Always Encrypted manually decrypt Column Encryption Key - sql

I've configured Always Encrypted for my SQL installation, that is I've got a CMK pointing towards a Windows Keystore key, which in turn is used to decrypt the CEK.
Now I'm trying to think of some nice backup solutions for the CMK.
Currently I have the exact same RSA key configured in Azure, I've confirmed both keys to work (Windows Keystore key and Azure) by encrypting with the first and decrypting with the latter.
But the problem I'm having is, in case I lose the windows keystore key, I lose the ability to decrypt Always Encrypted keys.
The Azure key doesn't "expose" the key, meaning I can encrypt and decrypt with the key, but I can't export it.
When configuring key rotation in SQL you need the "original key".
I've tried to simply make a new CMK in SQL which points to the Azure environment by using "ALTER COLUMN ENCRYPTION KEY", but I get an error when I try to access the data.
My guess is that the CEK contains some metadata linking it to the key that is Windows based.
My question then is, is there a way to manually decrypt the column encryption key using a valid RSA key?

Yes, you can manually decrypt the column encryption key and master key using Always Encrypted with secure enclaves, but these features are only allowed in the DC-series hardware configuration together with Microsoft Azure Attestation, which are available in only a few locations. So, you need to select a location (an Azure region) that supports both DC-series hardware and Microsoft Azure Attestation.
Note: DC-series is available in the following regions: Canada Central, Canada East, East US, North Europe, UK South, West Europe, West US.
Choose DC-series while deploying the SQL Database by following the steps below.
Make sure the SQL server is deployed in a DC-series supported location. Click on Configure database.
Select hardware configuration
Select DC-series, click on OK, Apply and deploy the database.
Now create attestation provider using Azure Portal. Search for attestation in search bar and select Microsoft Azure Attestation.
On the Overview tab for the attestation provider, copy the value of the Attest URI property to the clipboard and save it in a file. This is the attestation URL; you will need it in later steps.
Select Policy on the resource menu on the left side of the window or on the lower pane.
Set Attestation Type to SGX-IntelSDK.
Select Configure on the upper menu.
Set Policy Format to Text. Leave Policy options set to Enter policy.
In the Policy text field, replace the default policy with the policy below.
[ type=="x-ms-sgx-is-debuggable", value==false ]
&& [ type=="x-ms-sgx-product-id", value==4639 ]
&& [ type=="x-ms-sgx-svn", value>= 0 ]
&& [ type=="x-ms-sgx-mrsigner", value=="e31c9e505f37a58de09335075fc8591254313eb20bb1a27e5443cc450b6e33e5"]
=> permit();
Configure your database in SSMS. Click on Options and enter the attestation URL that you copied in step 5.
Using the SSMS instance from the previous step, in Object Explorer, expand your database and navigate to Security > Always Encrypted Keys.
Provision a new enclave-enabled column master key:
Right-click Always Encrypted Keys and select New Column Master Key....
Select your column master key name: CMK1. Make sure you select either Windows Certificate Store (Current User or Local Machine) or Azure Key Vault.
Select Allow enclave computations.
Now simply encrypt your column. See the example below.
ALTER TABLE [HR].[Employees]
ALTER COLUMN [SSN] [char] (11) COLLATE Latin1_General_BIN2
ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = [CEK1], ENCRYPTION_TYPE = Randomized, ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL
WITH
(ONLINE = ON);
ALTER TABLE [HR].[Employees]
ALTER COLUMN [Salary] [money]
ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = [CEK1], ENCRYPTION_TYPE = Randomized, ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL
WITH
(ONLINE = ON);
ALTER DATABASE SCOPED CONFIGURATION CLEAR PROCEDURE_CACHE;
Verify the encrypted data.
To decrypt using the customer encryption key, see the example below.
ALTER TABLE [HR].[Employees]
ALTER COLUMN [SSN] [char](11) COLLATE Latin1_General_BIN2
WITH (ONLINE = ON);
GO
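The question guesses that the encrypted CEK carries metadata tying it to the Windows-based key, and that ALTER COLUMN ENCRYPTION KEY needs the original key. The following T-SQL is an added example, not code from the question or the answer, that makes both points visible from the catalog. The views are SQL Server's own; the byte layout it splits (version, key-path length, ciphertext length, key path, RSA-OAEP ciphertext, RSA signature) is taken from Microsoft's published Always Encrypted cryptography description, not from this page. The CMK name [CMK_AKV] and the 0x00 encrypted value in the rotation step are placeholders.

```sql
-- Added example (not from the page): show which column master key (CMK) each
-- column encryption key (CEK) value is wrapped with, and pull the CMK path
-- that is embedded inside the wrapped value itself.
--
-- Layout of sys.column_encryption_key_values.encrypted_value, per Microsoft's
-- Always Encrypted cryptography documentation (assumption stated here, not on
-- the page):
--   byte 1     : version (0x01)
--   bytes 2-3  : key path length, little-endian
--   bytes 4-5  : ciphertext length, little-endian
--   next N     : CMK key path as recorded by the key store provider, UTF-16LE
--   next M     : RSA-OAEP ciphertext of the raw CEK
--   remainder  : RSA signature over every byte before it
WITH ecek AS (
    SELECT
        cek.name                     AS cek_name,
        cmk.name                     AS cmk_name,
        cmk.key_store_provider_name,
        cmk.key_path                 AS catalog_key_path,
        v.encryption_algorithm_name,
        v.encrypted_value,
        CAST(SUBSTRING(v.encrypted_value, 1, 1) AS tinyint) AS version,
        -- two little-endian bytes -> int: low byte + 256 * high byte
        CAST(SUBSTRING(v.encrypted_value, 2, 1) AS int)
          + 256 * CAST(SUBSTRING(v.encrypted_value, 3, 1) AS int) AS key_path_len,
        CAST(SUBSTRING(v.encrypted_value, 4, 1) AS int)
          + 256 * CAST(SUBSTRING(v.encrypted_value, 5, 1) AS int) AS ciphertext_len
    FROM sys.column_encryption_key_values AS v
    JOIN sys.column_encryption_keys AS cek
        ON cek.column_encryption_key_id = v.column_encryption_key_id
    JOIN sys.column_master_keys AS cmk
        ON cmk.column_master_key_id = v.column_master_key_id
)
SELECT
    cek_name,
    cmk_name,
    key_store_provider_name,
    catalog_key_path,
    encryption_algorithm_name,
    version,
    -- The path baked into the wrapped key: this is the link between the
    -- encrypted CEK and the key store that wrapped it. A varbinary-to-nvarchar
    -- cast decodes the UTF-16LE bytes.
    CAST(SUBSTRING(encrypted_value, 6, key_path_len) AS nvarchar(max)) AS embedded_key_path,
    SUBSTRING(encrypted_value, 6 + key_path_len, ciphertext_len)      AS rsa_oaep_ciphertext,
    SUBSTRING(encrypted_value, 6 + key_path_len + ciphertext_len,
              DATALENGTH(encrypted_value) - 5 - key_path_len - ciphertext_len) AS signature,
    DATALENGTH(encrypted_value)                                       AS total_len
FROM ecek
ORDER BY cek_name, cmk_name;
GO

-- Rotation adds a SECOND value for the same CEK, wrapped under the new CMK.
-- SQL Server never sees the raw CEK: the ENCRYPTED_VALUE must be produced by a
-- client (SSMS, the SqlServer PowerShell module, or your own code) that can
-- unwrap the existing value with the ORIGINAL CMK and re-wrap it with the new
-- one. [CMK_AKV] and the 0x00 literal are placeholders for that client output.
ALTER COLUMN ENCRYPTION KEY [CEK1]
ADD VALUE (
    COLUMN_MASTER_KEY = [CMK_AKV],
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x00   -- placeholder: real value comes from the client
);
GO

-- Once every client can reach the new CMK, drop the value wrapped by the old one.
ALTER COLUMN ENCRYPTION KEY [CEK1]
DROP VALUE (COLUMN_MASTER_KEY = [CMK1]);
GO
```

Re-running the first query after the ADD VALUE step shows two rows for CEK1, one per CMK, each with its own embedded path. Because the trailing signature covers the header, the embedded path and the ciphertext, the client-side key store provider verifies it before unwrapping, so a value cannot simply be re-pointed at a different CMK by editing catalog metadata; it has to be re-wrapped by a client holding the original key.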

Related

External Database Scoped Credential via SAS

Is it possible to create a database scoped credential in Synapse for Azure Blob Storage?
Tried this scenario :
WITH IDENTITY = 'SHARED ACCESS SIGNATURE', SECRET = '<your SAS secret without the preleading ?>'; CLOSE MASTER KEY; -- only necessary if you need to close the master key context. (it will close with the session/query close)
But it is failing
SAS database scoped credentials for an Azure Storage account are supported only in Azure SQL Database and not in Synapse.
You need to use storage account keys only in Synapse.
In Synapse you would get the error below:
Secret provided can not contain more than 120 characters. Please provide a valid credential.

Can't change anything in Encryption after deleting a vault key

I deleted a key vault that was used in a storage account.
Now if I try to change anything in the Encryption section of the storage (like change the encryption type or using a new key), I am getting:
The operation failed because the specified key vault key 'https://dev-certs2.vault.azure.net/keys/<my-previous-key/xxxxxxxxxxxxxxxx' was not found
Is there a way to change it without having to create a new storage account?
By default, soft delete is enabled when you create the key vault, and the default retention period is 90 days. If your key vault was deleted within the last 90 days, you can follow the steps below; if it exceeds 90 days, there seems to be no way to do that without creating a new storage account (not 100% sure, you may need to contact Azure support).
1. Use PowerShell to check whether the key vault is in the Removed state; if there is no output, it means the 90 days have been exceeded.
Get-AzKeyVault -VaultName joyk -Location <the same location with the storage> -InRemovedState
2. Use PowerShell to recover the previously deleted key vault.
Undo-AzKeyVaultRemoval -VaultName joyk -ResourceGroupName <group-name> -Location <the same location with the storage>
3. Navigate to the storage account in the portal -> Encryption; you will be able to change the encryption type or use a new key. After configuring, you can delete the key vault again.

(Next Cloud) Error while trying to create admin user

When I was trying to install Nextcloud on a web host server, I got this error message when finally creating the admin account and configuring the database information.
Error while trying to create admin user: An exception occurred while executing 'CREATE TABLE oc_migrations (app VARCHAR(255) NOT NULL, version VARCHAR(255) NOT NULL, PRIMARY KEY(app, version)) DEFAULT CHARACTER SET UTF8 COLLATE utf8_bin ENGINE = InnoDB': SQLSTATE[42000]: Syntax error or access violation: 1071 Specified key was too long; max key length is 1000 bytes
Maybe there is a way to fix this problem. I am using InfinityFree.net as the web host to test Nextcloud.
Thank you
From Nextcloud's installation manual:
The following is currently required if you’re running Nextcloud together with a MySQL / MariaDB database:
InnoDB storage engine (MyISAM is not supported)
From InfinityFree's knowledge base:
It’s not possible to create InnoDB tables. The InnoDB storage engine for MySQL is not supported on InfinityFree. Only the MyISAM storage engine can be used.
If your script requires the InnoDB storage engine, you need to upgrade your account.
If you do decide to get a premium account, then you'll also need to make sure that innodb_large_prefix is enabled in their my.cnf file.

How can I view all the stored session's REDIS keys and values in .Net application?

Session["User"] = "LTA";
I used this session in my application.
I am unable to view these stored session values in my .NET application.
I tried the following way:
ConnectionMultiplexer redisConnection = ConnectionMultiplexer.Connect("hostname,ssl=true,password=privatekey,allowAdmin=true");
var redisServer = redisConnection.GetServer("hostname", port);
Here I am able to get the key list and client list using the code below:
redisServer.Keys()
redisServer.ClientList()
but the keys show up like
\skdkhciduhcahoaids_Data
\skdkhciduhcahoaids_Internal
Are these encrypted key values? (This is my first query)
Then,
This result doesn't change if I open the application in multiple browsers. But actually I expect 4 results if I open the application in 2 browsers, because 2 sessions are being handled when the application runs in 2 browsers.
Why does it give the same result?
Am I able to view stored session values over the Redis connection? If yes, how can I view the session values?
Thanks in advance.....
I got a solution for the first and second questions:
Are these encrypted key values?
The ASP.NET session ID is stored as a key in the Redis cache.
Redis key of the stored session value
Why does it give the same result?
When I log in with the same user it shows the same result. But if I log in with a different user it shows a different result for every login.

Cannot Decrypt the encrypted columns from the database backup on local machine

I have SQL Server 2014 running on one of our servers. We're in the process of implementing security steps for our databases. I've encrypted a column in one of the tables in the database on the server. The issue is that when I restore the backup on my local SQL Server and run a query to decrypt the column data, it gives me null values. On the other hand, when I decrypt the column data on the main server it works fine. I found a thread on this forum which states to do the following when restoring the encrypted database on a different server.
USE [master];
GO
OPEN MASTER KEY DECRYPTION BY PASSWORD = 'StrongPassword';
ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY;
GO
select File_Name
, CONVERT(nvarchar,DECRYPTBYKEY(File_Name))
from [test].[dbo].[Orders_Customer]
I tried doing the above, still no luck.
Can anybody point me in the right direction? Any help is greatly appreciated.
Thanks
You've opened the master key (in your example) in the master DB.
Change the first line to use
Use Test;
The OPEN MASTER KEY statement works in the context of the current database. You opened it whilst in master, but then selected that data from the Test DB.
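To make the context point concrete, here is an added T-SQL script; it is not the poster's or the answerer's code. It runs every key operation inside the restored database and also opens the symmetric key, since DECRYPTBYKEY returns NULL unless the key is open in the session. The post does not name the symmetric key or certificate that protects the column, so [OrdersKey] and [OrdersCert] are hypothetical names you would replace with the real ones.

```sql
-- Added example (not from the post): decrypt in the context of the restored
-- database. [OrdersKey] and [OrdersCert] are placeholder names; find the real
-- ones with:  SELECT name FROM sys.symmetric_keys;  SELECT name FROM sys.certificates;
USE [test];
GO

-- 1. The database master key (DMK) came with the backup, but this instance's
--    service master key (SMK) cannot open it yet. Open it by password IN THIS
--    DATABASE and re-protect it with the local SMK so it opens automatically.
OPEN MASTER KEY DECRYPTION BY PASSWORD = 'StrongPassword';
ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY;
CLOSE MASTER KEY;
GO

-- 2. Open the symmetric key that encrypted the column. Its certificate's
--    private key is protected by the DMK, which now opens automatically.
OPEN SYMMETRIC KEY [OrdersKey] DECRYPTION BY CERTIFICATE [OrdersCert];

-- Sanity check: the key must be listed as open for THIS database in this session.
SELECT database_name, key_name, key_guid
FROM sys.openkeys;

-- CONVERT(nvarchar, ...) with no length defaults to 30 characters and silently
-- truncates, so give it an explicit length.
SELECT File_Name,
       CONVERT(nvarchar(4000), DECRYPTBYKEY(File_Name)) AS File_Name_plain
FROM [dbo].[Orders_Customer];

CLOSE SYMMETRIC KEY [OrdersKey];
GO

-- 3. Alternative that does not need OPEN SYMMETRIC KEY: let the engine open the
--    key via the certificate for the duration of the query. This too only works
--    while the DMK of the current database can be opened.
SELECT File_Name,
       CONVERT(nvarchar(4000),
               DECRYPTBYKEYAUTOCERT(CERT_ID('OrdersCert'), NULL, File_Name)) AS File_Name_plain
FROM [dbo].[Orders_Customer];
GO
```

If step 1 fails with an error about the password, the DMK password used on the source server is wrong; if the sys.openkeys query shows the key open under a different database_name than [test], the session is still in the wrong database context, which is exactly the NULL-result symptom described above.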