key for the indexed column. Once SQL Server Engine parses the application query and determines it will need to update an index on an encrypted column to execute the query, it instructs the client driver to release the required column encryption key to the enclave over a secure channel.
Using cached column encryption keys: Once a client application sends a column encryption key to the enclave for processing any query that requires enclave computations, the enclave caches the column encryption key in an internal cache. If the same or another client application used by the same or a different user triggers an operation on an index without providing the required column encryption directly, the enclave will look up the column encryption key in the cache.

As for encrypting different columns with different keys, the documentation on Always Encrypted with secure enclaves does not explicitly mention this. However, the logic of the feature suggests it should be possible, given that different column encryption keys can be used for different columns and these keys can be provided by the client or retrieved from the enclave's internal cache.

Share via

column level encryption

0 additional answers

Your answer