SSRG International Journal of Computer Science and Engineering (SSRG-IJCSE) – Volume X Issue Y–Month 2018

Popular SQL Server Database Encryption

Choices
Sourav Mukherjee
Senior Database Administrator &
PhD student at University of the Cumberlands
Chicago, United States
smukherjee3818@ucumberlands.edu

Abstract some, or all the below features. Now, Vormetric

This article gives the overview of different database Transparent encryption is not developed by Microsoft.
encryption choices in SQL Server. Which one works This is developed by Vormetric Inc, a San Jose based
best in which situation. In today’s world Data is more company that works on data security platform services.
crucial than the expensive hardware cost. No one This product is tightly integrated to other encryption
wants their personal data to be comprised. Same for product keys, such as IBM’s Guardium Data Encryp-
business houses as well and they also do not want tion, Oracle’s Transparent Data Encryption (TDE) and
their data to be inappropriately handled to go out of Microsoft SQL Server TDE, in addition to Vormetric
the business. To help protect the public rights and keys.
safety, recently this year, the European Union had
come up with strict rules and regulation of GDPR Let’s move on with the features of each of the four
(General Data Protection Regulation). encryption models,

Keywords— Always Encrypted, Transparent Data • Always Encrypted (AE)

Encryption (TDE), Cell Level Encryption (CLE), Dy- • Transparent Data Encryption (TDE) & Cell Lev-
namic Data Masking (DDM), Vormetric Transparent el Encryption (CLE)
Encryption (VTE), Encryption, Data Recovery. • Dynamic Data Masking (DDE)
• Vormetric Transparent Encryption (VTE)
I. INTRODUCTION
In today’s world, data is more crucial than the ex- Now, when the entire IT world is concerned about
pensive hardware cost. No one wants their personal data security, protection, vulnerability management,
data to be comprised. Same goes with business houses let's quickly check how Transparent Data Encryption
as well; they also do not want their data to be Inappro- (TDE) or Always Encrypted (AE) can help solve some
priately handled to go out of the business. To help of the problems.
protect the public rights and safety, the European Un-
ion had come up with strict rules and regulation of The new Always Encrypted feature introduced in SQL
GDPR (General Data Protection Regulation) this year. 2016 allows the database administrators to encrypt
Now, this regulation is confined to EU Economic Area sensitive data inside an application—without having
and Territory. I’m sure other developed and develop- to reveal the encryption keys to the SQL database or
ing countries will also bring their own territorial rules server.
and guidelines sooner or later to strictly adhere to the
data privacy rules in protecting confidential customer Whereas, Transparent Data Encryption (TDE) and
details. Anyway, this article is not related to the dis- Cell Level Encryption (CLE) encrypt an entire data-
cussion about GDPR. However, the focus of this arti- base while at rest (at disk level), Always Encrypted
cle is to talk about some of the excellent features de- encrypts at the column level but with several addition-
veloped by Microsoft to handle the data encryption, al benefits (on the wire).
that is, how to implement more security features to the
SQL Server software bundle (except the last feature). The client-side application is entirely uninformed of
the implementation of TDE or the CLE and no such
The area of topic of discussion here is about the fol- software is installed on the client-side system. All
lowing list of four topics which are widely used and such encryption tasks are carried out by the SQL
adopted by the organizations. By and large, every or- Server database alone.
ganization nowadays does have the Cybersecurity
team. Further, many organizations have extended this The below diagram will show case about how a
arm to define their corporate security best practices. Transparent Encryption logic or algorithm functions.
They do check out the ways the organization’s valua-
ble data assets can be protected and if they use Mi-
crosoft SQL Server to store data, then they use any,

ISSN: 2231 – 2803 www.internationaljournalssrg.org Page 1

 SSRG International Journal of Computer Science and Engineering (SSRG-IJCSE) – Volume X Issue Y–Month 2018

Fig 2: Always Encrypted Process [1]

Why I do prefer Always Encrypted in comparison

with Transparent Data Encrypted is:

Always Encrypted can encrypt the data at the column

level, rather than at the whole database level which is
for Transparent Data Encrypted. So, you get a more
granular choice to implementing the encryption. Is not
that great?

Fig 1: Transparent Data Encryption Process [2] • In Always Encrypted the data is encrypted both at
rest and in the memory and where the decryption
Basically, if you want your database backup to be pro- logic is defined at the Client side and it is done by
tected then TDE works v well. If you implement TDE Client Driver. This signifies that one can shield
in the source server and if you want to restore data- the data from harmful threats (by admins and by
base to another server then you need a master key, the man sitting in the middle to attack).
certificate to restore. Think about how you open your • Whereas Transparent Data Encryption (TDE) can
locker in the bank. One key is with you and the other only offer encryption at rest and that means not
key is with the ban professional to implement an extra fully secured.
layer on protection.
However, there are some limitations to the implemen-
On the other hand, the Always Encrypted (AE) pro- tation of Always Encrypted.
vides transparent encryption from the database to cli-
ent applications. This AE feature is improved upon
• It can be just a single column which is so far for
TDE by providing extra layer of encryption of sensi-
AE.
tive data in memory and in transit, as well as at rest.
The Always Encrypted-enabled driver actually per- • To implement this feature, modification of the
forms the encryption and the decryption of the appli- existing applications may be required.
cation. The owner of the information can then govern • You can’t involve tempdb to include part of AE
any potential leakage to database administrators by • Columns that are using one of the subsequent
preserving the decryption keys so that administrators datatypes such as: xml, timestamp, rowversion,
do not have incidental access to sensitive data. By image, ntext, text, sql_variant, geography, hierar-
contrast, the database administrator has access to the chyid, alias, geometry, user defined-types, etc.
encryption keys with TDE by using the master key • Some of the encrypted data types may require a
and the certificates. “_bin2” collation type, which may require few
DDL code changes.
The below diagram shows that how the Always En- • Your application will need to be compatible
crypted process typically works. with .NET 4.6. If not, may not work.
• The application administrator will need to fully
understand the encryption keys to ensure that they
are protected—both from the

ISSN: 2231 – 2803 www.internationaljournalssrg.org Page 2

 SSRG International Journal of Computer Science and Engineering (SSRG-IJCSE) – Volume X Issue Y–Month 2018

• Database administrators and other unintended designated users. It has few simple masking functions
audiences. which are either inbuilt or you can customize based on
• The encryption keys will also need to be backed your own need and through that you can prevent users
up for disaster recovery. to few unmasked data.
• Adding AE may increase your database size and
CPU usage (especially for database writes) and The beauty of this feature is that it does not require
adding encryption may also prevent any dedupli- any coding effort from the application side or encrypt-
cation algorithms. ing or applying any change to the real data stored in
• Some of the SQL Server features such as replica- the disk.
tion are not currently supported in all editions. In-
stead you might have to upgrade to costlier Enter-
prise Edition.

One significant restriction of Always Encrypted is that

it can only be applied to a limited subset of SQL oper-
ations. Many such SQL operations are complex and
cannot be handled by Always Encrypted.

Also, note that–

• The Always Encrypted feature provides an entry-

level additional level of security for sensitive data Fig 3: Dynamic Data Masking Process
that may allow for reduction in administrator
costs. Yet, the requirements tend to depend on One example of DDM which I can think of is that
new application development rather than tweak- when calling the customer care of credit card company,
ing the existing systems. they validate either last 4 or 6 digits of SSN number or
• Many complex SQL operations tasks may not any other sensitive customer data. If the application
work with Always Encrypted feature. I would on- does support DDM, the call center agent may only ask
ly commend using Always Encrypted feature if few digits of the number rather asking for the entire
the application design and architecture is fairly sensitive number. This is a cool way of handling or
simple and straight forward. protecting customer data.

For example, you may want to use Always Encrypted There are four masking function in which are used to
to send data from a SQL Server database which is mask the data:
hosted internally to a web-based SQL Server database
and application. The data will be safe guarded in the • Default
transition and will be encrypted in the database. If
your web application does basic SQL queries at the • Random
database layer, this method can work well.

Dynamic Data Masking (DDM)

Dynamic data masking is introduced in SQL

Server 2016 edition and Azure SQL Database,
and is configured by using basic Transact-
SQL commands.

This feature is to restrict the revelation of

sensitive data. It prevents the users by elimi-
nating the access to the data to view it. This is
a complementary security feature and need to
be used with other security features such as
audit, encryption or row level security.

Dynamic data masking (DDM) masks sensi-

tive data on fly while protecting sensitive
data to be viewed by non-privileged or

ISSN: 2231 – 2803 www.internationaljournalssrg.org Page 3

 SSRG International Journal of Computer Science and Engineering (SSRG-IJCSE) – Volume X Issue Y–Month 2018

• Custom String
[ChangedDate] [datetime] MASKED WITH (FUNC-
• Email TION = 'default()') NULL
)
Code Snippet to be used to Implement Dynamic
Data Masking using SQL Server T SQL (Edition
SQL 2016 and onwards) --3 Insert Records to the table.
Insert Into [dbo].[EmployeeContacts] values ('Sourav',
--1 Create the Database 'Mukherjee', '1234-3026-4508-4325',
USE [master] 10000,'smukherjee3818@ucumberlands.edu',
GO 'smukherjee3818@ucumberlands.edu','2018-12-30
CREATE DATABASE [DynamicDataMaskingDemo] 08:00:00')
CONTAINMENT = NONE
ON PRIMARY --4 Grant permission to the user to the table.
( NAME = N'DDM', FILENAME = N'C:\Program CREATE USER [ReadOnlyTestUser] WITHOUT
Files\Microsoft SQL Serv- LOGIN;
er\MSSQL14.MSSQLSERVER\MSSQL\DATA\DD GRANT SELECT ON [EmployeeContacts] TO
M.mdf' , SIZE = 8192KB , MAXSIZE = UNLIM- [ReadOnlyTestUser];
ITED, FILEGROWTH = 65536KB )
LOG ON
( NAME = N'DDM_log', FILENAME = --5 Check table records (with super user permis-
N'C:\Program Files\Microsoft SQL Serv- sion)
er\MSSQL14.MSSQLSERVER\MSSQL\DATA\DD select * from [DynamicDataMasking-
M_log.ldf' , SIZE = 8192KB , MAXSIZE = 2048GB , Demo].[dbo].[EmployeeContacts];
FILEGROWTH = 65536KB )
GO
--6 Check the record using the user permission.
--2 Create your table with proper functions Execute as USer = 'ReadOnlyTestUser';
Use [DynamicDataMaskingDemo] select * from [DynamicDataMasking-
GO Demo].[dbo].[EmployeeContacts];
CREATE TABLE [dbo].[EmployeeContacts] Revert
( --This section will apply the masking function.
[ID] [int] IDENTITY(1,1) NOT NULL Pri-
mary key, Observation:
[FName] [nvarchar](30) MASKED WITH • The data will be masked for the user ReadOn-
(FUNCTION = 'default()') NOT NULL, lyTestUser. Check out Fig #4 below about before
[LName] [nvarchar](30) NOT NULL, masking vs after masking results.
[CreditCard] [varchar](20) MASKED WITH
(FUNCTION = 'partial(2, "XX-XXXX-XXXX-XX", Conclusion:
2)') NULL, • This method allows developer to debug the Pro-
[SalaryUSD] [int] MASKED WITH duction environment without breaking the securi-
(FUNCTION = 'default()') NULL, ty or privacy for a user.
[OfficalEmail] [nvarchar](100) MASKED
WITH (FUNCTION = 'email()') NULL,
[PersonalEmail] [nvarchar](100) MASKED
WITH (FUNCTION = 'email()') NULL,

Fig 4: Results of Dynamic Data Masking from SQL

ISSN: 2231 – 2803 www.internationaljournalssrg.org Page 4

 SSRG International Journal of Computer Science and Engineering (SSRG-IJCSE) – Volume X Issue Y–Month 2018

Dynamic Data Masking also comes with its to encrypt data stored in all types of databases either it
own limitations: is structured or unstructured kind and at the file and
folder levels which does not require any underlying
A masking rule cannot be defined for the following changes to the databases or at the application level.
column types:
The Vormetric Transparent Encryption software has
• Columns with already defined encryption such as an agent which runs on servers or at the VM level to
Always Encrypted control access to files, folders and volumes. It finally
reports the activities to DSM. The DSM is a physical
• Associated with FILESTREAM or a virtual application which provides a Web-based
user interface which can manage the complete plat-
• It cannot be configured on a computed column. form. Agents can also apply the policies which are
However, if the computed column is dependent defined in the DSM to regulate the user actions, such
on a column with a MASK, then it will return the as limiting which user can access the encryption key
masked data. and for what purpose they can use it. The administra-
tors can use the DSM to monitor the databases and
• It can’t be a part of Full Text Index systems. They can also view current status, or they can
manage the encryption keys, or they can also govern
• It can’t be performed on a column with any de-
access privileges.
pendency. As a workaround, remove the depend-
ency first and then add DDM and finally recreate
Customers rely on Vormetric application encryption
the dependency. Let’s say if the dependency is on
for several key reasons. By encrypting data in the ap-
a column in an index, then drop the index first
plication server, it is secured while in transit and in
then apply the mask and finally recreate the de-
storage. Data is protected across its lifecycle including
pendent index.
when it is backed up, migrated and archived. The solu-
tion insures that administrators and others with system
The final topic of discussion here is on Vormetric
and infrastructure access can't access sensitive data
Transparent Encryption. Not sure how many of you
and application encryption can reduce the scope of
got a chance to work using Vormetric but it offers
PCI DSS compliance.
many cool features.
Very importantly if encrypted data is stolen attackers
• Vormetric is specialized for enterprise level en- won't have any means to decrypt the data, so it won't
cryption and for key management to protect da- be of any use or value even if a SQL injection attack is
tabases which are in physical, virtual and Cloud successful at extracting data from a compromised
Environments. This solution delivers compre- server only encrypted data will be returned to the
hensive capabilities that enable your organiza- hacker which won't be of any value and finally it pro-
tion to address a broad range of security objec- tects from insider threats. Even your administrators
tives. It also simplifies implementation and man- won't be able to see sensitive.
agement for metric enables organizations to se-
cure data across all their environments including II. CONCLUSIONS
physical virtual cloud and big data. The Data Se-
curity Platform contains encryption, the key Every IT and security group are under growing pres-
management, key vault and toolkit products sure as they continue to have more sensitive data to
which are all managed via the Vormetric Data protect, more threats to combat and more compliance
Security Manager also known as DSM. Vormet- mandates to address. One of the best ways to contend
ric's Transparent Encryption module is an agent with these
which runs at the file system level on a server
that encrypts data at rest. It is also used to access increasing security demands is to encrypt sensitive
control, and for collecting security logs. data. Recent research has revealed that how the adop-
tion of encryption has increased as has the number of
• It is often employed for compliance especially objectives it is being used to address the most com-
for protecting credit cards, medical records, per- mon reasons for employing encryption.
sonal information and intellectual property.
In addition, encryption is being used to safeguard an
Vormetric Product features organization's reputation.

Vormetric distinguishes itself from the competitors by Finally, security breaches have become a near certain-
providing transparent encryption, access controls that ty for most organizations now. Security managers
too at the granular levels and security intelligence. It started realizing that encryption can mitigate the dam-
also offers cloud platform support. It has the capability age that these attacks inflict to address. It is believed
that more than thirty five percent of organizations
ISSN: 2231 – 2803 www.internationaljournalssrg.org Page 5
 SSRG International Journal of Computer Science and Engineering (SSRG-IJCSE) – Volume X Issue Y–Month 2018

have instituted a consistent encryption strategy. How- Security, AI and Machine Learning. He is an MCT
ever, as the use of encryption has grown so has the (Microsoft Certified Trainer) since 2017 and holds
number of encryption solutions that have been sup- other premier certifications such as MCP, MCTS,
ported in fact more than seventy percent of organiza- MCDBA, MCITP, TOGAF, Prince2, Certified Scrum
tions are working with five or more encryption tech- Master and ITIL
nologies.

Companies historically have rolled out too many sin-

gle purpose encryption tools and products that can
only secure specific types of data systems or environ-
ments. As a result, to address their growing require-
ments, IT and security teams have had to procure,
monitor and manage a collection of disjointed tech-
nologies which is complex, inefficient and expensive.
Now organizations have a compelling alternative to
these piecemeal approaches.

Under the hood, carefully choosing the right encryp-

tion policy and strategy is most important in keeping
your organization safe and protecting the data and
information secured.

REFERENCES
[1] Microsoft TechNet blog post, Always Encrypted (Database
Engine) - SQL Server | Microsoft Docs
[https://social.technet.microsoft.com/wiki/contents/articles/37
979.working-with-the-always-encrypted-feature-in-sql-server-
2016.aspx]

[2] Microsoft MSDN Document Library article, Transparent

Data Encryption (TDE)
[https://docs.microsoft.com/en-us/sql/relational-
databases/security/encryption/transparent-data-
encryption?view=sql-server-2017]

[3] Mukherjee, S. (n.d.). How IT allows E-Participation in Policy-

Making Process (p. 12).
https://doi.org/10.6084/m9.figshare.7796063.v2

[4] Mukherjee, S. (n.d.). Benefits of AWS in Modern Cloud.

AUTHOR’S PROFILE
Sourav Mukherjee is a Senior Database Administrator
and Data Architect based out of Chicago. He has more
than 12 years of experience working with Microsoft
SQL Server Database Platform. His work focusses in
Microsoft SQL Server started with SQL Server 2000.
Being a consultant architect, he has worked with dif-
ferent Chicago based clients. He has helped many
companies in designing and maintaining their high
availability solutions, developing and designing ap-
propriate security models and providing query tuning
guidelines to improve the overall SQL Server health,
performance and simplifying the automation needs.
He is passionate about SQL Server Database and the
related community and contributing to articles in dif-
ferent SQL Server Public sites and Forums helping the
community members. He holds a bachelor's degree in
Computer Science & Engineering followed by a mas-
ter’s degree in Project Management. Currently pursu-
ing Ph.D. In Information Technology from the Uni-
versity of the Cumberlands. His areas of research in-
terest include RDBMS, distributed database, Cloud

ISSN: 2231 – 2803 www.internationaljournalssrg.org Page 6