Encrypt the columns (#28)

* Encrypt the columns in CI/CD
* Include a PFX backup until I can fix #30 
* Use an encrypted secret for the PFX password

Author: zippy1981

.gitignore

@@ -350,4 +350,7 @@ MigrationBackup/
 # End of https://www.gitignore.io/api/visualstudio
 
 #Docker stuff
-volumes/
+volumes/
+
+# Certificates exported by New-EncryptionKeys
+*.cer

AlwaysEncryptedSampleCMK.pfx

@@ -12,7 +12,7 @@ param(
 	[string] $AppColumnKeyName = "AppColumnsKey",
 	[string] $LogColumnKeyName = "LogColumnsKey",
     [switch] $Script,
-    [string] $LogFileDirectory = "$pwd"
+    [string] $LogFileDirectory = $pwd
 
 )
 

Invoke-EncryptColumns.ps1

@@ -7,6 +7,8 @@ param(
 	[Parameter(Mandatory = $true, ValueFromPipeline = $true)] [string] $ConnectionString,
 	[string] $MasterKeyDNSName = "CN=Always Encrypted Sample Cert",
 	[switch] $RemoveExistingCerts,
+	[switch] $ExportCertificate,
+	[switch] $ExportCertificateKeys,
 	[string] $MasterKeySQLName = "AlwaysEncryptedSampleCMK",
 	[string] $AuthColumnKeyName = "AuthColumnsKey",
 	[string] $AppColumnKeyName = "AppColumnsKey",
@@ -26,34 +28,63 @@ catch {
 if ($RemoveExistingCerts) {
 	Write-Verbose "Removing All Existing Certificates Named $($MasterKeyDNSName)"
     $existingColumns = Get-SqlColumnEncryptionKey -InputObject $smoDatabase
-    $existingColumns | %{
+    $existingColumns | ForEach-Object {
         Remove-SqlColumnEncryptionKey -Name $_.Name -InputObject $smoDatabase
     }
     Remove-SqlColumnMasterKey -Name $MasterKeySQLName -InputObject $smoDatabase
 	Get-ChildItem Cert:\CurrentUser\My |  Where-Object subject -eq $MasterKeyDNSName | Remove-Item
 }
 
-$cert = New-SelfSignedCertificate `
-	-Subject $MasterKeyDNSName `
-	-CertStoreLocation Cert:\CurrentUser\My `
-	-KeyExportPolicy Exportable `
-    -Type DocumentEncryptionCert `
-    -KeyUsage DataEncipherment `
-    -KeySpec KeyExchange
-$cmkPath = "CurrentUser/My/$($cert.ThumbPrint)"
-Write-Verbose "Certificate Master Key Path: $($cmkPath)"
-
-# Create a SqlColumnMasterKeySettings object for your column master key. 
-$cmkSettings = New-SqlCertificateStoreColumnMasterKeySettings `
-    -CertificateStoreLocation "CurrentUser" `
-    -Thumbprint $cert.Thumbprint
-
-New-SqlColumnMasterKey -Name $MasterKeySQLName -InputObject $smoDatabase -ColumnMasterKeySettings $cmkSettings | Out-Null
-
-@($AuthColumnKeyName, $AppColumnKeyName, $LogColumnKeyName) | %{
-    New-SqlColumnEncryptionKey `
-        -InputObject $smoDatabase `
-        -ColumnMasterKey $MasterKeySQLName `
-        -Name $_ | Out-Null
+$Cert = (Get-ChildItem Cert:\CurrentUser\My |  Where-Object subject -eq 'CN=Always Encrypted Sample Cert') | Select-Object Thumbprint -First 1
+if ($Cert) {
+	Write-Verbose "Certificate `"$($MasterKeyDNSName)`" Already exists"
+}
+else {
+	Write-Host "Creating Self Signed Certificate `"$($MasterKeyDNSName)`""
+	$Cert = New-SelfSignedCertificate `
+		-Subject $MasterKeyDNSName `
+		-CertStoreLocation Cert:\CurrentUser\My `
+		-KeyExportPolicy Exportable `
+		-Type DocumentEncryptionCert `
+		-KeyUsage DataEncipherment `
+		-KeySpec KeyExchange
+	 = "CurrentUser/My/$($cert.ThumbPrint)"
+	Write-Verbose "Certificate Master Key Path: $($cmkPath)"
+}
+
+if ($ExportCertificate) {
+	Get-ChildItem Cert:\CurrentUser\My | 
+		Where-Object subject -eq "CN=Always Encrypted Sample Cert" | 
+		Export-Certificate -FilePath "$($MasterKeySQLName).cer" | Out-Null
+}
+
+if ($ExportCertificateKeys) {
+	Get-ChildItem Cert:\CurrentUser\My | 
+		Where-Object subject -eq "CN=Always Encrypted Sample Cert" | 
+		Export-PfxCertificate -FilePath "$($MasterKeySQLName).pfx" -Password (ConvertTo-SecureString -String "1234" -Force -AsPlainText) | Out-Null
+}
+
+if($smoDatabase.ColumnMasterKeys['AlwaysEncryptedSampleCMK']) {
+	Write-Warning "Master Key Reference $($MasterKeySQLName) already exists in the database."
+}
+else {
+	# Create a SqlColumnMasterKeySettings object for your column master key. 
+	$cmkSettings = New-SqlCertificateStoreColumnMasterKeySettings `
+		-CertificateStoreLocation "CurrentUser" `
+		-Thumbprint $Cert.Thumbprint
+		
+	New-SqlColumnMasterKey -Name $MasterKeySQLName -InputObject $smoDatabase -ColumnMasterKeySettings $cmkSettings | Out-Null
+}
+
+$ExistingColumnKeys = $smoDatabase.ColumnEncryptionKeys 
+@($AuthColumnKeyName, $AppColumnKeyName, $LogColumnKeyName) | ForEach-Object {
+	if ($ExistingColumnKeys[$_]) {
+		Write-Warning "Column Encryption Key already $_ exists."
+	}
+	else {
+		$smoDatabase | New-SqlColumnEncryptionKey `
+			-ColumnMasterKey $MasterKeySQLName `
+			-Name $_ | Out-Null
+	}
 }
 

New-EncryptionKeys.ps1

@@ -39,10 +39,15 @@ ALTER ROLE  db_owner
        ADD MEMBER AlwaysEncryptedOwner;
 ```
 
-Initially the columns are not encrypted. To encrypt them run the included
-`Encryption.ps1`. This script supports the `-Debug` and `-Verbose` parameters
-This will create a self signed certificate in your user script repository and
-encrypt all the appropriate columns.
+Initially the columns are not encrypted. To encrypt them run the included powershell scripts.
+These script supports the `-Debug` and `-Verbose` parameters.
+This will create a self signed certificate in your user script repository and encrypt all the appropriate columns.
+
+```PowerShell
+$ConnectionString = 'Data Source=localhost,1433;Initial Catalog=AlwaysEncryptedSample;UID=AlwaysEncryptedOwner;PWD=7aO!z@xUu!4r6EvD#D&l$sz6&h^rhxL6fzAHMpnOga@LO*WdsEdpfh4^Egtl;Application Name=AppVeyor CI Process;Column Encryption Setting=Enabled'
+.\New-EncryptionKeys.ps1 $ConnectionString -ExportCertificate
+.\Invoke-EncryptColumns.ps1 -ConnectionString $ConnectionString
+```
 
 ## Schemas
 

ReadMe.md

@@ -2,6 +2,9 @@ version: 0.1.{build}
 image: Visual Studio 2015
 install:
 - ps: $env:SQL_SERVER_BACKUP_DIRECTORY=(Get-ItemProperty "HKLM:\Software\Microsoft\Microsoft SQL Server\MSSQL13.SQL2016\MSSqlServer").BackupDirectory
+# The Visual Studio 2015 Imge doesn't have the newer version of New-SelfSignedCertificate with the paramaters I need to call.
+# For now I'm restoring a password protected pfx. Yes this is an issue for secrets management, I'll addres in the near future.
+- ps: Import-PfxCertificate -FilePath "$($env:SQL_SERVER_COLUMN_CERTIFICATE).pfx" -CertStoreLocation "Cert:\CurrentUser\My" -Password (ConvertTo-SecureString -String $env:PFX_PASSWORD -Force -AsPlainText) | Out-Null
 assembly_info:
   patch: true
   file: 'GlobalAssemblyInfo.cs'
@@ -12,15 +15,18 @@ environment:
   MSBUILD_LOG_VERSION: 2.0.94
   MSBUILD_LOG_FILE: msbuild.binlog
   NUGET_VERBOSITY: quiet
+  PFX_PASSWORD: # The decrypted value is 1234. I'm just doing this to demo secret management.
+    secure: 7/Xb2kAfb/4yKaHFokWjUA==
   SQL_SERVER_INSTANCE: (local)\SQL2016
   SQL_SERVER_USER: AlwaysEncryptedOwner
   SQL_SERVER_PASSWORD: 7aO!z@xUu!4r6EvD#D&l$sz6&h^rhxL6fzAHMpnOga@LO*WdsEdpfh4^Egtl
   SQL_SERVER_DATABASE: AlwaysEncryptedSample
   SQL_SERVER_BACKUP_FILE: $(SQL_SERVER_DATABASE).bak
   SQL_SERVER_DACPAC: $(SQL_SERVER_DATABASE).dacpac
   SQL_SERVER_GENERATED_SCHEMA: $(SQL_SERVER_DATABASE).sql
-  SQL_SERVER_CONNECTION_STRING: "Data Source=$(SQL_SERVER_INSTANCE);Initial Catalog=$(SQL_SERVER_DATABASE);UID=$(SQL_SERVER_USER);PWD=$(SQL_SERVER_PASSWORD);Application Name=AppVeyor CI Process;Column Encryption Setting=Enabled"
+  SQL_SERVER_CONNECTION_STRING: "Data Source=$(SQL_SERVER_INSTANCE);Initial Catalog=$(SQL_SERVER_DATABASE);Integrated Security=SSPI;Application Name=AppVeyor CI Process;Column Encryption Setting=Enabled"
   SQL_SERVER_VERIFICATION_LOG: $(SQL_SERVER_DATABASE).verification.log
+  SQL_SERVER_COLUMN_CERTIFICATE: AlwaysEncryptedSampleCMK
   matrix:
   - {}
 services: 
@@ -33,6 +39,10 @@ cache:
 - packages -> **\packages.config
 before_build:
 - cmd: sqlcmd -S "%SQL_SERVER_INSTANCE%" -i .\appveyor\init.sql
+# See here regarding -AboutClobber https://dba.stackexchange.com/a/174717/1817
+- ps: Install-Module sqlserver -Scope CurrentUser -AllowClobber
+- ps: .\New-EncryptionKeys.ps1 -ConnectionString $env:SQL_SERVER_CONNECTION_STRING -ExportCertificate
+- ps: .\Invoke-EncryptColumns.ps1 -ConnectionString $env:SQL_SERVER_CONNECTION_STRING
 - cmd: nuget restore -Verbosity %NUGET_VERBOSITY%
 - cmd: nuget install MSBuild.StructuredLogger -Version %MSBUILD_LOG_VERSION%  -SolutionDirectory . -Verbosity %NUGET_VERBOSITY%
 build:
@@ -59,6 +69,9 @@ artifacts:
   - path: $(SQL_SERVER_VERIFICATION_LOG)
     name: Verifiction Query Results
     type: file
+  - path: $(SQL_SERVER_COLUMN_CERTIFICATE).cer
+    name: Column Master Key Certificate
+    type: file
   - path: $(MSBUILD_LOG_FILE)
     name: MSBuild BInary Log
     type: file