forced encryption and tls

Mudit Gupta 81 Reputation points
2022-02-01T21:22:33.077+00:00

Hello
I am trying to understand what TLS 1.2 does and whether there is any correlation between TLS 1.2 and the Force Encryption option.

As I understand it, TLS 1.2 is a security protocol which encrypts end-to-end network traffic. It does nothing to the data itself. Data is unencrypted.

And how about the connection? Isn't the connection also unencrypted even though TLS 1.2 is enabled? Because when I query sys.dm_exec_connections, I see encrypt_option = FALSE (TLS 1.2 is enabled).

However, when Force Encryption is enabled from SQL Server Configuration Manager, encrypt_option = TRUE.

Another question: what good is Force Encryption if no server certificate is chosen? For example, I only set Force Encryption = Yes but do nothing on the Certificate tab in SQL Server Configuration Manager.

Thanks


Accepted answer
    CathyJi-MSFT (Microsoft Vendor)
    2022-02-02T03:16:14.57+00:00

    Hi @Mudit Gupta ,

    > And how about the connection? Isn't the connection also unencrypted even though TLS 1.2 is enabled?

    Yes, you are right.

    There are requirements and necessary steps to utilize TLS encryption:

    • Check the prerequisites for certificate management and usage
    • Review the existing trusted TLS certificate from the certificate stores (local machine or current user)
    • Configure SQL Server protocols for the desired SQL Server instance and enable the Force Encryption option

    You see encrypt_option = FALSE (TLS 1.2 is enabled) because you did not enable the Force Encryption option.

    > What good is Force Encryption if no server certificate is chosen? For example, I only set Force Encryption = Yes but do nothing on the Certificate tab in SQL Server Configuration Manager.

    We can encrypt with a self-signed certificate, but TLS connections that are encrypted using a self-signed certificate do not provide strong security. They are susceptible to man-in-the-middle attacks. You should not rely on TLS using self-signed certificates in a production environment or on servers that are connected to the Internet.

    If you want more information about this, please read the MS document below.

    Enable encrypted connections to the Database Engine


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
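The thread's question and answer both hinge on what sys.dm_exec_connections reports. The following T-SQL is an added example (not part of the original question or answer) that audits the instance the way a practitioner would after flipping Force Encryption: it lists each user connection with its encrypt_option alongside the transport and authentication scheme, summarises how many connections are still in cleartext, and fails the current session if it is not encrypted. Note that encrypt_option reflects whether this particular connection negotiated TLS; it changes either because the server forces encryption or because the client asked for it (Encrypt=True in the connection string), and it says nothing about the TLS protocol version, which this DMV does not expose. The login running it is assumed to hold VIEW SERVER STATE; the error number 50000 and message are arbitrary choices for the example.

```sql
-- Added example (not from the original post): audit connection encryption on a
-- SQL Server instance using the DMV the question refers to.
-- Assumption: the executing login has VIEW SERVER STATE.

-- 1. Per-connection detail. encrypt_option is the column that Force Encryption
--    (or a client requesting Encrypt=True) changes; net_transport, protocol_type
--    and auth_scheme are independent of it and help explain odd rows, e.g. a
--    local Shared Memory connection versus a remote TCP one.
SELECT  c.session_id,
        s.login_name,
        s.program_name,
        c.client_net_address,
        c.net_transport,      -- TCP, Shared memory, Named pipe, ...
        c.protocol_type,      -- TSQL for normal client sessions
        c.auth_scheme,        -- SQL, NTLM, KERBEROS
        c.encrypt_option      -- 'TRUE' when this connection is TLS-encrypted
FROM    sys.dm_exec_connections AS c
JOIN    sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE   s.is_user_process = 1
ORDER BY c.encrypt_option, c.session_id;

-- 2. Summary: how many user connections are cleartext versus encrypted.
--    After enabling Force Encryption and restarting the service, every row
--    from a remote TCP client should land in the 'TRUE' bucket.
SELECT  c.encrypt_option,
        c.net_transport,
        COUNT(*) AS connections
FROM    sys.dm_exec_connections AS c
JOIN    sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE   s.is_user_process = 1
GROUP BY c.encrypt_option, c.net_transport
ORDER BY c.encrypt_option, c.net_transport;

-- 3. Guard for the session running this script: fail loudly if it is not
--    encrypted. Useful at the top of a deployment or health-check script so
--    credentials and data are never sent over a cleartext session by mistake.
IF NOT EXISTS (SELECT 1
               FROM   sys.dm_exec_connections
               WHERE  session_id = @@SPID
               AND    encrypt_option = 'TRUE')
BEGIN
    -- 50000 is an arbitrary user-defined error number chosen for this example.
    THROW 50000,
          N'This session is not TLS-encrypted: enable Force Encryption on the server or connect with Encrypt=True.',
          1;
END;
```

Run the first two queries before and after changing Force Encryption (the setting takes effect only after the SQL Server service restarts) to see the encrypt_option column flip; the third statement is the check to keep in scripts that must never run over a cleartext connection.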


0 additional answers
