Blog Post

Using Cell-Level Encryption in SQL Server

Industry guidance such as the Payment Card Industry Data Security Standard (PCI-DSS), Healthcare Insurance Portability and Accountability Act (HIPAA) and numerous state privacy breach notification laws require the use of encryption for sensitive data such as credit card numbers, security related data etc. To meet these compliance and regulatory requirements, SQL Server provides users the choice between transport-level encryption, cell-level encryption, full database-level encryption by using TDE, or the file-level encryption options provided by Windows. I’ve already discussed the database-level and transport-level encryption in my previous blog posts here and here respectively. In this blog post, I’m going to show you the implementation of cell-level encryption.

What is Cell-level encryption?

The Cell-level encryption is a series of built-ins and the key management hierarchy. This option follows a manual process that requires a redesign of the application to call the encryption and decryption functions. In addition, you also must modify the schema to store the data as varbinary and then recast back to appropriate data type when read.

The SQL Server encryption key hierarchy

Microsoft Reference: http://technet.microsoft.com/en-us/library/cc966395.aspx

Comparing the Cell-level encryption options

When encrypting data, you need to choose the most appropriate encryption options. The options available are described as follow:

  • Passphrase – A password that can contain spaces. A passphrase is the least secure option. It requires you to use the same passphrase when encrypting and decrypting the data. If stored procedures and functions aren’t encrypted, the passphrase is accessible through metadata.
  • Asymmetric key – Offers strong protection by using a different key to encrypt and decrypt the data. However, it provides poor performance and shouldn’t be used to encrypt large values. Can be signed by the database master key or created using a password.
  • Symmetric key – Offers good performance and is strong enough for most requirements. Uses the same key to encrypt and decrypt the data.
  • Certificate – Offers strong protection and good performance. Can be associated with a user. A certificate must be signed by the database master key.

Important Built-In functions for Cell-level encryption

Encryption

Decryption

Demo: Cell-level Encryption

For the purpose of this demo, I’m going to use AdventureWork2012 database.

Create Database Master Key (DMK):

USE AdventureWorks2012
GO
-- Creates a database master key encrypted by password $Str0nGPa$$w0rd
CREATE MASTER KEY ENCRYPTION BY PASSWORD  = '$tr0nGPa$$w0rd' 
GO

 
Encrypting data using Symmetric Key encrypted by Asymmetric Key – The purpose of creating is the Asymmetric key is to encrypt our Symmetric Key.

Create Asymmetric Key:

USE AdventureWorks2012
GO
-- Creates an asymmetric key encrypted by password '$e1ectPa$$w0rd'
CREATE ASYMMETRIC KEY MyAsymmetricKey 
    WITH ALGORITHM = RSA_2048
    ENCRYPTION BY PASSWORD  = '$e1ectPa$$w0rd'
GO

 

Execute the query below, to view the information about asymmetric key:

USE [AdventureWorks2012]
GO
SELECT * FROM [sys].[asymmetric_keys] 
GO

 

Create Symmetric Key:

USE [AdventureWorks2012]
GO
-- Creates an symmetric key encrypted by asymmetric key
CREATE SYMMETRIC KEY MySymmetricKey
    WITH ALGORITHM = AES_256  
    ENCRYPTION BY ASYMMETRIC KEY MyAsymmetricKey
GO

 

Execute the query below, to view the information about symmetric key:

USE [AdventureWorks2012]
GO
SELECT * FROM [sys].[symmetric_keys] 
GO

 

For demonstration purposes, I’m going to create a table called TestEncryption. This table has three columns Name, CreditCardNumber and EncryptedCreditCardNumnber. The EncryptedCreatedCardNumber stores the encrypted credit card number stored in CreditCardNumber column. Also insert some dummy data into this table for demonstration purposes. Execute the following code to create this table and insert dummy data:

USE [AdventureWorks2012]
GO
CREATE TABLE TestEncryption
([Name]                            [varchar] (256)
,[CreditCardNumber]                [varchar](16)
,[EncryptedCreditCardNumber]       [varbinary](max))
GO
INSERT INTO TestEncryption ([Name], [CreditCardNumber])
SELECT 'Simon Jones', '9876123456782378'
UNION ALL
SELECT 'Kim Brian', '1234567898765432'
GO
SELECT * FROM TestEncryption
GO

 
ResultSet:

USE [AdventureWorks2012]
GO
-- Opening the symmetric key
OPEN SYMMETRIC KEY MySymmetricKey
DECRYPTION BY ASYMMETRIC KEY MyAsymmetricKey 
WITH PASSWORD  = '$e1ectPa$$w0rd'
GO

 

Execute the following query returns the list of opened key:

USE [AdventureWorks2012]
GO
SELECT * FROM [sys].[openkeys]
GO

 

Now execute the following script update the TestEncryption table to insert the values in EncryptedCreditCardNumbers column from CreditCardNumbers column:

USE [AdventureWorks2012]
GO
--As you can see we are using ENCRYPTBYKEY function to encrypt the column values
UPDATE TestEncryption
SET [EncryptedCreditCardNumber] = ENCRYPTBYKEY(KEY_GUID('MySymmetricKey'), CreditCardNumber)
GO

 

Once successfully executed, Verify the value inside EncryptedCreditCardNumber column by running the following query:

USE [AdventureWorks2012]
GO
SELECT * FROM [TestEncryption]
GO

 
ResultSet:

Executing the following query to retrieve the data inside EncryptedCreditCardNumber column using DECRYPTBYKEY encryption function:

USE [AdventureWorks2012]
GO
SELECT CONVERT([varchar](16), DECRYPTBYKEY([EncryptedCreditCardNumber]))
 FROM [TestEncryption]
GO

 
ResultSet:

Encrypting data using symmetric key encrypted using Passphrase – In this script, The data is encrypted using symmetric key using Phaseprase (see below):

USE [AdventureWorks2012]
GO
-- Creating symmetric key encrypted by password
CREATE SYMMETRIC KEY MySymmetricKeyPwd
    WITH ALGORITHM = AES_256    
    ENCRYPTION BY PASSWORD = 'RememberMe!' 
GO
-- Opening the symmetric key
OPEN SYMMETRIC KEY MySymmetricKeyPwd
DECRYPTION BY PASSWORD = 'RememberMe!' 
GO
-- Add EncryptedCreditCardNumber2 column in the Test encryption table. 
-- This column stores the data encrypted using key encrypted by Passphrase. 
ALTER TABLE TestEncryption
ADD [EncryptedCreditCardNumber2] [varbinary](max)
GO
--As you can see we are using ENCRYPTBYKEY function to encrypt the column values
UPDATE [TestEncryption]
SET [EncryptedCreditCardNumber2] = ENCRYPTBYKEY(KEY_GUID('MySymmetricKeyPwd'), CreditCardNumber)
GO
SELECT * FROM [TestEncryption]
GO

 
ResultSet:

Encrypting data using Certificate – You can also encrypt the data using Certificate as follow:

USE [AdventureWorks2012]
GO
-- Creates a certificate 
CREATE CERTIFICATE MyCertificate
   WITH SUBJECT = 'Demo Cert', 
   EXPIRY_DATE = '10/31/2050'
GO
-- Creating symmetric key encrypted by password
CREATE SYMMETRIC KEY MySymmetricKeyCert
    WITH ALGORITHM = AES_256    
    ENCRYPTION BY CERTIFICATE MyCertificate
GO
-- Opening the symmetric key
OPEN SYMMETRIC KEY MySymmetricKeyCert
DECRYPTION BY CERTIFICATE MyCertificate 
GO
-- Add two more columns in the Test encryption table. 
-- EncryptedCreditCardNumber3 column stores the data encrypted directly using certificate. 
-- EncryptedCreditCardNumber4 column stores the data encrypted key encrypted using certificate.
ALTER TABLE TestEncryption
ADD [EncryptedCreditCardNumber3] [varbinary](max),
    [EncryptedCreditCardNumber4] [varbinary](max)
GO
--You either encrypt the data directly using certificate
UPDATE [TestEncryption]
SET [EncryptedCreditCardNumber3] = ENCRYPTBYCERT(CERT_ID('MyCertificate'), CreditCardNumber)
GO
SELECT * FROM sys.certificates
--You either encrypt the data directly using certificate
UPDATE [TestEncryption]
SET [EncryptedCreditCardNumber4] = ENCRYPTBYKEY(KEY_GUID('MySymmetricKeyCert'), CreditCardNumber)
GO
-- Examine the encrypted columns
SELECT [EncryptedCreditCardNumber3] 
      ,[EncryptedCreditCardNumber4]
FROM [TestEncryption]
GO
-- Reading data by decrypting data of [EncryptedCreditCardNumber3] using DECRYPTBYCERT function
SELECT CONVERT([varchar](16), 
            DECRYPTBYCERT(CERT_ID('MyCertificate')
           ,[EncryptedCreditCardNumber3])) AS [CreditCardNumber]
 FROM [TestEncryption]
GO
-- Reading data by decrypting data of [EncryptedCreditCardNumber4] using DECRYPTBYKEY function
SELECT CONVERT([varchar](16)
            ,DECRYPTBYKEY([EncryptedCreditCardNumber4])) AS [CreditCardNumber]
 FROM [TestEncryption]
GO

 
ResultSet:

Benefits of using Cell-level encryption

  • Cell-level encryption offers more granular level of encryption.
  • Data is not decrypted until it is used so that even the page is loaded into memory, sensitive data is not in clear text.
  • Key can be assigned to users and protect by password to prevent automatic decryption.

Drawbacks of using Cell-level encryption

  • Administrator is burdened with maintaining the keys.
  • For cell-level encryption, the performance impact on SQL Server optimization is 20% more than it is for Transparent Data Encryption (TDE).

Conclusion

Encryption is the process of hiding data using a key or password. This can make the data useless without the corresponding decryption key or password. Encryption does not solve the problems of access control. However, it improves security by limiting data loss even if access controls are omitted.

References

Rate

You rated this post out of 5. Change rating

Share

Share

Rate

You rated this post out of 5. Change rating