NetLib Encryptionizer for SQL Server and SQL Express: FAQ

 


General

 

What is "server-side" encryption?

This is encryption that takes place at the server machine as opposed to the client machine, as in Encryptionizer DE. With server-side encryption, the encryption drivers only need to reside on the server machine where the database process resides. Encryptionizer for SQL Server and for SQL Express is a server-side encryption tool.


What is the difference between Whole Database Encryption and Column Encryption?

Whole database encryption and column encryption are actually two completely different methods of providing data encryption. Each has its advantages and limitations. For more information, please follow this link: Differences between whole database and column encryption.


Why is whole database encryption faster than column encryption?

It seems counterintuitive. Why would performance when working with a wholly encrypted database be better than performance when working with just a few columns? That is because whole database encryption processing actually takes place between the SQL Server and file system layers. Since whole database encryption works at such a low level, it is very efficient. As a matter of fact, on a multi-processor machine, our clients have noted virtually no impact on performance when working with a wholly encrypted database. Since column encryption works within SQL Server itself, there is some performance impact, reported to be 5-6 percent slower accessing an encrypted column vs. a plaintext one. This performance impact is additive when accessing multiple encrypted columns at one time. As a general rule of thumb, because of the possible performance impact of column encryption, if more than 10 percent of the database needs to be encrypted, whole database encryption is recommended.


How is Encryptionizer different from other encryption tools?

Most encryption security tools are not designed to work with SQL Server or SQL Express. The few that do require a large amount of ongoing administration. Some are considerably more expensive. Generic encryption tools, such as those that encrypt an entire directory or drive, are usually suitable for small standalone systems and require the user to enter a key anytime the directory is accessed. Encryptionizer is designed for high-volume, multi-processor servers and does not require the user to enter or even know the key.


Can I use Encryptionizer to protect a database from the DBA?

In many cases, yes. Ask us how. This is often important to developers distributing an MSSQL Server or SQL Express-based application. They want to ensure that the end user can only access the database through the supplied application, not through Enterprise Manager or Query Analyzer. Just changing the SA password is not enough! The end user can easily foil this. For example, they can: copy the database to a fresh install of SQL Express or SQL Server; or restore the backup to a different instance of SQL Server; or even overwrite your Master database with one from a fresh install of SQL Server or SQL Express.


Who needs to know the encryption key(s)?

Only the person who originally encrypts the database needs to know the key(s). This is usually the DBA or an administrator of some kind. Our "Split Knowledge Protocol" allows you to split a key among two or more people so that no single person knows the entire key. One optional feature allows you to ask Encryptionizer to generate a random key. If you are distributing a SQL Server or SQL Express-based application you can select a key when you build your application, or when your application is installed. Alternatively, you can let the customer choose the key(s).


Where are the data keys stored?

Data keys are stored with a variety of methods, and we are constantly adding new methods. The primary methods are:

  • Keys can be stored in a strongly encrypted file (called a profile) on the local drive.
  • Keys can be stored in a profile on a floppy disk, CD, or USB key. The authorized user must insert the floppy disk, CD, or USB key to start SQL Server. (The disk can be removed once the application starts.)
  • Keys can be stored in a profile on a remote machine (referred to as a proxy location). If the proxy machine is not found, SQL Server cannot be started.
  • Key(s) can be embedded into the application with an API call.
  • A designated person can enter the key manually when SQL Server is started. This is suitable only where an authorized “starter” will always be on hand.

What versions of SQL Server do you support?

See technical specs.


Does Encryptionizer work on clustered servers?

Yes! Encryptionizer for SQL Server works with clustered servers, both active/active and active/passive on Windows 2008, Windows 2003 and Windows 2000 servers. Encryptionizer must be installed independently on each server. The User Guide includes detailed instructions for installation on a cluster.


Can I split keys for added security?

Encryptionizer has a feature whereby two different people can each enter a portion of the key without either being able to see the other's portion.


What documentation is included?

All documentation is included in electronic form. A Getting Started Guide will give you a quick overview to getting Encryptionizer up and running quickly. A more detailed User Guide is provided with detailed explanations of all features available. Programmers using the APIs also have an electronic API reference, sample scripts and sample programs. Developers distributing Encryptionizer bundled with their applications receive instructions for constructing their installation scripts.


What encryption algorithms and key lengths do you use?

See technical specs.


Can I bundle Encryptionizer with my application?

Yes! With the distribution license you can include whole database encryption and/or column encryption in your SQL Server, SQL Express or MSDE application. Use it to protect your own intellectual property, or enable your users to protect the data they enter into your application. We include instructions on how to build the installation scripts. Even if you are distributing Encryptionizer throughout an enterprise, you can create your own customized installation routines.


Can I use Encryptionizer to become compliant with HIPAA, PCI DSS, etc.?

While using Encryptionizer alone will not make you immediately compliant, Encryptionizer can be used as your compliance strategy. NetLib clients use Encryptionizer as part of the overall plan for HIPAA compliance, PCI DSS, and FIPS 140-2.


How is Encryptionizer different from EFS?

We believe that Encryptionizer offers several advantages over EFS. In fact, you will find Encryptionizer useful even if you already have EFS on your server volume. We have included a brief comparison of Encryptionizer and EFS. The three most important differences are that:

  • Encryptionizer supports a wider variety of operating systems and media.
  • Encryptionizer can be bundled and installed with an application.
  • Encryptionizer is an additional layer of security on top of Windows security. So, for example, you can protect files even from a Windows or Network Administrator.

How do I place an order?

We highly recommend that you request an evaluation version before deciding to purchase Encryptionizer. This fully functional evaluation version will allow you to see how quickly Encryptionizer can be deployed as well as ensure that Encryptionizer satisfies your needs. Click here to request an evaluation version.

If you would simply like more information or would like to order Encryptionizer, please visit our Contact Us form.


Whole Database Encryption

 

How do I deploy whole database encryption?

You start by using an included utility to encrypt a SQL Server database with a high-level encryption algorithm such as AES or Triple DES (3DES). Next, you use another utility to secure your installation of MSSQL or SQL Express with the Encryptionizer engine. This allows your installation, and no other, to access your encrypted databases. Encryptionizer decrypts data on the fly, completely transparently, so that SQL Server "thinks" it is using a "normal" database. There is no need to change any applications. What's more, data is never decrypted on the disk, only in the server's RAM for use by SQL.

View a demonstration of NetLib Encryptionizer Whole Database Encryption, where we secure the Northwind Database.


How does whole database encryption work?

Whole Database Encryption encrypts an entire database file. This encrypted database cannot be accessed unless the SQL Server is then secured with the same key. This prevents anyone from being able to steal the database file and view or attach it elsewhere. And it does this simply, with low maintenance and little or no impact on performance.

Take a look at How It Works for more detail.


How does whole database encryption protect backups?

Databases on backup media are as much at risk as databases on the server, if not more so. Of course you use a backup password, but anyone who needs to perform a backup or a restore needs to know the password. In fact, it is probably taped to the backup console! Encryptionizer can automatically encrypt a backup to hard disk, or even directly to tape, as it is being created. This allows an additional layer of encryption, for which the backup operator does not need to know the key. What's more, if someone takes the backup media and tries to restore your database to a different installation of SQL Server, it will appear as an unreadable backup.


Column Encryption

 

How do I deploy column encryption?

Encryptionizer for SQL Server or for SQL Express allows you to achieve column encryption in several ways. The simplest is through the use of our point-and-click user interface called the Column Encryption Manager (Col-E Manager, for short). Your first step is to create the server key. This allows you to choose a strong algorithm such as AES or 3DES and a strong passphrase. Once the server key is set, you can use the Col-E Manager to select the column(s) to encrypt.

View a demonstration of Encryptionizer Column Encryption using the Col-E Manager.

You can also choose to encrypt columns using the included APIs. You can use the APIs to perform encryption and decryption directly within your application.


How does column encryption work?

If using the Col-E Manager, when you select the column(s) to be encrypted, the Col-E Manager will encrypt the column data on disk, and then create views that control access to the encrypted data. INSTEAD OF triggers are also created to ensure that data is written back to the database encrypted. You will use the Manage Permissions function to determine which users will have read access to the encrypted data and which will not. The Col-E Manager has a "transparent encryption" feature that will allow for encryption to be transparent to existing applications in most cases.

If using the APIs directly, user defined functions, stored procedures, and extended stored procedures are all available for incorporation into your application.


Is the encrypted data protected in backups?

Column data that is encrypted is backed up as any other column data would be when SQL databases are backed up. If you need to restore encrypted data to another machine, that machine must be configured with Encryptionizer with the same key profile settings.


How does Col-E protect against frequently repeating values?

When encrypting data in columns, if a column contains the same value repeatedly, that same value will typically be encrypted to the same encrypted value. While someone may not be able to discern what that encrypted value is, they will be able to determine all the records that have that same value. For columns that contain such repeating values, such as salaries ("Who makes the same as me?"), PINs ("Who has the same PIN? I just have to figure out one and I know the rest"), etc., that can be a risk. Col-E has a feature to protect against this risk called Repeating Values Protection (RVP). RVP ensures that each value in a column encrypts to a different encrypted value, thus obscuring the identical values.
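The view plus INSTEAD OF trigger layout described under "How does column encryption work?" and the repeating-value leak described above, as an added example that is not NetLib's code. Assumptions: SQLite stands in for SQL Server, an HMAC keystream stands in for AES/3DES, a per-value random nonce is one way to get distinct ciphertexts (the page does not say how RVP is implemented), and all table, view and function names are hypothetical.

```python
import hashlib, hmac, os, sqlite3

KEY = b"constructed-demo-key"  # constructed sample key, not a real key profile

def _stream(nonce: bytes, n: int) -> bytes:
    # Stand-in keystream: HMAC-SHA256 over nonce||counter (a product would use AES or 3DES).
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(KEY, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]

def enc(text: str, randomized: bool) -> bytes:
    # Fixed nonce reproduces "same value -> same ciphertext"; it exists only to show the leak.
    nonce = os.urandom(12) if randomized else bytes(12)
    data = text.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _stream(nonce, len(data))))

def dec(blob: bytes) -> str:
    nonce, body = blob[:12], blob[12:]
    return bytes(a ^ b for a, b in zip(body, _stream(nonce, len(body)))).decode()

def build(randomized: bool) -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.create_function("enc", 1, lambda t: enc(t, randomized))
    db.create_function("dec", 1, dec)
    db.executescript("""
        CREATE TABLE staff_enc (name TEXT, salary BLOB);       -- ciphertext at rest
        CREATE VIEW staff AS                                   -- what applications query
            SELECT name, dec(salary) AS salary FROM staff_enc;
        CREATE TRIGGER staff_ins INSTEAD OF INSERT ON staff BEGIN
            INSERT INTO staff_enc VALUES (NEW.name, enc(NEW.salary));
        END;
    """)
    rows = [("ann", "52000"), ("bob", "61000"), ("cy", "52000")]  # constructed rows
    db.executemany("INSERT INTO staff VALUES (?, ?)", rows)       # writes go through the view
    return db

def repeated_ciphertexts(db: sqlite3.Connection) -> int:
    # Audit check: how many distinct stored ciphertexts occur in more than one row?
    q = ("SELECT COUNT(*) FROM (SELECT salary FROM staff_enc "
         "GROUP BY salary HAVING COUNT(*) > 1)")
    return db.execute(q).fetchone()[0]

if __name__ == "__main__":
    for mode in (False, True):
        print("randomized" if mode else "deterministic",
              "-> repeated ciphertexts:", repeated_ciphertexts(build(mode)))
```

The same GROUP BY ... HAVING COUNT(*) > 1 query, run against an encrypted column in a real database, is a quick way to confirm that repeated plaintext values are not visible in the stored data.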

 
NetLib is a subsidiary of Communication Horizons © 2011 Communication Horizons LLC.