Encryption for SQL Server and MSDE: FAQ
General
What is "server-side" encryption?
This is encryption that takes place at the server machine as
opposed to the client machine, as in Encryptionizer DE. With server-side encryption, the encryption
drivers only need to reside on the server machine where the database process resides. Encryptionizer
for SQL Server and for MSDE is a server-side encryption tool.
What is the difference between Whole Database Encryption and Column Encryption?
Whole database encryption and column encryption are actually two completely different methods
of providing data encryption. Each has its advantages and limitations. For more information, please
follow this link: Differences between whole database and column encryption.
Why is whole database encryption faster than column encryption?
It seems counterintuitive. Why would performance when working with a wholly encrypted database be
better than performance when working with just a few columns? That is because whole database encryption processing
actually takes place between the SQL Server and file system layers. Since whole database encryption
works at such a low level, it is very efficient. As a matter of fact, on a multi-processor machine, our
clients have noted virtually no impact on performance when working with a wholly encrypted database. Since
column encryption works within SQL Server
itself, there is some performance impact, reported to be 5-6 percent slower accessing an encrypted column
vs. a plaintext one. This performance impact is additive when accessing multiple encrypted columns at
one time. As a general rule of thumb, because of the possible performance impact of column encryption, if more
than 10 percent of the database needs to be encrypted, whole database encryption is recommended.
How is Encryptionizer different from other encryption
tools?
Most encryption security tools are not designed to work with SQLServer or MSDE. The few that do require a
large amount of ongoing administration. Some
are considerably more expensive. Generic encryption tools, such as those that
encrypt an entire directory or drive, are usually suitable for small
standalone systems and require the user to enter a key anytime the directory
is accessed. Encryptionizer is designed for high-volume, multi-processor
servers and does not require the user to enter or even know the key.
Can I use Encryptionizer to protect a database from the DBA?
In many cases, yes. Ask us how. This is often important to developers distributing an
MSSQL- or MSDE-based application. They want to ensure that the end user can
only access the database through the supplied application, not through
Enterprise Manager or Query Analyzer. Just changing the SA password is not enough! The end user can easily foil this. For example, they can: copy the
database to a fresh install of MSDE or SQL Server; or restore the backup to a
different instance of SQL Server; or even overwrite your Master database with
one from a fresh install of SQL Server or MSDE.
Who needs to know the encryption key(s)?
Only the person who originally encrypts the database needs
to know the key(s). This is usually the DBA or an administrator of some
kind. Our "Secret Sharing Protocol" allows you to split a key among
two or more people so that no single person knows the entire key. One optional
feature allows you to ask Encryptionizer to generate a random key. If you are
distributing a SQL Server or MSDE-based application you can select a key when
you build your application, or when your application is installed.
Alternatively, you can let the customer choose the key(s).
Where are the data keys stored?
Data keys are stored with a variety of methods, and we are constantly adding new methods. The
primary methods are:
- Keys can be stored in a strongly encrypted file (called a profile) on the local drive.
- Keys can be stored in a profile on a floppy disk, CD, or USB key. The authorized user must insert the
floppy disk, CD, or USB key to start SQL Server. (The disk can be removed once the
application starts).
- Keys can be stored in a profile on a remote machine (referred to as a proxy location). If the
proxy machine is not found, SQL Server cannot be started.
- Key(s) can be embedded into the application with an API call.
- A designated person can enter the key manually when SQL Server is started. This is suitable
only where an authorized “starter” will always be on hand.
- Some of the new methods we are working on for clients are PKI and Dongle.
What versions of SQL Server and MSDE do you support?
See technical specs.
Does Encryptionizer work on clustered servers?
Yes! Encryptionizer for SQL Server works with clustered servers,
both active/active and active/passive on Windows 2003, Windows 2000 and Windows NT
servers. Encryptionizer must be installed independently on each server. The
User Guide includes detailed instructions for installation on
a cluster. Encryptionizer for MSDE does not support clusters.
Can I split keys for added security?
Encryptionizer has a feature whereby two different people are each able to enter a portion of the key
without either being able to see the other portion.
What documentation is included?
All documentation is included in electronic form. A Getting Started Guide will
give you a quick overview to getting Encryptionizer up and running quickly. A more
detailed User Guide is provided with detailed explanations of all features available.
Programmers using the APIs also have an
electronic API reference, sample scripts and sample programs. Developers
distributing Encryptionizer with their applications receive instructions
for constructing their installation scripts.
What encryption algorithms and key lengths do you use?
See technical specs.
Can I bundle Encryptionizer with my application?
Yes! With the distribution license you can include whole database
encryption and/or
column encryption in your SQL Server or MSDE application. Use it to
protect your own intellectual property, or enable your users to protect the
data they enter into your application. We include instructions on how to build
the installation scripts. Even if you are distributing Encryptionizer
throughout an enterprise, you can create your own customized installation
routines.
Can I use Encryptionizer to become compliant with HIPAA, CISP, GLBA, etc?
If you are a credit card merchant looking to come into compliance with CISP
(Visa), you can use Encryptionizer to quickly
and easily come into compliance with VISA CISP
requirement #3 (Encrypt credit card numbers on disk). CISP stands for
"Creditcard Information Security Program," a series of security
requirements specified by VISA for their merchants. While this document
specifically addresses CISP, it is relevant if you are trying to come into
compliance with many other current and coming guidelines such as HIPAA, GLBA,
and SDP.
How is Encryptionizer different from EFS?
We believe that Encryptionizer offers several advantages
over EFS. In fact, you will find Encryptionizer useful even if you already
have EFS on your server volume. We have included a brief comparison of Encryptionizer and EFS. The three
most important differences are that:
- Encryptionizer supports a
wider variety of operating systems and media.
- Encryptionizer
can be bundled and installed with an application.
- Encryptionizer is an additional layer of security on top of Windows
security. So, for example, you can protect files even from a
Windows or Network Administrator.
What does Encryptionizer cost?
The price of NetLib Encryptionizer for SQL Server depends on the SQL Server
product you are running (SQL Standard, SQL Enterprise, SQL MSDE) and whether you
are looking for whole database encryption or column level encryption. For the Encryptionizer
for SQL product, pricing will also be determined by the number of processors in the server.
Pricing for Encryptionizer can be found in the following PDF link: Encryptionizer Pricing
Please contact us for additional pricing information if you have multiple SQL servers, a larger number
of workstations on which you want to install Encryptionizer for MSDE, or you
are a developer who wishes to protect data in your distributed application
(or your application itself) using Encryptionizer.
How do I place an order?
We highly recommend that you request an evaluation version before deciding to purchase
Encryptionizer. This fully functional evaluation version will allow you to see how quickly
Encryptionizer can be deployed as well as ensure that Encryptionizer satisfies your needs. Click here to request an evaluation version.
If you would simply
like more information or would like to order Encryptionizer, please visit our "Contact Us" form.
Whole Database Encryption
How do I deploy whole database encryption?
You start by using an included utility to encrypt a SQLServer database with a high level Encryption algorithm such as Triple DES. Next, you use another utility to
secure your installation of MSSQL or MSDE with the Encryptionizer
engine. This allows your installation, and no other, to access
your encrypted databases. Encryptionizer decrypts data on-the-fly completely transparently so that SQLServer "thinks" it is using a "normal" database. There is
no need to change any applications. What's more, data is never decrypted on
the disk, only in the server's RAM.
View a demonstration of NetLib Encryptionizer Whole Database Encryption, where we secure the Northwind Database.
How does whole database Encryption work?
Whole Database Encryption encrypts an entire database file. This encrypted database cannot be
accessed unless the SQL server is then secured with the same key. This prevents anyone from being
able to steal the database file and view or attach it elsewhere. And it does this simply,
with low maintenance and little or no impact on performance.
Take a look at How It Works for more detail.
How does whole database encryption protect backups?
Databases on backup media are as much at risk as databases on the server,
if not more so. Of course you use a backup password,
but anyone that needs to perform a backup or a restore needs to know the
password. In fact, it is probably taped to the backup console!
Encryptionizer can automatically encrypt a backup to hard disk, or even directly to tape, as it is being created. This
allows an additional layer of encryption, which the
backup operator does not need to know the key for. What's more, if
someone takes the backup media and tries to restore your database to a
different installation of SQL Server, it will appear as an unreadable backup.
Column Encryption
How do I deploy column encryption?
Encryptionizer for SQL Server or for MSDE allows you to achieve column encryption in several ways.
The simplest is through the use of our point-and-click user interface called the Column Encryption
Manager (Col-E Manager, for short). Your first step is to create the server key. This allows you
to choose a strong algorithm such as AES or 3DES and a strong passphrase. Once the server key is set,
you can use the Col-E Manager to select the column(s) to encrypt.
View a demonstration of Encryptionizer Column Encryption using the Col-E Manager.
You can also choose to encrypt columns using the included APIs. You can use the APIs to perform encryption/decryption activities directly within your application.
How does column encryption work?
If using the Col-E Manager, when you select the column(s) to be encrypted, the Col-E manager will encrypt the column data
on disk, and then create views that control access to the encrypted
data. INSTEAD OF triggers are also created to ensure that data is written as encrypted back to the
database. You will use the Manage Permissions function to determine which users will have read access
to the encrypted data and which will not. The Col-E Manager has a "transparent encryption" feature
that will allow for encryption to be transparent to existing applications in most cases.
If using the APIs directly, user defined functions, stored procedures, and extended stored procedures
are all available for incorporation into your application.
Is the encrypted data protected in backups?
Column data that is encrypted is backed up as any other column data would be when SQL databases are
backed up. If you need to restore encrypted data to another machine, that machine
must be configured with Encryptionizer with the same key profile settings.
How does Col-E protect against frequently repeating values?
When encrypting data in columns, if a column contains the same value repetitively, that
same value will typically be encrypted to the same encrypted value. While someone may
not be able to discern what that encrypted value is, they will be able to determine all
the records that have that same value. For columns that contain such repeating values, such
as salaries ("Who makes the same as me?"), PINs ("Who has the same PIN? I just have to figure
out one and I know the rest"), etc., that can be a risk. Col-E has a feature to protect against
this risk called Repeating Values Protection (RVP). RVP ensures that each value in a column
encrypts to a different encrypted value, thus obscuring the identical values.
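The repeating-values risk described above can be checked on any encrypted column by counting identical ciphertexts. The following is an added example, not NetLib's code and not a description of how RVP is implemented: the HMAC-based keystream is a stand-in cipher chosen so the sketch runs with the standard library alone, and the key, function names and salary values are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

KEY = b"constructed-demo-key"  # constructed sample key, illustration only
NONCE_LEN = 16

def _keystream(nonce: bytes, length: int) -> bytes:
    # Stand-in cipher: HMAC-SHA256 in counter mode (not AES/3DES, not the product's code).
    blocks = (length + 31) // 32
    stream = b"".join(
        hmac.new(KEY, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(blocks)
    )
    return stream[:length]

def encrypt_value(plaintext: bytes, randomized: bool) -> bytes:
    if randomized:
        nonce = os.urandom(NONCE_LEN)  # fresh per value: repeats encrypt differently
    else:
        # Deterministic: nonce derived from the plaintext, so equal values collide.
        nonce = hmac.new(KEY, b"siv" + plaintext, hashlib.sha256).digest()[:NONCE_LEN]
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(nonce, len(plaintext))))
    return nonce + body

def decrypt_value(blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(body, _keystream(nonce, len(body))))

def repeat_groups(ciphertexts):
    # Sizes of groups of identical ciphertexts: what a reader of the raw
    # column learns about repeated values without holding the key.
    return sorted(n for n in Counter(ciphertexts).values() if n > 1)

# Constructed sample column (salaries).
SALARIES = [b"52000", b"61000", b"52000", b"75000", b"52000", b"61000"]

def audit(randomized: bool):
    column = [encrypt_value(v, randomized) for v in SALARIES]
    assert [decrypt_value(c) for c in column] == SALARIES  # both modes decrypt correctly
    return repeat_groups(column)

if __name__ == "__main__":
    print("deterministic:", audit(False))
    print("randomized:   ", audit(True))
```

In general, once each value encrypts differently, an exact-match comparison against the stored ciphertext no longer finds equal values, so lookups on such a column have to go through decryption.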