Reputation: 1
Do I have to secure the column master encryption key on the client side, so that nobody can read it? Is it correct that when somebody has the column and master encryption key, the data can be decrypted by an attacker?
Regards
Upvotes: 0
Views: 282
Reputation: 837
Your understanding is correct. Roughly speaking, Always Encrypted provides the following security guarantee: plaintext data will only be visible to entities that have access to the Column Master Key (certificate). So you would have to ensure that your CMK is only accessible to trusted entities. Also, the best practice is to have the client application and database on separate machines.
I have provided a short, detailed explanation of the security guarantee provided by Always Encrypted here. You might find this useful. If you have additional questions, please leave a comment and I will try my best to help.
Upvotes: 0
Reputation: 294267
Do I have to secure ... so that nobody can read it
This statement can never be true. If the application needs to read a secret (the key), then so can an administrator on the site. If you have an application running on the client side, there is nothing you can do to prevent a determined client from finding the key. Ditto for an attacker that has compromised the location.
The Always Encrypted scenario is for applications that do not trust their service hosting (think Azure SQL Database). The application has the key and can manipulate the data, and the data travels to the hosting service and is stored encrypted. The hosting service cannot decrypt your data. All of this is in the opening paragraph describing the feature:
Always Encrypted is a feature designed to protect sensitive data, such as credit card numbers or national identification numbers (e.g. U.S. social security numbers), stored in Azure SQL Database or SQL Server databases. Always Encrypted allows clients to encrypt sensitive data inside client applications and never reveal the encryption keys to the Database Engine ( SQL Database or SQL Server). As a result, Always Encrypted provides a separation between those who own the data (and can view it) and those who manage the data (but should have no access). By ensuring on-premises database administrators, cloud database operators, or other high-privileged, but unauthorized users, cannot access the encrypted data, Always Encrypted enables customers to confidently store sensitive data outside of their direct control. This allows organizations to encrypt data at rest and in use for storage in Azure, to enable delegation of on-premises database administration to third parties, or to reduce security clearance requirements for their own DBA staff.
Upvotes: 1
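The key hierarchy behind the guarantee that both answers above describe, as an added T-SQL illustration (not code from the question, either answer, or Microsoft's documentation). The object names CMK_Client, CEK_Client and dbo.Patients, the certificate thumbprint and the wrapped-CEK bytes are placeholders assumed here; in practice the wrapped value is produced on the client by SSMS or the SqlServer PowerShell module, which encrypts a fresh CEK with the certificate's public key. The point to notice is what the database actually stores: a pointer to a client-side key store and a CEK that is already wrapped by the CMK, so a DBA reading the catalog or the table sees only ciphertext.

```sql
-- 1. Column master key: metadata only. No key material reaches the server,
--    just the provider and the path the *client* driver will use to find the
--    certificate. (Thumbprint below is a placeholder.)
CREATE COLUMN MASTER KEY CMK_Client
WITH (
    KEY_STORE_PROVIDER_NAME = 'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = 'CurrentUser/My/0123456789ABCDEF0123456789ABCDEF01234567'
);

-- 2. Column encryption key: the server stores only the CEK wrapped with the
--    CMK (RSA-OAEP). Without the certificate's private key the value is opaque.
--    (0x00 is a placeholder for the real wrapped bytes generated client-side.)
CREATE COLUMN ENCRYPTION KEY CEK_Client
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Client,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x00
);

-- 3. Table with two encrypted columns. DETERMINISTIC allows equality lookups
--    (same plaintext -> same ciphertext, hence the BIN2 collation);
--    RANDOMIZED leaks nothing about equality but supports no predicates.
CREATE TABLE dbo.Patients (
    PatientId INT IDENTITY(1,1) PRIMARY KEY,
    SSN CHAR(11) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Client,
                        ENCRYPTION_TYPE = DETERMINISTIC,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,
    BirthDate DATE
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Client,
                        ENCRYPTION_TYPE = RANDOMIZED,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,
    LastName NVARCHAR(50) NOT NULL
);

-- 4. The DBA's view. These catalog views are readable with ordinary
--    privileges, yet contain only the key path and the wrapped CEK.
SELECT cmk.name, cmk.key_store_provider_name, cmk.key_path
FROM sys.column_master_keys AS cmk;

SELECT cek.name, v.encryption_algorithm_name, v.encrypted_value
FROM sys.column_encryption_keys AS cek
JOIN sys.column_encryption_key_values AS v
    ON v.column_encryption_key_id = cek.column_encryption_key_id;

-- 5. From any connection that does NOT have "Column Encryption Setting=Enabled"
--    in its connection string (a DBA in SSMS, a compromised host without the
--    certificate), the encrypted columns come back as varbinary ciphertext:
SELECT PatientId, SSN, BirthDate, LastName FROM dbo.Patients;

-- 6. Only the client that has both the connection-string setting and access
--    to the certificate gets plaintext. Equality on the DETERMINISTIC column
--    works because the driver encrypts the parameter before it leaves the
--    client; the server compares ciphertext to ciphertext and never decrypts.
--    The @ssn value must be a driver-side parameter (or use SSMS's
--    "Parameterization for Always Encrypted"); a literal in the WHERE clause
--    would be sent in the clear and the comparison would fail.
--    DECLARE @ssn CHAR(11) = '123-45-6789';
--    SELECT PatientId, LastName FROM dbo.Patients WHERE SSN = @ssn;
```

Two practical consequences follow from the layout above. First, rotating or revoking access means acting on the CMK at the client (the certificate, key vault or HSM object), not on anything the DBA controls; the `ALTER COLUMN ENCRYPTION KEY ... ADD VALUE` / `DROP VALUE` statements only swap which wrapped copy the server hands out. Second, because the server never holds a usable key, it cannot do range scans, `LIKE`, arithmetic or sorting on encrypted columns; anything beyond equality on a deterministic column has to happen client-side after decryption.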