Microsoft SQL Server 2016 Always Encrypted · Page 6 of 52 Microsoft SQL Server 2016 Always...

Microsoft SQL Server 2016 AlwaysEncryptedIntegration Guide

Version: 0.3

Date: Friday, December 20, 2019

Copyright 2019 nCipher Security Limited. All rights reserved.

Copyright in this document is the property of nCipher Security Limited. It is not to be reproduced,modified, adapted, published, translated in any material form (including storage in any medium byelectronic means whether or not transiently or incidentally) in whole or in part nor disclosed to any thirdparty without the prior written permission of nCipher Security Limited neither shall it be used otherwisethan for the purpose for which it is supplied.

Words and logos marked with ® or ™ are trademarks of nCipher Security Limited or its affiliates in the EUand other countries.

Mac and OS X are trademarks of Apple Inc., registered in the U.S. and other countries.

Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in theUnited States and/or other countries.

Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.

Information in this document is subject to change without notice.

nCipher Security Limited makes no warranty of any kind with regard to this information, including, but notlimited to, the implied warranties of merchantability and fitness for a particular purpose. nCipher SecurityLimited shall not be liable for errors contained herein or for incidental or consequential damagesconcerned with the furnishing, performance or use of this material.

Where translations have been made in this document English is the canonical language.

of 52 Microsoft SQL Server 2016 Always Encrypted - Integration Guide

Contents

1 Introduction 5

1.1 Always Encrypted Integration using Operator Cards and/or Module protection 6

1.2 Requirements 6

1.3 Using multiple on-premises client servers 7

1.4 Database Permissions 7

1.5 Security World options when using Always Encrypted 8

1.5.1 Contacting nCipher support 9

2 Installation and configuration 10

2.1 Configuring nShield Hardware Security Modules for use with Always Encrypted 10

2.2 Install and register the CNG provider 10

3 Always Encrypted Using SMSS 19

3.1 Creating the Always Encrypted Column Master Key using the nCipher KSP 19

3.2 Enable Always Ecrypted 25

3.3 Removing column encryption 31

4 Always Encrypted using PowerShell: without Role Separation 35

4.1 Install and Configure SqlServer PowerShell module 35

4.2 Install the nCipher CNG provider 36

4.3 Creating the Always Encrypted Column Master Key using the nCipher KS 36

4.4 Creating the Column Encryption Key 37

4.5 Encrypting Columns with the Column Encryption Key 37

4.6 Remove Always Encrypted Column Encryption 38

4.7 Query the encrypted columns 38

5 Always Encrypted using PowerShell: with Role Separation 40

5.1 Install and Configure SqlServer PowerShell module 40

5.2 Creating the Always Encrypted Column Master Key using the nCipher KSP 41

5.2.1 Duty Role: Security Administrator 41

5.2.2 Duty Role: Data Base Administrator 43

5.2.2.1 Duty Role: Security Administrator 46

5.2.3 Encrypt Columns using SSMS 46

5.2.4 Encrypt Columns using PowerShell 46

5.2.5 Remove Always Encrypted Column Encryption 47

Microsoft SQL Server 2016 Always Encrypted - Integration Guide of 52

5.2.6 Query the encrypted columns 48

6 Glossary of PowerShell SqlServer CMDlets 49

Contact Us 51

Europe, Middle East, and Africa 51

Americas 51

Asia Pacific 51


1 Introduction

1 IntroductionAlways Encrypted is a feature in Windows SQL Server 2016 designed to protect sensitive data both atrest and in flight between an on-premises client application server and Azure or SQL Server database(s).

Data protected by Always Encrypted remains in an encrypted state until it has reached the on–premisesclient application server, this effectively mitigates man in the middle attacks and provides assurancesagainst unauthorized activity from rogue DBAs or admins with access to Azure/SQL server Databases.Always Encrypted was designed to be used in conjunction with Transparent Data Encryption (TDE)however; TDE is NOT a requisite for implementing Always Encrypted.

Configuring Always Encrypted involves creating and provisioning cryptographic keys, specifically:

l One or more Column Encryption Key(s) (CEK) - the CEK is responsible for encrypting the databasecolumn data and is a symmetric AES key of size 256 bits

l A Column Master Key (CMK) – the CMK is protected by the HSM and is responsible for wrapping(encrypting) the CEK and is an asymmetric RSA encryption key of size 2048 bits.

The table below shows current support for the different data operations

Task SSMS PowerShell T-SQL

Provisioning column master keys, column encryption keys and encryp-ted column encryption keys with their corresponding column masterkeys

Yes Yes No

Creating key metadata in the database Yes Yes Yes

Creating new tables with encrypted columns Yes Yes Yes

Encrypting existing data in selected database columns Yes Yes No

The Column Master Key is generated using the nCipher CNG provider via the HSM and the key(s) storedin an encrypted state on the on-premises client application server in the%NFAST_KMDATA%\local folder.

It is recommended that the server configured with Always Encrypted be located on a differentserver than that on which the database resides.

Always Encrypted supports two named types of encryption, Deterministic and Randomized.

l Deterministic encryption means that the same encrypted value will be produced from the sameplaintext value each time encryption occurs, this allows for point lookups, equality joins, groupingand indexing on encrypted columns. However, this has implications on the security of the data as itpotentially allows an attacker to guess the plaintext from the recurring cipher text throughemerging patterns within the encrypted columns. Deterministic encryption should not really beused where a small set of values are presented, e.g. True/False, Yes/No etc.

l Randomized encryption is more secure, as it produces different cipher text values from the sameplaintext every time the data is encrypted, eliminating the predictable aspects associated with


1 Introduction

deterministic encryption, however, this also removes the ability to perform any search operationson the encrypted data in situ.

1.1 Always Encrypted Integration using Operator Cards and/orModule protectionIn order to cover both methods of protection currently available using CNG and nCipher HSMs, the guideperforms Always Encrypted configuration using both Operator Card Sets (OCS) and Module protectionfor the CMK. OCS protection (OCS are physical tokens in the form of a quorum of smart cards) is coveredin Always Encrypted Using SMSS on page 19 whereas module protection is covered in Always Encryptedusing PowerShell: without Role Separation on page 35 and Always Encrypted using PowerShell: withRole Separation on page 40.

Module protection utilises an AES 256 bit symmetric key with 128 bit security secured by the SecurityWorld Module key which is stored in the HSM hardware FIPS 140-2 level 3 boundary.

1.2 RequirementsThis integration guide provides a step by step account detailing the configuration of the SQL server 2016Always Encrypted feature. The guide covers the configuration of Always Encrypted by reference to boththe Microsoft Always Encrypted wizard GUI accessed via the SSMS and Microsoft PowerShell ISE forprovisioning the required cryptographic key(s).

The integration was performed and tested using the following configuration:

l Microsoft Windows 2016 Hosting SQL Server 2016 Database

l Microsoft Windows 2016 for On-Premise client sever

l NET Framework 4.6.1

l SQL Server Management Studio 17.x (SSMS)

l PowerShellGet 1.1.3.1

l PowerShell version 5.1 (Desktop)

l nShield HSM with Security World software 12.40

l nShield Hardware Security module (nShield Solo+, nShield Connect+, nShield Solo XC).

You must have at least .NET Framework 4.6.1 on the on-premises client server before installing SQLServer Management Studio (SSMS). The download for .NET framework 4.6.1 can be obtained fromhttps://www.microsoft.com/en-us/download/details.aspx?id=49982.

The Always Encrypted integration process requires administrator level access to both the on-premisesclient server and target database server for initial configuration of the CMK and CEK, thereafter ColumnEncryption is performed entirely via the Client Application server


https://www.microsoft.com/en-us/download/details.aspx?id=49982

1.3 Using multiple on-premises client servers

1.3 Using multiple on-premises client serversIn order for multiple on-premises client application servers to share and decrypt database columnsencrypted with HSM assisted Always Encrypted, there is a requirement that each client server wantingaccess to the contents of data encrypted with a given CEK protected by a specific CMK that the servermust have access to an HSM in the same Security World and have a copy of the CMK Application keytoken stored on its local drive in C:\ProgramData\nCipher\Key Management Data\local (%NFAST_LOCAL%).

By defaultC:\ProgramData is a hidden folder. To view this folder open an explorer window go to the Viewtab and tick the check box named Hidden items.

For more information about:

l Configuring an nShield HSM, see the Installation Guide for your HSM available on the DVDsupplied with the HSM

l Security World Configuration, see the appropriate User Guide for your HSM.

1.4 Database PermissionsThere are four permissions required for Always Encrypted:

Operation Description

ALTER ANY COLUMN MASTER KEY Required to create and delete a column master key

ALTER ANY COLUMN ENCRYPTIONKEY

Required to create and delete a column encryption key

VIEW ANY COLUMN MASTER KEY Required to access and read the metadata of the column mas-ter keys to manage keys or query encrypted columns

VIEW ANY COLUMN ENCRYPTIONKEY

Required to access and read the metadata of the columnencryption key to manage keys or query encrypted columns


1 Introduction

Figure 1.1 Always Encrypted example using HSM to protect CMK

The nShield Security World Software must be installed onto the on-premises client application server(s)utilizing the SQL Server 2016 Always Encrypted feature.

If you are running TDE with nShield HSMs the same Security World can be used or if preferredan entirely different Security World can be implemented. If you prefer to use a differentSecurity World you will need further HSMs as the nShield HSM can only host a single SecurityWorld instance at any one time.

1.5 Security World options when using Always EncryptedAlways Encrypted uses the nCipher CNG provider; there are certain restrictions on the use of thisprovider concerning methods of authentication and operations that are available. The table below showsthe restrictions on HSM key protection types available when using the nCipher CNG provider.

Security World Type Protection type Supported Works in Pool mode

FIPS 140-2 level2 Module Yes Yes

Softcard No No

Operator Card Set 1/n Yes No

Operator Card Set k/n Yes No

Supported key protection methods for nCipher CNG provider


1.5.1 Contacting nCipher support

1.5.1 Contacting nCipher support

To obtain support for your product, visit https://www.ncipher.com/support.


https://www.ncipher.com/support

2 Installation and configuration

2 Installation and configurationRefer to the Introduction on page 5 for information about supported platforms and environments.

2.1 Configuring nShield Hardware Security Modules for usewith Always EncryptedEnsure that the nShield Security World software is installed on the on-premises client server(s) utilizingthe Always Encrypted feature

2.2 Install and register the CNG providerTo install and configure the CNG provider, proceed as follows.

1. Once the Security World Software has been installed you must run the CNG install wizard to installand register the nCipher Key Storage Provider (KSP). This can be performed through the CNGinstall wizard that can be found in the Apps By name screen on the Desktop.

2. Click the Start button and then click on to access all applications. Look for the recentlyinstalled nCipher utilities.

3. Double click the CNG configuration wizard (Install and register nShield provider on page 10).

If the User Access Control prompt pops up click YES to continue.

Figure 2.1 Install and register nShield provider



4. Click Next on the CNG Install welcome screen (CNG Install Welcome screen on page 11).

Figure 2.2 CNG Install Welcome screen

5. Click Next on the Enable HSM Pool Mode screen. Leave the Enable HSM Pool Mode forCNG providers check box unticked (Select to enable / disable Pool Mode on page 11).

Figure 2.3 Select to enable / disable Pool Mode

6. At the Security World screen, select:

l Use the existing security world if you already have a Security World that you intend to usefor Always Encrypted. If you are using an existing Security World you must have the Worldfile in the %NFAST_KMDATA%\local folder. Be prepared to present the quorum ofAdministrator cards.

l Create a new Security World if you do not currently have a Security World or would like tocreate a new Security World.


2.2 Install and register the CNG provider

For the purposes of this integration guide we have chosen to use an existing SecurityWorld. If you are creating a new Security World please refer to the nShielddocumentation for details on creating and configuring a new Security World.

Click Next.

7. At the Set Module States screen, make sure that the Set Module States show the availablemodules as (Set Module States on page 12):

l Mode = initialisation

l State = (pre)- initialisation

Click Next.

Figure 2.4 Set Module States

8. At the Module Programming Options screen, leave the Enable this module as a remote targetun-checked and click Next (Optional setting to enable module for remote shares on page 13).

Please be aware that this is not to be confused with the nShield Remote Administrationutility.



Figure 2.5 Optional setting to enable module for remote shares

9. At the the Insert Next Card screen, insert an Administrator Card in Module 1, enter the pass phaseand click Next (Present ACS card when prompted on page 13).

Figure 2.6 Present ACS card when prompted

10. When the ACS quorum has been presented, and the Security World loaded/created, return theHSM to Operational mode.

For details on Remote Administration setup and configuration, refer to the nShieldDocumentation on the DVD that came with your nCipher HSM.



11. On the Key Protection Setup screen (Set Key Protection on page 14):

a. Select Operator Card Set protection

b. Enter a name for your card set

c. Make sure Always use the wizard when creating or importing keys is de-selected

d. Enter the card set name (this field is mandatory)

e. Enter the required K of N value (consult your security policy document for details on correctvalues to enter here)

f. Carefully consider which of the optional values to set for the OCS, see table below for furtherdetails.

By default the OCS is created as non-persistent.

Click Next.

Figure 2.7 Set Key Protection

Term Definition

Card set name Card set name must be supplied, unlike naming of individual cardswhich is optional.

Number of cards required This relates to K of N where the value [K] = the necessary number ofcards required to complete authentication (the quorum) and [N] =the total number of cards available. The value for K should be lessthan N. We do not recommend creating card sets in which K is equalto N because an error on one card would render the whole card setunusable.



Term Definition

Card set has a time-out This allows a specified period of time, in seconds, where keysprotected by any given OCS remain loaded in the HSM for use byyour application. Once the time period has expired, all keys loadedunder the OCS will be forcibly removed from the HSM such that theyare no longer available. Time-outs operate independently of OCSpersistence

Persistent Keys protected by a persistent card set can be used for as long asthe application that loaded the OCS remains connected to thehardware security device (unless that application removes thekeys). A key protected with a persistent OCS card does not needthe card to be present in the slot once the key is loaded.

Non-persistent Keys protected by a non-persistent card set can only be used whilethe last required card of the quorum remains loaded in the smartcard reader of the nCipher hardware security device. The keysprotected by this card are removed from the memory of the deviceas soon as the card is removed from the smart card reader.

Usable remotely The Remote Operator feature enables the contents of a smart cardinserted into the slot of one module (the attended module, such as aclient module) to be securely transmitted and loaded onto anothermodule (an unattended module, such as the nShield Connect). Thisis useful when you need to load an OCS-protected key onto amachine to which you do not have physical access (because, forexample, it is in a secure area). This feature is deprecated in favourof Remote Administration which was launched with version 12.00 ofthe nShield Security World software.

Recoverable PP The option allows the recovery of a lost or forgotten pass phrase.For further details on recovery operations and Security Worldsettings please refer to the HSM documentation supplied on theSecurity World CD.

12. On the Insert Next Card screen enter a name to for the first OCS card (Writing the Operator CardSet on page 16).If required select Card Requires a pass phase and enter a pass phrase and confirm the passphrase.

Repeat this set up for each OCS card.



You must have the N value of cards (where N is the total number of cards in the set)available for this operation before you commence. Insert a card into the attached HSMcard reader or the TVD (Trusted Verification Device) if you are using the RemoteAdministration feature, when you are prompted to do so.

If you are using Remote Administration you may need to select the Back button andthen return using Next button to the ESN confirmation screen. Select OK on the TVD tocontinue creating the OCS.

You do not have to give individual cards names. Similarly, you do not have to give thecards a pass phase, but enter one if appropriate for your security policy.

Click Next.

Figure 2.8 Writing the Operator Card Set

13. The nCipher nCipher CNG providers will now be installed and the key Storage Provider will beregistered (Register CNG Providers on page 18). To confirm that the KSP has been successfullyregistered open either a Command Line Interface or PowerShell (right click and Run asAdministrator) and run the following command:

>cnglist.exe --list-providers

You should see the nCipher Security World key Storage Provider listed.

PS C:\WINDOWS\system32> cnglist.exe --list-providers

Microsoft Key Protection Provider



Microsoft Passport Key Storage Provider

Microsoft Platform Crypto Provider

Microsoft Primitive Provider

Microsoft Smart Card Key Storage Provider

Microsoft Software Key Storage Provider

Microsoft SSL Protocol Provider

Windows Client Key Protection Provider

nCipher Primitive Provider

nCipher Security World Key Storage Provider

PS C:\WINDOWS\system32>

You will find the provider in the registry at (CNG Registry provider path on page 18):

HKEY_LOCAL_

MACHINE\SYSTEM\ControlSet001\Control\Cryptography\Providers\nCipherSecurityWorldKeyStorageProvider



Figure 2.9 Register CNG Providers

Figure 2.10 CNG Registry provider path


3 Always Encrypted Using SMSS


3.1 Creating the Always Encrypted Column Master Key usingthe nCipher KSPOnce you have successfully installed the nCipher CNG Key Storage Provider you can begin to configureAlways Encrypted as follows:

1. From the Apps by name desktop environment, select Microsoft SQL Server ManagementStudio and connect to the desired database.

Once connected to the database the first thing you will need to do is create a ColumnMaster Key. This key will encrypt all subsequent Column Encryption keys (CEKs).

2. Using Object Explorer, select the Security directory under the desired Database, this can be seenas TestDatabase (New CMK on page 19).Click to expand Always Encrypted Keys.

Figure 3.1 New CMK

3. Select: <Your_database > Security > Always Encrypted Keys > Column Master Keys.



4. Right click on Column Master Keys and select New Column Master Key…. The New ColumnMaster Key screen will open (Generate new CMK on page 20).

Figure 3.2 Generate new CMK

5. In the Name field, enter a meaningful name for the CMK, e.g. MyCMK.

6. From the drop down list select Key Storage Provider (CNG). This will then present the option toSelect a provider.

a. Select nCipher Security World Key Storage Provider from the drop down list

b. Click Generate Key to create a new CMK using the nShield HSM and CNG KSP.

7. If the nCipher Security World Key Storage Provider is not visible you will need to make sure thatyou have correctly installed and registered the nCipher Key Storage Provider.

8. Click Next on the nCipher Key Storage Provider – Create key screen (nCipher KSP - Create Keyon page 21).


3.1 Creating the Always Encrypted Column Master Key using the nCipher KSP

Figure 3.3 nCipher KSP - Create Key

9. On the Select a method to protect new key screen, select the appropriate method for yoursecurity policy, either Module protection or Operator Card Set protection.Click Next.

Figure 3.4 Select a method to protect new key

10. The Select operator card set to protect the key with screen will prompt you to select whichOCS to use for the CMK. If you have multiple OCS all currently available OCS will be listed in theleft hand field Select card set by name on page 22.Select the OCS that you want to use and click Finish.



Figure 3.5 Select card set by name

11. Enter the pass-phrase for the selected OCS, if one exists, and confirm that card reading completedsuccessfully on the next two screens (Enter password on page 23 and Card reading complete onpage 23). Make sure that you have the correct OCS available.


3.1 Creating the Always Encrypted Column Master Key using the nCipher KSP

Figure 3.6 Enter password

Figure 3.7 Card reading complete

You will now have a CMK called MyCMK protected by the card set, AESQL. The newly generated CMKwill be visible in the Name field (New CMK generated on page 23).

Figure 3.8 New CMK generated

To confirm the key has been successfully created using the nShield Key Storage Provider:

1. Open a CLI or PowerShell with elevated permissions, right click and select Run as Administrator.

2. Run the command nfkminfo.exe –k, you should see something similar to the output below:

nfkminfo.exe -k

Key list - 1 keys



AppName caping Ident s-1-5-21-1277476411-3880915791-1682396242-1002--

7cbbd9d5477b6d2ed4b6df83e3fa50ac3745b85

3. For further information about the key, including its name, and protection (Module or Operator CardSet) run the command nfkminfo with the <AppName> and <Ident> as reported by commandnfkminfo –k used in the previous step.

nfkminfo.exe -k caping s-1-5-21-1277476411-3880915791-1682396242-1002--


Key AppName caping Ident s-1-5-21-1277476411-3880915791-1682396242-1002--


BlobKA length 1052

BlobPubKA length 444

BlobRecoveryKA length 1464

name "MyCMK"

hash 94f0bd3bcf6cc1f07a06086bb7918961c67747f0

recovery Enabled

protection CardSet

other flags PublicKey !SEEAppKey !NVMemBlob +0x0

gentime 2017-09-14 12:59:12

SEE integrity key NONE

4. Click OK, the database now has a Column Master Key protected by the Security World under OCSprotection.

5. To view the new Column Master Key use the SQL Object Explorer (New CMK on page 25).

a. Navigate to the relevant database

b. Expand by clicking the + sign

c. Expand the Security folder

d. Expand the Always Encrypted Keys folder. There will be two folders, one for the ColumnMaster Key(s) and one for the Column Encryption Key(s).


3.2 Enable Always Ecrypted

Figure 3.9 New CMK

3.2 Enable Always EcryptedTo Enable Always Encrypted and generate a CMK, proceed as follows:

1. Right click on the required database, in this example we shall use TestDatabase (Encryptcolumns on page 26).

2. Right click and in the Tasks tab select to Encrypt Columns… this will open the AlwaysEncrypted wizard.



Figure 3.10 Encrypt columns

3. If you don’t want the introduction screen presented each time you run the wizard, check theDo not show this page again box.Click Next.

4. The Column Selection screen allows you to choose the type of CMK and specify thecolumns you want to encrypt (Column selection and encryption type on page 27).

The Apply one key to all checked columns is shaded out until such time as youhave two or more CEKs available. You will then also have the option to select theCEK for any given column via the drop down list beneath the Encryption Keyoption.



Figure 3.11 Column selection and encryption type

5. Under Encryption Type click to select the column(s) to encrypt by checking the appropriatebox to the left of the column name, you can then select the encryption method from the dropdown box beneath Choose Type. Encryption is either:

l Deterministic

l Randomized.

Click Next.

6. On the Master key Configuration page, select the CMK that was generated using thenCipher Key Storage Provider and protected by the HSM and click Next (Select CMK to useon page 28).

Run Settings: It is recommended that maintenance downtime be scheduled forthis activity.The process of encrypting your database records can take a considerableamount of time, depending on the size/quantity of data. To mitigate the possibilityof data corruption occurring as records are encrypted whilst being updated, it isadvisable to back up the database and to only perform this activity when thedatabase is off-line.



Figure 3.12 Select CMK to use

7. Select Proceed to finish now this will begin the process of creating the CEK and using it toencrypt the specified column in the database.

Click Next.

8. Verify the configuration choices on the Summary screen and amend if necessary (Verifysettings on page 28).Click Next.

Figure 3.13 Verify settings



9.

The next operation requires the OCS quorum to be available.

Present the OCS protecting the CMK and enter the passphrase (Load CMK on page 29).Click Finish.

Figure 3.14 Load CMK

10. Enter the OCS passphrase and click Next (Enter passphrase for OCS protecting the CMK onpage 29).

Figure 3.15 Enter passphrase for OCS protecting the CMK

11. Click Finish to complete the loading of the CMK into the memory of the HSM this will allow itto securely encrypt the CEK (Confirmation of card reading on page 30).



Figure 3.16 Confirmation of card reading

12. The CEKwill be generated and protected by an OCS protected CMK.Click Finish.

13. Insert the quorum from the OCS and enter the passphrasewhen prompted.Click Next.

14. The Card reading complete screen reports on the status of the Operator Card readingoperation.Click Next.

15. Providing the Operator Card(s) where correctly read the CEK will have been created. TheResults page will report that the CEK was generated and the requested / specifiedcolumns are now encrypted (CEK Successfully encrypted column on page 31).Click Close to exit the Always Encrypted Column Encryption Key wizard.


3.3 Removing column encryption

Figure 3.17 CEK Successfully encrypted column

16. Open the table by right clicking on the dbo.Table and select Select Top 1000 Rows. Thecolumn that was chosen for encryption now appears as ciphertext (i.e. an encrypted value)(Showing encrypted columns on page 31).

Figure 3.18 Showing encrypted columns

17. To show the encrypted columns in plaintext (i.e. Decrypted), disconnect from the databaseand reconnect with the given additional connection parameter:

a. At the Connect to Database Engine logon screen, select the required server name

b. Click on Options>>

c. Go to Additional Connection Parameters and add the connection string ColumnEncryption Setting = enabled

d. Click Connect.

When you now run the query on the table you will now see the original valuesdecrypted by the Column Encryption Key.

3.3 Removing column encryptionIf you want to remove the protection provided by Always Encrypted column encryption this can bedone using the SQL Server Management Studio Object Explorer.

To remove Column Encryption from a specific or multiple data column(s):

1. Right click on the required database and in the Tasks menu and select Encrypt Columns(Select encrypted columns on page 32).



Figure 3.19 Select encrypted columns

2. Select Next on the Introduction screen.

3. Click on the field Encryption Type on the Column Selection screen and enter the preferredoption for this value.

Figure 3.20 Choose Plaintext opetion

4. From the drop down list select Plaintext and then click Next (Choose Plaintext opetion onpage 32).


3.3 Removing column encryption

5. As there is no key to configure this time click Next to proceed straight to the Run Settingsscreen. If the database is live at this point, you should first take it off-line before proceedingto remove the column encryption (Confirm the database is offline on page 33).

Figure 3.21 Confirm the database is offline

6. Select Proceed to finish now and click Next.

7. Check the Summary screen to make sure the correct Decrypt column(s) are listed and clickFinish (Review column decryption state on page 33).

Figure 3.22 Review column decryption state



8. The Performing encryption operations should show as Passed (Successfully removedAlways Encrypted column encryption on page 34).

Figure 3.23 Successfully removed Always Encrypted column encryption

Always Encrypted column encryption will have been removed from the database. When you nextlog into the database you can remove the Column Encryption Setting = enabled string from theAdditional Connection Parameters field on the database login screen. When you now view yourdatabase table thorugh the Select Top 1000 Rows you should see all columns in plaintext (i.e. anunencrypted state).


4 Always Encrypted using PowerShell: without Role Separation

4 Always Encrypted using PowerShell: withoutRole Separation

4.1 Install and Configure SqlServer PowerShell moduleAll sessions must be executed in an Administrator Shell, to facilitate this open Powershell (or PowerShellISE) by right click and select Run as Administrator.

Decide on the level of security required around the running of scripts and change the ExecutionPolicysetting accordingly. Before updating PowerShellGet or PackageManagement, install the latest Nugetprovider.

1. Open a PowerShell session as Administrator and run:

Install-PackageProvider Nuget –force –verbose

2. Update PowerShellGet:

Install-Module –Name PowerShellGet –force –verbose

3. Download and install the SqlServer module to configure Always Encrypted using Power Shell:

Install-Module -Name SqlServer -force -verbose -AllowClobber

The -AllowClobber parameter allows you to import the specified commands if it exists inthe current session.

4. Once installed (if you are using PowerShell ISE refresh the Commands pane if you are usingPowerShell open a new session), confirm the install by running:

Get-Module -list -Name SqlServer

5. You should see something similar to the output below:

Directory: C:\Program Files\WindowsPowerShell\Modules

ModuleType Version Name ExportedCommands

---------- ------- ---- ----------------

Manifest 21.0.17152 SqlServer {Add-SqlColumnEncryptionKeyValue, Complete-

SqlColumnMasterKeyRotatio…



4.2 Install the nCipher CNG providerFor details on the nCipher CNG provider, see Security World options when using Always Encrypted onpage 8.

If using an existing Security World ensure that the Use existing Security World check box isticked.

The provider location can be found at:

HKEY_LOCAL_MACHINE\SYSTEM\Con-trolSet001\Control\Cryptography\Providers\nCipherSecurityWorldKeyStorageProvider

4.3 Creating the Always Encrypted Column Master Key usingthe nCipher KSOnce you have successfully installed the nCipher CNG Key Storage Provider and registered for use withModule protection you can begin to configure Always Encrypted.

Always make sure that you check and confirm all variables are adjusted according to yourenvironment; the values in this integration guide are example variables only The bespokevalues have been highlighted throughout in red.

1. Generate a CNG RSA key pair for use as a Column Master Key:

$cngProviderName = "nCipher Security World Key Storage Provider"

$cngAlgorithmName = "RSA"

$cngKeySize = 2048 # Recommended key size for Always Encrypted column master keys

$cngKeyName = "AECMK" # Name identifying your new key in the KSP

$cngProvider = New-Object System.Security.Cryptography.CngProvider($cngProviderName)$cngKeyParams =

New-Object System.Security.Cryptography.CngKeyCreationParameters$cngKeyParams.provider =

$cngProvider$cngKeyParams.KeyCreationOptions =

[System.Security.Cryptography.CngKeyCreationOptions]::OverwriteExistingKey$keySizeProperty = New-Object

System.Security.Cryptography.CngProperty("Length", [System.BitConverter]::GetBytes($cngKeySize),

[System.Security.Cryptography.CngPropertyOptions]::None);

$cngKeyParams.Parameters.Add($keySizeProperty)$cngAlgorithm = New-Object

System.Security.Cryptography.CngAlgorithm($cngAlgorithmName)

$cngKey = [System.Security.Cryptography.CngKey]::Create($cngAlgorithm, $cngKeyName, $cngKeyParams)

The above example will generate a 2048 bit RSA key pair with Name AECMK. The resulting key isencrypted whilst in the HSM and then pushed to the requesting On-Premise Client server where itis stored as an Application Key Token in the%NFAST_KMDATA%\local folder

(C:\ProgramData\nCipher\Key Management Data\local).


4.4 Creating the Column Encryption Key

2. Invoke the > New-SqlCngColumnMasterKeySettings cmdlet:

## Specify the Column Master Key settings for importing into the database:

$CmkSettings = New-SqlCngColumnMasterKeySettings -CngProviderName "nCipher Security World Key

Storage Provider" -KeyName "AECMK"

3. Create the Column Master Key:

New-SqlColumnMasterKey "AECMK" -ColumnMasterKeySettings $CmkSettings -Path

SQLSERVER:\SQL\<server_name>\<default>\Databases\testdatabas

4.4 Creating the Column Encryption KeyOnce the Column Master Key has been successfully generated create a Column Encryption Key usingthe example below:

New-SqlColumnEncryptionKey -Name "CEK" -ColumnMasterKeyName "AECMK" –Path SQLSERVER:\SQL\<sql_server_name>\<default>\Databases\testdatabase

The resulting Column Encryption Key (CEK) is a 256 bit symmetric key protected by the Column MasterKey (CMK) this is achieved by calling the EncryptColumnEncryptionKey method of theSqlColumnEncryptionCNGProvider provider class.

4.5 Encrypting Columns with the Column Encryption KeyOpen a PowerShell ISE session with elevated permissions (right click and select Run as Administrator)and run the following to encrypt a given column in the specified database. Adjust the variableshighlighted in red to those suitable for your database name and data columns that you want to encrypt.

Import-Module SqlServer# Set up connection and database SMO objects

$sqlConnectionString = "Data Source=DBServer;Initial Catalog=TestDatabase;Integrated Secur-ity=True;MultipleActiveResultSets=False;Connect Timeout=30;Encrypt=False;TrustServerCertificate=False;Packet Size-e=4096;Application Name=`"Microsoft SQL Server Management Studio`""$smoDatabase = Get-SqlDatabase -ConnectionString $sqlConnectionString

# Change encryption schema

$encryptionChanges = @()

# Add changes for table [dbo].[TestTable]$encryptionChanges += New-SqlColumnEncryptionSettings -ColumnName dbo.TestTable.NationalIdNumber -Encryp-tionType Randomized -EncryptionKey "CEK"

Set-SqlColumnEncryption -ColumnEncryptionSettings $encryptionChanges -InputObject $smoDatabase



4.6 Remove Always Encrypted Column EncryptionTo remove column encryption from previously encrypted column data, replace EncryptionType with thevariable <Plaintext> and execute.

If the database is live at this point, you should first take it off-line before proceeding to removethe column encryption.


$sqlConnectionString = "Data Source=DBServer;Initial Catalog=TestDatabase;Integrated Secur-ity=True;MultipleActiveResultSets=False;Connect Timeout=30;Encrypt=False;TrustServerCertificate=True;Packet Size-e=4096;Application Name=`"Microsoft SQL Server Management Studio`";Column Encryption Setting=Enabled"$smoDatabase = Get-SqlDatabase -ConnectionString $sqlConnectionString# Change encryption schema


# Add changes for table [dbo].[TestTable]$encryptionChanges += New-SqlColumnEncryptionSettings -ColumnName dbo.TestTable.NationalIdNumber -Encryp-tionType Plaintext


The Always Encrypted encrypted data will revert to plaintext. (If your database is protected by TDE thenthe data is still being encrypted whilst at rest). When you next log into the database you can remove theColumn Encryption Setting = enabled string from the Additional Connection Parameters field on thedatabase login screen. When you now view your database table through, Select Top 1000 Rows youshould see all columns in plaintext (i.e. an unencrypted state).

When removing Always Encryption from your database columns, ensure that all columnsappear in plaintext. You must delete any CEK before you can drop the CMK.

4.7 Query the encrypted columnsYou can now use SSMS to query the encrypted columns using a SqlConnectionStringBuilder object andsettingSqlConnectionStringBuilder.ColumnEncryptionSetting to Enabled (Parameterization for AlwaysEncrypted on page 39).

strbldr.ColumnEncryptionSetting = SqlConnectionColumnEncryptionSetting.Enabled;


4.7 Query the encrypted columns

Figure 4.1 Parameterization for Always Encrypted

Alternatively when initiating a connection to the Database (Adjust connection paramters on page 39):

1. Select the desired database

2. Select Options

3. Select Additional Connection Parameters

4. Enter Column Encryption Setting = enabled.

Figure 4.2 Adjust connection paramters


5 Always Encrypted using PowerShell: with Role Separation

5 Always Encrypted using PowerShell: with RoleSeparation

5.1 Install and Configure SqlServer PowerShell moduleAll sessions must be executed in an Administrator Shell, to facilitate this open Powershell (or PowerShellISE) by right click and select Run as Administrator. The following operations need to be run on all SQLAlways Encrypted servers and the Database server(s) in order to align all with the latest SqlServerpackage.

Always ensure that you check and confirm all variables are adjusted according to yourenvironment; the values in this integration guide are example variables only the bespokevalues have been highlighted throughout in red.

Before updating PowerShellGet or PackageManagement, install the latest Nuget provider.

1. Open a PowerShell session as Administrator and run:

Install-PackageProvider Nuget –force –verbose

2. Update PowerShellGet:

Install-Module –Name PowerShellGet –force –verbose

3. Download and install the SqlServer module to configure Always Encrypted using Power Shell:

Install-Module -Name SqlServer -force -verbose -AllowClobber

The -AllowClobber parameter allows you to import the specified commands if it exists inthe current session.

4. Once installed (if you are using PowerShell ISE refresh the Commands pane if you are usingPowerShell open a new session), confirm the install by running:


5. You should see something similar to the output below:



---------- ------- ---- ----------------




SqlColumnMasterKeyRotatio…

6. Verify that the nCipher CNG KSP is installed correctly:

cnglist.exe --list-providers

Microsoft Key Protection Provider

Microsoft Passport Key Storage Provider

Microsoft Platform Crypto Provider

..

..

nCipher Primitive Provider

nCipher Security World Key Storage Provider

For the purpose of this guide when integrating with role separation, roles are defined as Duty Role. Thetable below shows the separation and function of these duty roles with reference to SecurityAdministrator and Database Administrator.

Process Duty Role

Generating the CMK Security Administrator

Generating / encryption of CEK Security Administrator

Defining the CMK and CEK in the database Database Administrator

5.2 Creating the Always Encrypted Column Master Key usingthe nCipher KSPOnce you have successfully installed the nCipher CNG Key Storage Provider and registered for use withModule protection you can begin to configure Always Encrypted.

The Security Officer must have administrator rights on the Client Server being configured to use AlwaysEncrypted. The following sections are divided between the Security Administrator and the DatabaseAdministrator. The DBA should not have access to the Client server.

5.2.1 Duty Role: Security Administrator

1. Confirm that the SqlServer module is present by running:




5.2.1 Duty Role: Security Administrator


---------- ------- ---- ----------------


SqlColumnMasterKeyRotation, Get-SqlColumnEncryptionKey, Get-SqlCo...

2. Generate a CNG RSA key pair for use as a Column Master Key: Choose a suitable name for theColumn Master Key (highlighted in below in red) for your particular deployment:

$cngProviderName = "nCipher Security World Key Storage Provider"

$cngAlgorithmName = "RSA"

$cngKeySize = 2048 # Recommended key size for Always Encrypted column master keys

$cngKeyName = "AECMK" # Name identifying your new key in the KSP

$cngProvider = New-Object System.Security.Cryptography.CngProvider($cngProviderName)

$cngKeyParams = New-Object System.Security.Cryptography.CngKeyCreationParameters

$cngKeyParams.provider = $cngProvider

$cngKeyParams.KeyCreationOptions =

[System.Security.Cryptography.CngKeyCreationOptions]::OverwriteExistingKey

$keySizeProperty = New-Object System.Security.Cryptography.CngProperty("Length",

[System.BitConverter]::GetBytes($cngKeySize), [System.Security.Cryptography.CngPropertyOptions]::None);

$cngKeyParams.Parameters.Add($keySizeProperty)

$cngAlgorithm = New-Object System.Security.Cryptography.CngAlgorithm($cngAlgorithmName)

$cngKey = [System.Security.Cryptography.CngKey]::Create($cngAlgorithm, $cngKeyName, $cngKeyParams)

The above example will generate a 2048 bit RSA key pair. The resulting key is encrypted whilst inthe HSM and then pushed to the requesting On-Premise Client server where it is stored as anApplication Key Token in the%NFAST_KMDATA%\local folder (C:\ProgramData\nCipher\KeyManagement Data\local).

3. Confirm that the key was successfully generated and exists in the nCipher %KMDATA_LOCAL%directory:

nfkminfo.exe -k

Key list - 1 keys

AppName caping Ident s-1-5-21-1277476411-3880915791-1682396242-1002--


PS C:\WINDOWS\system32> nfkminfo.exe -k caping s-1-5-21-1277476411-3880915791-1682396242-1002--


Key AppName caping Ident s-1-5-21-1277476411-3880915791-1682396242-1002--


name "AECMK"

hash 9f215d32a765a708e4fcb92678ce43d0f475955b

recovery Enabled

protection Module



4. The Security Administrator can now create the SqlCngColumnMasterKeySettings object which willreference the CMK application key token created using the nCipher KSP:


Storage Provider" -KeyName AECMK

5. The example below will produce the encrypted value of a new Column Encryption Key. This will beimplemented via T-SQL for setting Column Encryption on a specified column:

New-SqlColumnEncryptionKeyEncryptedValue -TargetColumnMasterKeySettings $CMKSettings

0x01620000016E00630069007000680065007200200073006500630075007200690074007900200077006F

0072006C00640020006B00650079002000730074006F0072006100670065002000700072006F0076006900

6400650072002F006100650063006D006B00989CD11831C74395E380A8F16A251014D03E98390BD8AF1

2252062B653AE80A00C7CFA1FC284914A38CBA659796C55CF59B131BDC1BF8A862B032F14303B2E6E

F1BAC2441EEB4B10CBF9DBB6523E34E64F7EE0B3F6A538228EF1964C5E2A1E4ED8056700AA2B25BFB

9834679C99A84D7B275F0945429E97639558F79EB3EB363497857BBB621C2D8FC822464FCF1F2178A2

4087F2C5E9ACBECF02DB495D4357C8ED886F1CC8A3070BF0FA9F430389D738AA2CEE17880EE7210C

A18437FA3FC6333075A33F286239CDA869B4C017F3ADA3D67F7ECB6ECEF58F6815648665DD36A67FC

4CAB4D3D699130D33852B642A6E6ED2B2FE1692010943E3252530727306035822BDC2CADBDAC13F48

748686BADAD72086A505BA57D482C904A3BE39EE603B7CC26398D5CE589AB6597EA5D577C28C34BC6

AA96F17B69F1F053BC148B763C27CDEE1307C9A46F12CFBC8CF309A417364BFA78C5D9A8FEFC877F

CDCC4ACC06AF750436A962C757BAC3ADE9CB3C0DAEE78002ACE2F36DCF9C1BAE69B39053875910C

E4F77E51450C844CC32DF062309CC9B2F29F92A8DDAD883B632C8D3F36620318175B93763DEF696D5

EB9DC37F51655E181207165A896AEFA60271B705B2883BD96BEC6487454A65EFE9D7F48AF54FFE1B7

FEB0598AC47CA306B23201B8B9B89DFAA574688CA18F5B16FFEAFAF9FA87072CE0E853675E2369CE3

ED912F67

5.2.2 Duty Role: Data Base Administrator

1. Open PowerShell ISE as Administrator and run the following in order to create aSqlcngcolumnMasterKeySettings object that contains information about the location of yourcolumn master key. Make sure that the Sql Server module has been imported.

New-SqlCngColumnMasterKeySettings -CngProviderName "nCipher Security World Key Storage Provider" -

KeyName AECMK

KeyStoreProviderName KeyPath

-------------------- -------

MSSQL_CNG_STORE nCipher Security World Key Storage Provider/AECMK


Storage Provider" -KeyName AECMK


5.2.2 Duty Role: Data Base Administrator

New-SqlColumnMasterKey "AECMK" -ColumnMasterKeySettings $CmkSettings -Path

SQLSERVER:\SQL\MSSQLSERVER\AEDATABASE\Databases\AEtestdatabase2

Name

----

AECMK

2. You can confirm the presence of the newly imported CMK using Object Explorer in SSMS (CMKImported into database on page 44).

Figure 5.1 CMK Imported into database

TheNew-SqlColumnEncryptionKey cmdlet creates a column encryption key object in the form of anEncrypted Value in the database. A column encryption key object encapsulates an encrypted value of asymmetric cryptographic key, i.e. the Column Encryption Key; this can be subsequently used to encryptdatabase columns using the Always Encrypted feature.

The example below shows the output confirming the creation of a new CEK, called AECEK1 this wasgenerated and then encrypted using the encapsulated CMK metadata provided to the DBA by theSecurity Administrator.

New-SqlColumnEncryptionKey -Name "AECEK1" -ColumnMasterKeyName "AECMK" –EncryptedValue0x01620000016E00630069007000680065007200200073006500630075007200690074007900200077006F007200-6C00640020006B00650079002000730074006F0072006100670065002000700072006F0076006900640065007200-2F006100650063006D006B004BD6CACB568A8DFB91AF92CB6AD25C2AEF93895BE3E658D2E7280BB799BD0D-



BB3B3F38B0E320955CC8D9705D42CC8E2D022F7A5839DE6ACF133EFACE9DA7CDF49AB14F21491B06F9156-E9509735328567C603A71A4838B4B8E746A413A2391EDCDEC7F6DFBE9E3DECA579797DFB025F5771330892C-CD6AA60FD89F898340E731EBAC43FDAA240E0FEA6471B2B772BE9238DCEBF96A2F421F7AB23F4EEDFC28C-A5D91244BCA5D4ED9B9E53F657E4F32A4D0CA8D62DF67FEC648224AB3B0A9DDF223B8C82CCEC64E68FA27-ED63D4212552BE5C3E69C79F4485C743165C3375909BAE4A11FF1FBCF69C2D791E634B86636C921F71400E0-2565B1E0C1E63C01F6C2699CEE2EB6DF3F29BB0B253B65FD0E6741BA0FA7150330D3BC16357895687433DF-BD20027BC133841E02072E2409F543ABB5386B3BA77D4959DA2631B80451868186BCDDEB781ECDAC567C62-DAC8169F7A0951D99A943AC06E8CD88DD9174C27B9FD2A49E37C3555DAC542DEC19582F10628A9B49FBDE-3520BAA684580CF8E51C99987ED47498E803E40793411737E3969B40A676FF5513054569ADBB3B0B97B1715F-D3683D5E537E51413A3563DBEA9EDA6F895565EF1793FF3642206F362582153F382AA107C9BA4A3AC619AAB-4A3CF6AB5D8D4DCC1389DF54CBF60B8F6882152DD95215DE8371F3632E1406CC9BD0449CDA2212DEA8D17-3CFFD8CC04234151

Name----AECEK1

You can confirm the presence of the CEK using SSMS Object Explorer to view the new Always Encryptedkey (CEK Creation on page 45).

Figure 5.2 CEK Creation

This concludes role separation activities performed by the Data Base Administrator. The SecurityAdministrator can now connect to the Database and use the defined keys to encrypt the desired columnsusing Always Encrypted.


5.2.2.1 Duty Role: Security Administrator

5.2.2.1 Duty Role: Security AdministratorThe Security Administrator can now connect to the database either through the SQL ServerManagement Studio or PowerShell and use the provisioned key Metadata to encrypt the requiredcolumns.

5.2.3 Encrypt Columns using SSMS

To encrypt a column using SSMS please refer to the chapter on “Always Encrypted using SSMS” this canbe found on page 14 of this document.

To encrypt columns using PowerShell please refer to the section below.

5.2.4 Encrypt Columns using PowerShell

In order to encrypt a column using a CEK the user of the database must have the following effectivepermissions:

l ALTER ANY COLUMN MASTER KEY

l ALTER ANY COLUMN ENCRYPTION KEY

l VIEW ANY COLUMN MASTER KEY DEFINITION

l VIEW ANY COLUMN ENCRYPTION KEY DEFINITION.

These permissions can be found by right clicking on the relevant database and selecting Properties thenPermissions (Permissions status on page 47).



Figure 5.3 Permissions status

To encrypt a column using the CEK, run the following:

$EncryptionSettings = New-SqlColumnEncryptionSettings -ColumnName <dbo.yourdb.column to encrypt> -Encryp-tionType <Deterministic/Randomized> –EncryptionKey "<Name of CEK>"

Example:

Create the Column encryption settings for you chosen column using theNew-

SqlColumnEncryptionSettings cmdlet.

New-SqlColumnEncryptionSettings -ColumnName dbo.AEtestdb.LastName -EncryptionType Deterministic –Encryp-tionKey "AECEK1"

ColumnName : LastNameTableName : AEtestdatabaseSchemaName : dboEncryptionType : RandomizedEncryptionKey : AECEK1

Set the encryption policy on the column using the appropriate CMK and CEK to secure successful columnencryption.


$sqlConnectionString = "Data Source=AEDATABASE;Initial Catalog=AEtestdatabase2;User ID=dbuser;Mul-tipleActiveResultSets=False;Connect Timeout=30;Encrypt=False;TrustServerCertificate=False;Packet Size-e=4096;Application Name=`"Microsoft SQL Server Management Studio`""$smoDatabase = Get-SqlDatabase -ConnectionString $sqlConnectionString# Change encryption schema$encryptionChanges = @()# Add changes for table [dbo].[TestTable]$encryptionChanges += New-SqlColumnEncryptionSettings -ColumnName dbo.TestTable.NationalIdNumber -Encryp-tionType Randomized -EncryptionKey "AECEK1"


As the Column Master Key is only available to users who have a copy of the application key token in theclient server %NFAST-KMDATA%\local directory any column encryption Key encrypted with this remainsunavailable, as access to this key is required to decrypt the CEK protecting the column data.

5.2.5 Remove Always Encrypted Column Encryption

To remove column encryption from previously encrypted column data, replace EncryptionType with thevariable <Plaintext> and execute.

If the database is live at this point, you should first take it off-line before proceeding to removethe column encryption.


5.2.6 Query the encrypted columns


$sqlConnectionString = "Data Source=DBServer;Initial Catalog=TestDatabase;Integrated Secur-ity=True;MultipleActiveResultSets=False;Connect Timeout=30;Encrypt=False;TrustServerCertificate=True;Packet Size-e=4096;Application Name=`"Microsoft SQL Server Management Studio`";Column Encryption Setting=Enabled"$smoDatabase = Get-SqlDatabase -ConnectionString $sqlConnectionString# Change encryption schema


# Add changes for table [dbo].[TestTable]$encryptionChanges += New-SqlColumnEncryptionSettings -ColumnName dbo.TestTable.NationalIdNumber -Encryp-tionType Plaintext


The Always Encrypted encrypted data will revert to plaintext. (If your database is protected by TDE thenthe data is still being encrypted whilst at rest). When you next log into the database you can remove theColumn Encryption Setting = enabled string from the Additional Connection Parameters field of thedatabase login screen. When you now view your database table via, Select Top 1000 Rows you shouldsee all columns in plaintext (i.e. an unencrypted state).

When removing Always Encryption from your database columns, ensure that all columnsappear in plaintext. You must delete any CEK before you can drop the CMK.

5.2.6 Query the encrypted columns

You can now use SSMS to query the encrypted columns using a SqlConnectionStringBuilder object andsettingSqlConnectionStringBuilder.ColumnEncryptionSetting to Enabled (Parameterization for AlwaysEncrypted on page 39).

strbldr.ColumnEncryptionSetting = SqlConnectionColumnEncryptionSetting.Enable

Alternatively when initiating a connection to the Database, select the desired Database and selectOptions, Additional Connection Parameters and enter Column Encryption Setting = enabled (Adjustconnection paramters on page 39).


6 Glossary of PowerShell SqlServer CMDlets

6 Glossary of PowerShell SqlServer CMDletsThe following list shows the currently available 16 Always Encrypted PowerShell cmdlets:

PowerShell CMDlet Description

Add-SqlColumnEncryptionKeyValue Adds a new encrypted value for an existing columnencryption key object in the database.

Complete-SqlColumnMasterKeyRotation Completes the rotation of a column master key.

Get-SqlColumnEncryptionKey Returns all column encryption key objects defined inthe database, or returns one column encryption keyobject with the specified name.

Get-SqlColumnMasterKey Returns the column master key objects defined in thedatabase, or returns one column master key objectwith the specified name.

Invoke-SqlColumnMasterKeyRotation Initiates the rotation of a column master key.

New-SqlAzureKeyVaultColum-nMasterKeySettings

Creates a SqlColumnMasterKeySettings objectdescribing an asymmetric key stored in Azure KeyVault.

New-SqlCngColumnMasterKeySettings Creates a SqlColumnMasterKeySettings objectdescribing an asymmetric key stored in a key storesupporting the Cryptography Next Generation (CNG)API.

New-SqlColumnEncryptionKey Creates a new column encryption key object in thedatabase.

New-SqlColumnEncryptionKeyEncryptedValue Produces an encrypted value of a column encryptionkey.

New-SqlColumnEncryptionSettings Creates a new SqlColumnEncryptionSettings objectthat encapsulates information about a single column’sencryption, including CEK and encryption type.

New-SqlColumnMasterKey Creates a new column master key object in the data-base.

New-SqlCspColumnMasterKeySettings Creates a SqlColumnMasterKeySettings objectdescribing an asymmetric key stored in a key storewith a Cryptography Service Provider (CSP) sup-porting Cryptography API (CAPI).

Remove-SqlColumnEncryptionKey Removes the column encryption key object from thedatabase.

Remove-SqlColumnEncryptionKeyValue Removes an encrypted value from an existing columnencryption key object in the database.


6 Glossary of PowerShell SqlServer CMDlets

PowerShell CMDlet Description

Remove-SqlColumnMasterKey Removes the column master key object from the data-base.

Set-SqlColumnEncryption Encrypts, decrypts or re-encrypts specified columns inthe database.

Alternatively, the full list, along with any additions to the SqlServer module released after this guidespublication, can be found via the link below:

https://blogs.technet.microsoft.com/dataplatforminsider/2016/06/30/sql-powershell-july-2016-update/.


https://blogs.technet.microsoft.com/dataplatforminsider/2016/06/30/sql-powershell-july-2016-update/

Contact Us

Contact UsWeb site: https://www.ncipher.comSupport: https://help.ncipher.comEmail Support: [email protected] documentation: Available from the Support site listed above.

You can also contact our Support teams by telephone, using the following numbers:

Europe, Middle East, and Africa

United Kingdom: +44 1223 622444One Station SquareCambridgeCB1 2GAUK

Americas

Toll Free: +1 833 425 1990Fort Lauderdale: +1 954 953 5229

Sawgrass Commerce Center – ASuite 130,13800 NW 14 StreetSunriseFL 33323 USA

Asia Pacific

Australia: +61 8 9126 9070World Trade Centre Northbank WharfSiddeley StMelbourne VIC 3005Australia

Japan: +81 50 3196 4994Hong Kong: +852 3008 3188

10/F, V-Point,18 Tang Lung StreetCauseway BayHong Kong


About nCipher SecuritynCipher Security, an Entrust Datacard company, is a leader in the general-purpose hardware security module (HSM)market, empowering world-leading organizations by delivering trust, integrity and control to their business criticalinformation and applications. Today’s fast-moving digital environment enhances customer satisfaction, gives competitiveadvantage and improves operational efficiency – it also multiplies the security risks. Our cryptographic solutions secureemerging technologies such as cloud, IoT, blockchain, and digital payments and help meet new compliance mandates.We do this using our same proven technology that global organizations depend on today to protect against threats totheir sensitive data, network communications and enterprise infrastructure. We deliver trust for your business criticalapplications, ensure the integrity of your data and put you in complete control – today, tomorrow, always.www.ncipher.com

https://www.ncipher.com/

Microsoft SQL Server 2016 Always Encrypted · Page 6 of 52 Microsoft SQL Server 2016 Always...

Documents

Transcript of Microsoft SQL Server 2016 Always Encrypted · Page 6 of 52 Microsoft SQL Server 2016 Always...