SQLblog.com - The SQL Server blog spot on the web

Denis Gobo

How Is Your Sensitive Data Encrypted In The Database?

Do you store encrypted data? If you do, how is it encrypted? Do you use the built-in capabilities of SQL Server 2005/2008? If you answered yes to the last question, then here is another question: what would happen if someone stole the hard drive, or even the whole database server? Could they decrypt that data easily with the stored procedures you have written? Do those stored procedures use the DecryptByPassphrase function with the passphrase embedded in the procedure text?

So you probably think that I am crazy and no one would ever steal a database server. Wrong! C I Host, a Chicago-based co-location facility, has been robbed 4 times since 2005. One company lost 20 servers in the latest heist. You can read more details about that here: http://www.theregister.co.uk/2007/11/02/chicaco_datacenter_breaches/

Without going into too much detail, this is what we are doing. Our data is encrypted by a corporate crypto tool which can only be accessed from within the DMZ. Keys are created for specific machines, and these keys can easily be revoked at any time. Even if you somehow stole our web and database servers, you would still be out of luck because of that. The data is encrypted by the tool and stored encrypted in the DB; the database itself never holds a key.
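To make the contrast concrete, here is a constructed T-SQL illustration (added here; it is not code from the post or from the author's system): a procedure that embeds the passphrase, an audit query that finds such modules, and the shape the table and procedure take when the key never enters the database. The table, column and procedure names and the sample passphrase are assumptions.

```sql
-- Constructed example. 1. Weak: the passphrase lives inside the procedure
--    text, so whoever holds the .mdf/.ldf files or a backup has both the
--    ciphertext and the key needed to read it.
CREATE TABLE dbo.Customer (
    CustomerId INT IDENTITY PRIMARY KEY,
    SsnEnc     VARBINARY(256) NOT NULL   -- ciphertext, never plaintext
);
GO
CREATE PROCEDURE dbo.GetCustomerSsn_Weak @CustomerId INT
AS
    SELECT CONVERT(VARCHAR(11),
           DecryptByPassPhrase('placeholder-passphrase', SsnEnc)) AS Ssn
    FROM dbo.Customer
    WHERE CustomerId = @CustomerId;
GO

-- 2. Audit: list every user module whose text calls the passphrase
--    functions. A NULL definition means the module was created WITH
--    ENCRYPTION; treat that as a finding to inspect, not as protection,
--    since that obfuscation is reversible with freely available tools.
SELECT SCHEMA_NAME(o.schema_id) + '.' + o.name AS module_name,
       CASE WHEN m.definition IS NULL
            THEN 'encrypted module - inspect manually'
            ELSE 'embeds passphrase call' END     AS finding
FROM sys.sql_modules AS m
JOIN sys.objects     AS o ON o.object_id = m.object_id
WHERE m.definition IS NULL
   OR m.definition LIKE '%DecryptByPassPhrase%'
   OR m.definition LIKE '%EncryptByPassPhrase%';
GO

-- 3. Hardened: the application tier encrypts with a key it obtained from
--    the separate crypto service, and the database stores the result as an
--    opaque blob. The procedure only moves bytes; there is no key here to
--    steal, and revoking the machine key makes the stored bytes useless.
CREATE PROCEDURE dbo.GetCustomerSsn @CustomerId INT
AS
    SELECT SsnEnc
    FROM dbo.Customer
    WHERE CustomerId = @CustomerId;
GO
```

Run the audit query against each database on a schedule; any hit outside an approved list means a stolen backup would carry its own decryption key.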


Identity theft will cost you in the future.

The Identity Theft Enforcement and Restitution Act of 2007 has been introduced and was scheduled for debate on November 1st; the Senate and the House still have to vote on it. This is a bill to amend title 18, United States Code, to enable increased federal prosecution of identity theft crimes and to allow for restitution to victims of identity theft.


Follow the developments here:

S. 2168: Identity Theft Enforcement and Restitution Act of 2007

Published Tuesday, November 13, 2007 11:28 AM by Denis Gobo


Comments


Leonid Shirmanov said:

Hi,

It's really great that you mentioned the problem of stealing the entire server box, especially today, when some companies are starting to adopt the SaaS ideology as a trend for hosting companies. I've realized that my data, even if it is not itself the target of a robbery, can be stolen just because it's in the same database as the others'.

Could you please go into some more detail on how your data encryption is implemented with your corporate crypto tool? Is this just a distributed transaction to the crypto tool, passing plain data and receiving encrypted data before putting it into tables? Can this work as encryption by a linked SQL Server?

Thanks!

November 14, 2007 6:55 PM

Denis Gobo said:

Leonid,

>>Is this just a distributed transaction to the crypto tool, passing plain data and receiving encrypted data before putting it into tables? Can this work as encryption by a linked SQL Server?

SQL cannot access the crypto tool and vice versa; there are 2 firewalls and a DMZ between them. There are application servers talking to the crypto server and to SQL; these servers take data from SQL, decrypt it and pass it to the web servers (all HTTPS, of course).

The crypto tool is written internally; I am calling it a crypto tool because I don't know what else to call it. There is no ad-hoc/inline SQL involved either; it is all done with stored procedures.

November 15, 2007 8:02 AM

Denis Gobo said:

Remember the How Is Your Sensitive Data Encrypted In The Database? post I wrote a while back? A colleague

January 4, 2008 12:38 PM

John Samuel Dockghin said:

I found this software to decrypt stored procedures, views and functions in SQL, and it works fine.

http://www.download.com/SQL-DeCryptor/3000-2065_4-10742925.html?tag=rtcol;reldl&cdlPid=10857235

November 22, 2008 4:03 PM


About Denis Gobo

I was born in Croatia in 1970; when I was one I moved to Amsterdam (and yes, Ajax is THE team in Holland), and finally in 1993 I came to the US. I have lived in New York City for a bunch of years and currently live in Princeton, New Jersey with my wife and 3 kids. I work for Dow Jones as a database architect in the indexes department. One drawback: since our data goes back all the way to May 1896, I cannot use smalldates ;-( I have been working with SQL Server since version 6.5, and compared to all the other bloggers here I am a n00b. Some of you might know me from http://sqlservercode.blogspot.com/ or even from some of the newsgroups, where I go by the name Denis the SQL Menace. If you are a Tek-Tips user then you might know me by the name SQLDenis; I am one of the guys answering SQL questions in the SQL Programming forum.
