question

gotqn avatar image
gotqn asked

Alternative of Azure Key Vault for Always Encrypted

I am researching a new encryption option introduce in `SQL Server 2016 CP1`, called always-encrypted. Basically, I need to create a certificate which is stored outside the database and is used to protect the certificates (stored in the database) which are used for encrypting data. If one need to de-crpyte the data, he needs rights to the privet key of the certificate used for protecting the certificates used fro data encryption. There are [two ways][1] of storing the certificates - Local Key Stores and Centralized Key Stores. The centralized is: > serveing applications on multiple computers. An example of a centralized > key store is Azure Key Vault. A centralized key store usually makes > key management easier because you don't need to maintain multiple > copies of your column master keys on multiple machines. You need to > ensure that your applications are configured to connect to the > centralized key store. I have testing the always encrypted feature saving the certificates in the local computer windows certification store: ![enter image description here][2] Can I create the certificates in separated machine (domain controller or something), set the access to private keys there and distribute the certificates to other machines? [1]: https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/create-and-store-column-master-keys-always-encrypted#Anchor_1 [2]: https://i.stack.imgur.com/jH9Qp.png
tsqlsql-server-2016always-ecnryptedencrypted
10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

0 Answers

·

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.