Saturday 18 November 2017

Always Encrypted In SQL Server 2016

Overview Always Encrypted

It a new security feature that ensures sensitive data is encrypted in database and remain all time.
Means Encrypted Data at rest.


Clear separation between who own the data and who manage the data.

Even DBAs, System admins and cloud admins can’t access data.

How its work?

  • Client driver encrypt data.
  • Required master key digital certificate on both db and application which contain private key.
  • Digital certificate could be store into
    • Local key store - default windows certificate store.
    • HSM - Hardware security module third parties solution to manage dsc in network, like safenet.
    • Azure vault - Microsoft’s cloud-based solution for certificate management
  • Required Column Key

What is Master key and Column key?

Column key protect the data and master key protect the column encryption key.


For simple configuration watch a Youtube Video.

C# code to Access Data

using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using static System.Console;

namespace ReadWriteAlwaysEncrypted
    class Program
        static string connectionString = "Data Source=.; Initial Catalog=DB2016; Integrated Security=true; Column Encryption Setting=enabled";

        static void Main(string[] args)

            //InsertData("Raja babu", "M", "12345678912347" , "89000", "", "8800280088");

        static void InsertData(string name, string gender, string creditCard, string salary, string email, string phone)

            using (SqlConnection connection = new SqlConnection(connectionString))
                using (SqlCommand cmd = connection.CreateCommand())
                    cmd.CommandText = @"INSERT INTO dbo.PersonalInformation (Name, Gender,CreditCard, Salary, Email, Phone)VALUES( @Name, @Gender, @CreditCard, @Salary, @Email, @Phone);";

                    SqlParameter paramSSN = cmd.CreateParameter();
                    paramSSN.ParameterName = @"@Name";
                    paramSSN.DbType = DbType.String;
                    paramSSN.Direction = ParameterDirection.Input;
                    paramSSN.Value = name;

                    SqlParameter paramGender = cmd.CreateParameter();
                    paramGender.ParameterName = @"@Gender";
                    paramGender.DbType = DbType.String;
                    paramGender.Direction = ParameterDirection.Input;
                    paramGender.Value = gender;

                    SqlParameter paramCreditCard = cmd.CreateParameter();
                    paramCreditCard.ParameterName = @"@CreditCard";
                    paramCreditCard.DbType = DbType.AnsiStringFixedLength;
                    paramCreditCard.Direction = ParameterDirection.Input;
                    paramCreditCard.Value = creditCard;

                    SqlParameter paramSalary = cmd.CreateParameter();
                    paramSalary.ParameterName = @"@Salary";
                    paramSalary.SqlDbType = SqlDbType.Int;
                    paramSalary.Direction = ParameterDirection.Input;
                    paramSalary.Value = salary;

                    SqlParameter paramEmail = cmd.CreateParameter();
                    paramEmail.ParameterName = @"@Email";
                    paramEmail.DbType = DbType.String;
                    paramEmail.Direction = ParameterDirection.Input;
                    paramEmail.Value = email;

                    SqlParameter paramPhone = cmd.CreateParameter();
                    paramPhone.ParameterName = @"@Phone";
                    paramPhone.DbType = DbType.String;
                    paramPhone.Direction = ParameterDirection.Input;
                    paramPhone.Value =phone;


                    WriteLine("Record Inserted.");

        static void ReadData(int id)
            using (SqlConnection connection = new SqlConnection(connectionString))
                using (SqlCommand cmd = connection.CreateCommand())
                    cmd.CommandText = @"SELECT * FROM [dbo].[PersonalInformation] WHERE id=@id";
                    SqlParameter paramID = cmd.CreateParameter();
                    paramID.ParameterName = @"@id";
                    paramID.DbType = DbType.Int32;
                    paramID.Direction = ParameterDirection.Input;
                    paramID.Value = id;

                    using (SqlDataReader reader = cmd.ExecuteReader())
                        if (reader.HasRows)
                            while (reader.Read())
                                WriteLine($"{reader[0]}, {reader[1]}, {reader[2]}, {reader[3]}, {reader[4]}, {reader[5]}");