Best practices for database encryption in SQL Server 2005

Time: 2021-03-19 23:44:10

I need to develop an application which stores data in a SQL Server 2005 database (the app itself will be either a WCF Service or an Asp.Net Web Service).

Now, this data is supremely confidential, and I need to have it stored in an encrypted form in the database.

So, I am wondering what the best practices are around this. I know that there are some encryption capabilities that SQL Server has in-built. Is there a 'for dummies' type of resource for this so that I can quickly get going?

Alternatively I was thinking that I could encrypt/decrypt in my C# code and not in the database - maybe have a layer which handles this just above the data access layer (is that a good idea)?

4 solutions

#1


3  

Look at this link for a good introduction with samples.

I think doing the data encryption in the application is better, because in that case the transferred data is already encrypted. Otherwise you have to use a secure channel between your app and the database server.

It depends on your needs, I would say.

#2


1  

Have you considered encrypting your data at the file-system level?

It's Windows 2008/Vista only, but it should give you what you need and it's what it's designed for.

#3


0  

Before you decide on an encryption method, you need to assess what parts of the system are vulnerable. If the potential for unauthorized access to the database exists, does the same threat exist for your application? Someone could run your code through Reflector and determine what methods were being used to encrypt and decrypt. You can mitigate that exposure to some extent with the code obfuscators. If that concern is not a risk, then you may find it easier to encrypt your data at the application level.

#4


0  

Encryption needs to happen in a few different places depending on the application. For example, a consumer site using credit card info needs to encrypt the connection over the network to prevent man-in-the-middle attacks or snooping. When the data is stored in the database, you need to encrypt the data so that a low-level sales rep can't read and access the customers' credit card info, in which case you might want to implement column-level encryption as appropriate permission. In addition to this, if you're worried that one day the janitor at your data centre might steal one of your backups, then you need to implement TDE to encrypt data at the disk level.

Encryption has a performance overhead, especially with regard to CPU usage; more importantly, the overhead depends on the algorithm being used for encryption.
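
The column-level encryption mentioned in answer #4, written with the cell-level encryption functions built into SQL Server 2005. This is an added example, not part of any answer on this page; the object names (CardCert, CardKey, dbo.CustomerCard), the BillingRole role (assumed to exist already), the password placeholder and the sample card number are all assumptions.

```sql
-- Added example: cell-level encryption with SQL Server 2005 built-ins.
-- All object names, the role and the sample card number are constructed.

-- 1. Key hierarchy: database master key -> certificate -> symmetric key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<replace-with-strong-password>';
CREATE CERTIFICATE CardCert WITH SUBJECT = 'Protects CardKey';
CREATE SYMMETRIC KEY CardKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardCert;
GO

-- 2. The column holds ciphertext only, so it is typed varbinary.
CREATE TABLE dbo.CustomerCard (
    CustomerId    int            NOT NULL PRIMARY KEY,
    CardNumberEnc varbinary(128) NOT NULL
);
GO

-- 3. Encrypt on write. The authenticator (a hash of the row's CustomerId)
--    binds the ciphertext to its row: a value copied into another row
--    decrypts to NULL there.
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;

INSERT INTO dbo.CustomerCard (CustomerId, CardNumberEnc)
VALUES (42,
        EncryptByKey(Key_GUID('CardKey'),
                     N'4111111111111111',   -- constructed test number
                     1,
                     HashBytes('SHA1', CONVERT(varbinary, 42))));

-- 4. Decrypt on read, supplying the same authenticator.
SELECT CustomerId,
       CONVERT(nvarchar(32),
               DecryptByKey(CardNumberEnc, 1,
                            HashBytes('SHA1', CONVERT(varbinary, CustomerId))))
           AS CardNumber
FROM dbo.CustomerCard;

CLOSE SYMMETRIC KEY CardKey;
GO

-- 5. Only principals that can open the key can decrypt. Grant these to the
--    role that needs plaintext; a role with only SELECT on the table
--    (the "low-level sales rep") sees ciphertext.
GRANT VIEW DEFINITION ON SYMMETRIC KEY::CardKey TO BillingRole;
GRANT CONTROL ON CERTIFICATE::CardCert TO BillingRole;
```

Values in CardNumberEnc stay encrypted in database backups, but the certificate and symmetric key are stored in the same database, so the strength of the master key password and the handling of backup files still matter.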
