Last week at Ignite, we announced a major SQL security investment that enhances Always Encrypted with secure enclave technologies to enable:
- Rich computations on encrypted columns, including pattern matching, range comparisons, and sorting, which opens Always Encrypted to a broad range of applications and scenarios that require such computations to be performed inside the database system.
- In-place encryption: schema changes that involve cryptographic operations on sensitive data, for example initial data encryption, rotating a column encryption key, or changing the data type of an encrypted column, without migrating the data outside of the database for any of the cryptographic operations.
Our efforts to enhance the functionality of Always Encrypted are part of the recently announced Azure confidential computing initiative.
Introduced in 2016, Always Encrypted makes it possible to encrypt sensitive data in use, so that the confidentiality of the data is protected from malware that may infect the machines hosting the database, and from high-privilege but unauthorized users, including machine admins, DBAs and administrators of the cloud platform hosting the database. However, in the currently generally available versions of SQL Server (2016 and 2017) and Azure SQL Database, this level of protection comes at a price that is too high for some customers: the functionality of queries on encrypted columns is significantly reduced, because equality comparison is the only SQL operation possible on encrypted columns (and only with deterministic encryption). Other challenges we hear customers struggle with today stem from the fact that the SQL Server Engine cannot (by design) perform any cryptographic operations on sensitive data and never has access to the cryptographic keys. To encrypt existing data or make any schema change that involves re-encrypting or decrypting the data, customers need to use tools such as the Always Encrypted Wizard in SSMS or the Set-SqlColumnEncryption cmdlet in PowerShell, which download the data, encrypt, decrypt or re-encrypt it on the client, and upload the data back to the database. This process can take a long time and is prone to network errors.
To address the above challenges, we plan to leverage secure enclave technologies, such as Intel Software Guard Extensions (SGX). An enclave is a protected region of memory that acts as a trusted execution environment. An enclave appears as a black box to the containing process and to other processes running on the machine: there is no way to view the data or the code inside the enclave from the outside, even with a debugger. In the case of SGX, this guarantee is hardware-based and enforced by the processor. Enclaves also ensure that only authorized code is permitted to run inside the enclave and access the data: the code is measured when the enclave is loaded, and an enclave whose code has been altered or tampered with does not pass that check, so operations on the data are denied and the environment is disabled. The enclave enforces these protections throughout the execution of the code within it.
The way the enhanced Always Encrypted feature uses enclaves is illustrated in the diagram below. The SQL Server Engine process contains an enclave loaded with the code implementing the cryptographic algorithms used in Always Encrypted (e.g. AES-256), as well as the code implementing SQL operations such as LIKE predicates or range comparisons (e.g. using '<' or '>'). Before submitting a query to the SQL Server Engine for processing, the SQL client driver within the application sends the keys that may be required for the operations in the query to the enclave over a secure channel. That channel is only as trustworthy as the driver's verification that the other end is a genuine enclave running the expected code (enclave attestation); releasing column encryption keys to an unverified endpoint would defeat the protection described above. When processing queries, the SQL Server Engine delegates rich computations and cryptographic operations on encrypted columns to the enclave, where the data is decrypted and processed. Note that sensitive data remains encrypted everywhere within the SQL Server Engine outside of the enclave.
While the new architecture will enable us to support a broad range of computations on encrypted columns inside the SQL Server Engine, we initially target the most commonly requested operations: pattern matching (LIKE), range queries, sorting (ORDER BY), and a broad set of data type conversions. The example below shows a query searching employee records by the last four digits of a social security number (assuming the SSN column is encrypted).
DECLARE @SSNPattern CHAR(11) = '%9838'
SELECT * FROM [dbo].[Employees] WHERE [SSN] LIKE @SSNPattern
GO
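The post's example only exercises LIKE. The query below, an added example that is not from the original post, extends it to the other two operations the paragraph lists, a range comparison and ORDER BY, in a single statement. It assumes a hypothetical encrypted [Salary] column (money) and a plaintext [EmployeeID] column on the same [dbo].[Employees] table, and, as in the example above, that the query is issued from a client whose driver encrypts the variables before they reach the server (for instance SSMS with Always Encrypted parameterization enabled), since a plaintext literal cannot be compared against an encrypted column inside the engine.

```sql
-- Added example (not from the original post).
-- Assumes [dbo].[Employees] has the encrypted [SSN] column from the post, a
-- hypothetical encrypted [Salary] MONEY column, and a hypothetical plaintext
-- [EmployeeID] column. Both encrypted columns use randomized encryption under
-- an enclave-enabled column encryption key.
-- The search values must be variables/parameters the client driver encrypts;
-- they cannot be written as literals directly in the WHERE clause.
DECLARE @SSNPattern CHAR(11) = '%9838';
DECLARE @MinSalary  MONEY    = 50000;
DECLARE @MaxSalary  MONEY    = 90000;

-- Pattern matching (LIKE), range comparisons (>, <) and sorting (ORDER BY) on
-- encrypted columns. The engine hands the encrypted values and the encrypted
-- parameters to the enclave, which decrypts and compares them; the result set
-- leaves the engine still encrypted and is decrypted by the client driver.
SELECT [EmployeeID], [SSN], [Salary]
FROM [dbo].[Employees]
WHERE [SSN] LIKE @SSNPattern
  AND [Salary] > @MinSalary
  AND [Salary] < @MaxSalary
ORDER BY [Salary] DESC;
GO
```

Against the generally available releases described earlier in the post, this query would be rejected: LIKE, the range comparisons and ORDER BY on the encrypted columns all require the enclave, and without it only equality comparison on deterministically encrypted columns is possible.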
Enabling cryptographic operations locally eliminates the need to move the data out of the database for initial encryption or for other encryption-related schema changes. This greatly improves the performance and reliability of such operations and means they can be triggered with ALTER TABLE ALTER COLUMN T-SQL statements, without special client-side tools. Here is an example of a statement that encrypts an existing plaintext column in place (rotating a column encryption key or changing the column's data type uses the same statement form):
-- Assuming SSN is a plaintext column, the statement below encrypts the data in the column in place.
ALTER TABLE [dbo].[Employees]
ALTER COLUMN [SSN] [char](11)
ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = [CEK1], ENCRYPTION_TYPE = Randomized, ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL
GO
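The same ALTER TABLE ALTER COLUMN form carries out the other in-place operations listed at the top of the post. The statements below are an added example, not from the original post; they assume [SSN] was encrypted under [CEK1] by the statement above and that a second column encryption key named [CEK2] (a hypothetical name) has already been provisioned in the database.

```sql
-- Added example (not from the original post). Assumes [dbo].[Employees].[SSN] is
-- already encrypted under [CEK1] as above and that a second column encryption
-- key [CEK2] (hypothetical name) exists in the database.

-- 1. Rotate the column encryption key: re-encrypt SSN under CEK2 instead of CEK1.
--    Decryption and re-encryption happen inside the enclave on the server, so no
--    client-side tool has to download and re-upload the table.
ALTER TABLE [dbo].[Employees]
ALTER COLUMN [SSN] [char](11)
ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = [CEK2], ENCRYPTION_TYPE = Randomized, ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL;
GO

-- 2. Change the data type of the encrypted column (here widening CHAR(11) to
--    VARCHAR(20)) while keeping it encrypted. The enclave decrypts, converts and
--    re-encrypts the values in place.
ALTER TABLE [dbo].[Employees]
ALTER COLUMN [SSN] [varchar](20)
ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = [CEK2], ENCRYPTION_TYPE = Randomized, ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL;
GO

-- 3. Decrypt the column in place: the same statement without the ENCRYPTED WITH
--    clause turns it back into a plaintext column.
ALTER TABLE [dbo].[Employees]
ALTER COLUMN [SSN] [varchar](20) NOT NULL;
GO
```

Each of these statements requires the enclave to hold the keys involved ([CEK1] and [CEK2] for the rotation), which the client driver issuing the statement provides over the secure channel described earlier; the schema change fails if the keys are not available to the enclave.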
Always Encrypted using enclaves is currently in an early access technology preview. If you have a workload that could benefit from the new capabilities, please sign up for the preview at https://aka.ms/SQLEnclavesPreview and help influence the final shape of this technology in future versions of the SQL platform products and services.
To learn more and see demos of Always Encrypted using enclaves, you can watch the recordings of the Ignite sessions below:
