我的问题很简单：我需要为客户提供列级的透明数据加密，也就是说应用程序代码完全不需要改动。Oracle 提供了这种功能。SQL Server 有两种模式：TDE（整个数据库级别）和列级加密；后者并不是 TDE，需要在应用程序层面做修改。我还没有找到在 SQL Server 上为客户提供 Oracle 风格列级 TDE 的办法，任何建议都将不胜感激。
这个挑战肯定可以解决：在基表之上创建一个视图，让应用程序只访问视图，并为插入和更新操作在视图上定义 INSTEAD OF 触发器（视图负责解密，触发器负责加密）。删除操作无需触发器即可直接穿透到基表。需要注意的是，这并不是真正的 TDE，而是基于 ENCRYPTBYKEY 的单元级加密：对称密钥由证书保护，证书又由数据库主密钥保护，任何拥有相应密钥权限并能查询视图的数据库主体都能看到明文，因此密钥和权限管理仍需单独设计。您需要根据自己的需求调整触发器。我设计了一个例子：
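-- Column-level encryption that is transparent to the application: the
-- application reads and writes the view dbo.MessageRecords only. INSTEAD OF
-- triggers on the view encrypt on the way in and the view decrypts on the way
-- out, so application SQL does not change.
--
-- NOTE(review): this is SQL Server cell-level encryption (ENCRYPTBYKEY /
-- DECRYPTBYKEYAUTOCERT), not TDE. The symmetric key is protected by a
-- certificate, the certificate by the database master key, and the server
-- opens that master key automatically through the service master key. Every
-- database principal that can SELECT from the view and holds the permissions
-- the decrypt function requires on the certificate and symmetric key reads
-- plaintext. Grant those deliberately and keep the base table unreadable to
-- application logins.
USE master;
GO

CREATE DATABASE EncryptedData;
GO

USE EncryptedData;
GO

-- Demo password only. Keep the real one out of source control and back the
-- master key up: a backup of this database restored on another server needs
-- the password to re-open the key hierarchy (the service master key differs).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'P@ssw0rd!';

CREATE CERTIFICATE KeyProtection WITH SUBJECT = 'Key Protection';

CREATE SYMMETRIC KEY ColumnKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE KeyProtection;

-- ENCRYPTBYKEY uses a random IV, so equal plaintexts produce different
-- ciphertexts and ciphertext can never be compared or joined on. Rows
-- therefore carry a surrogate key so the triggers can address a row without
-- decrypting the whole table.
-- The ciphertext is larger than its plaintext and ENCRYPTBYKEY returns at most
-- 8000 bytes, so the column is sized to the function's maximum; plaintext
-- beyond that limit cannot be stored with this scheme.
-- Ciphertext stays nullable on purpose: ENCRYPTBYKEY(NULL) is NULL, so a NULL
-- message is stored as NULL (which also means NULL-ness is visible at rest).
CREATE TABLE dbo.SecretMessages (
    MessageId  INT IDENTITY(1, 1) NOT NULL
        CONSTRAINT SecretMessages_MessageId_pk PRIMARY KEY,
    Ciphertext VARBINARY(8000) NULL
);
GO

-- The view is the application's "table". DECRYPTBYKEYAUTOCERT opens ColumnKey
-- through the certificate for the duration of the call, so readers never
-- issue OPEN SYMMETRIC KEY themselves. It returns NULL instead of an error
-- when a value was not encrypted with this key, so a wrong-key row reads as
-- an empty message rather than failing loudly. The CAST must match the type
-- the triggers encrypt; both sides use the view column's VARCHAR(MAX).
CREATE VIEW dbo.MessageRecords
AS
SELECT
    s.MessageId,
    CAST(DECRYPTBYKEYAUTOCERT(CERT_ID('KeyProtection'), NULL, s.Ciphertext) AS VARCHAR(MAX)) AS MessageRecord
FROM dbo.SecretMessages AS s;
GO

-- OPEN SYMMETRIC KEY is session-scoped: if the INSERT fails between OPEN and
-- CLOSE the key would stay open in the caller's session, so the CATCH block
-- closes it before re-raising.
-- NOTE(review): ENCRYPTBYKEY accepts an authenticator that binds a ciphertext
-- to its row; without one, anyone who can write the base table can swap
-- ciphertexts between rows undetected. This demo does not use one because the
-- identity value is not known before the insert.
-- NOTE(review): because the identity is generated inside the trigger's scope,
-- an application reading SCOPE_IDENTITY() after the insert will get NULL.
CREATE TRIGGER dbo.InsMessageRecordsTrg ON dbo.MessageRecords
INSTEAD OF INSERT
AS
BEGIN
    SET NOCOUNT ON;
    BEGIN TRY
        OPEN SYMMETRIC KEY ColumnKey DECRYPTION BY CERTIFICATE KeyProtection;
        INSERT INTO dbo.SecretMessages (Ciphertext)
        SELECT ENCRYPTBYKEY(KEY_GUID('ColumnKey'), i.MessageRecord)
        FROM inserted AS i;
        CLOSE SYMMETRIC KEY ColumnKey;
    END TRY
    BEGIN CATCH
        IF EXISTS (SELECT 1 FROM sys.openkeys WHERE key_name = 'ColumnKey')
            CLOSE SYMMETRIC KEY ColumnKey;
        THROW;
    END CATCH;
END;
GO

-- Rows are matched on MessageId, never on decrypted text: ciphertexts are not
-- comparable (random IV), decrypting the whole table to find a row is O(n),
-- and a multi-row UPDATE or two rows with the same plaintext would otherwise
-- be rewritten with the wrong values.
CREATE TRIGGER dbo.UpdMessageRecordsTrg ON dbo.MessageRecords
INSTEAD OF UPDATE
AS
BEGIN
    SET NOCOUNT ON;
    -- The surrogate key is not application data; refuse to rewrite it.
    IF UPDATE(MessageId)
        THROW 50001, 'MessageId cannot be updated through dbo.MessageRecords.', 1;
    -- Nothing to re-encrypt if the message column was not touched.
    IF NOT UPDATE(MessageRecord)
        RETURN;
    BEGIN TRY
        OPEN SYMMETRIC KEY ColumnKey DECRYPTION BY CERTIFICATE KeyProtection;
        UPDATE s
        SET s.Ciphertext = ENCRYPTBYKEY(KEY_GUID('ColumnKey'), i.MessageRecord)
        FROM dbo.SecretMessages AS s
        INNER JOIN inserted AS i
            ON i.MessageId = s.MessageId;
        CLOSE SYMMETRIC KEY ColumnKey;
    END TRY
    BEGIN CATCH
        IF EXISTS (SELECT 1 FROM sys.openkeys WHERE key_name = 'ColumnKey')
            CLOSE SYMMETRIC KEY ColumnKey;
        THROW;
    END CATCH;
END;
GO

-- From here on this is what the application does: ordinary DML against the
-- view, with no keys and no encryption functions in its SQL.
INSERT INTO dbo.MessageRecords (MessageRecord)
VALUES ('Hello world 1'), ('Hello world 2'), ('Hello world 3'),
       ('Hello world 4'), ('Hello world 5');

SELECT MessageId, MessageRecord
FROM dbo.MessageRecords
ORDER BY MessageId;

INSERT INTO dbo.MessageRecords (MessageRecord) VALUES ('Goodbye cruel world');

-- A predicate on MessageRecord is evaluated by decrypting every row (no index
-- can serve it); filter on MessageId wherever the application can.
UPDATE dbo.MessageRecords
SET MessageRecord = 'My new message2'
WHERE MessageRecord = 'Hello world 2';

-- DELETE needs no trigger: the view maps 1:1 onto base-table rows.
DELETE FROM dbo.MessageRecords
WHERE MessageRecord = 'Hello world 3';

SELECT MessageId, MessageRecord
FROM dbo.MessageRecords
ORDER BY MessageId;

-- What is actually at rest: the key and ciphertext only.
SELECT MessageId, Ciphertext
FROM dbo.SecretMessages
ORDER BY MessageId;
GO

USE master;
GO
DROP DATABASE EncryptedData;
GO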