0

I've got on the same computer (Win server 2012 R2 Datacenter) a web app being built on ASP.NET and a SQL Server 2017. Goal is to secure sensitive data on the database in case someone gains access to this computer. I've used Always Encrypted feature to encrypt columns with sensitive data and the according certificate is being stored to the \Certificates(Local Computer)\Personal\Certificates location.

Is there a way to prevent (password protect for example) an active windows user to access this certificate and export it?

marc_s
  • 732,580
  • 175
  • 1,330
  • 1,459
DrMad
  • 11
  • 1
  • Since the application that obtains the unencrypted text is on the same machine as the database, apparently, you cannot achieve any meaningful protection in the event that that machine is compromised. – Damien_The_Unbeliever Dec 13 '18 at 07:14
  • And if you are afraid that the certificate can be exported, do not make it exportable. When import it on the server, make sure `Make this key as exportable.` checkbox is not selected (in case you import it using the wizard), or `-Exportable` is not specified (in case you import it with `Install-Certificate` PowerShell cmdlet). – Andrey Nikolov Dec 13 '18 at 07:50

1 Answers1

1

To achieve your goal "to secure sensitive data on the database in case someone gains access to this computer" you should not consider keeping your certificate in the same machine (or) server.

You need to maintain the certificate in a Centralized Key Stores like Azure Key Vault

Please see my detailed answer here

Jayendran
  • 9,638
  • 8
  • 60
  • 103