My project has a requirement to encrypt a sensitive field column in SQL server table but the encryption/decryption key shall be kept outside SQL environment to ensure maximum data security. Thycotic server is one secret server to store and secure passwords. I am trying a POC to check if encryption key can be generated via Secret server and can be used to encrypt table column in SQL server. I haven't found much related to this on the Thycotic website or on google. How can this be achieved if feasible?
Asked
Active
Viewed 80 times
0
-
This is basically the scenario [Always Encrypted](https://learn.microsoft.com/sql/relational-databases/security/encryption/always-encrypted-database-engine) is designed to tackle. You can use this with a third-party key store as long as the vendor has an implementation for the CNG API; most commonly it's used with the integrated keystore of Windows itself, or Azure. [See also](https://learn.microsoft.com/sql/relational-databases/security/encryption/create-and-store-column-master-keys-always-encrypted). – Jeroen Mostert Feb 19 '21 at 11:20
-
Thanks @JeroenMostert for responding!! Is CNG API similar to Extensible Key management which will again be an added installation of the provider to store keys?Does Thycotic server provide any such encryption facility? – Meenal Rajput Feb 19 '21 at 11:50
-
1Yes, EKM is a CNG feature. I have no experience with Thycotic whatsoever; this sounds like the sort of question their customer support should love. – Jeroen Mostert Feb 19 '21 at 12:07
-
I checked with Thycotic team and got to know such functionality won't be feasible. That means either Always encryption with Azure key vault OR EKM would work to store encryption/decryption keys separate from SQL environment. And both of these methods will demand investment from organization. By any chance, do you know which would be cost effective and have less retrictions/limitations with .NET application – Meenal Rajput Feb 19 '21 at 12:56