SQL Always Encrypted - I don't get it

Question

SQL Always Encrypted - I don't get it

rann

SSC Rookie

Points: 38
More actions
January 27, 2022 at 7:10 pm

#3978032

HI,
I really tried to understand this, but its seems beyond me.
In many documentation it keep stating that everything is done on the client sideL
I saw a DBA on youtube stating - I own the keys as a client, what can be more secure than this ?! only I can encrypt / decrypt the data.
I read an article here stating that since everything is done client side, it can protect a man in the middle attacks.
I keep seeing a promise on the client side implantation of it... Just that real end clients, at list in my scenario, never have direct access to the DB, it always goes via an APP server, that reside next to the DB, I give the app server the certificate... well this is not really client side, no man in the middle protection, not a user really owning the key.
My clients are web apps, and native mobile apps, goes via an APP server that talk to the DB...
Would appreciate if you can let me know what do I miss...

Thanks,
Ran

Viewing 3 posts - 1 through 2 (of 2 total)

You must be logged in to reply to this topic. Login to reply

Eddie Wuerch SSChampion Points: 12532 More actions · Answer 1

"My clients are web apps, and native mobile apps, goes via an APP server that talk to the DB"

You seem to understand it. The key point is that the value stays encrypted until you decrypt it. The protections exist until you decrypt it.

When you decrypt the value and display it on a web page, you're removing the protection by rendering it unencrypted by the app server. Any further protection of that decrypted value is then on you to provide (SSL, etc.).

If you want Always Encrypted to protect the data all the way to the client's device, then you have to put the app that can decrypt the data on that device.

Eddie Wuerch
MCM: SQL

rann SSC Rookie Points: 38 More actions · Answer 2

"If you want Always Encrypted to protect the data all the way to the client's device, then you have to put the app that can decrypt the data on that device."

Putting such app on the device is a good idea , just that always encrypted feel unsuitable for that... it requires that the app talk directly with the DB.

The DB today is already with TDE and encrypted during Transit, so I wonder what will this layer add to us, when the app server, a box next to our DB is holding the CMK Certificate....