|
| 1 | + |
| 2 | + |
| 3 | +# Always Encrypted with secure enclaves in SQL Server without attestation - Demos |
| 4 | + |
| 5 | +The demos in this folder showcase [Always Encrypted with secure enclaves](https://docs.microsoft.com/azure/azure-sql/database/always-encrypted-with-secure-enclaves-landing) in SQL Server. The demos use the Contoso HR web application. |
| 6 | + |
| 7 | +### Contents |
| 8 | + |
| 9 | +[About this sample](#about-this-sample)<br/> |
| 10 | +[Before you begin](#before-you-begin)<br/> |
| 11 | +[Setup](#setup)<br/> |
| 12 | +[Prepare for the demo](#prepare-for-the-demo)<br/> |
| 13 | +[Demo steps](#demo-steps)<br/> |
| 14 | +[Key takeaways](#key-takeaways)<br/> |
| 15 | +[Reset the demo](#reset-the-demo)<br/> |
| 16 | + |
| 17 | +## About this sample |
| 18 | + |
| 19 | +- **Applies to:** SQL Server 2019 or later |
| 20 | +- **Key features:** Always Encrypted with secure enclaves |
| 21 | +- **Workload:** Human resources (HR) application |
| 22 | +- **Programming Language:** C#, Transact-SQL |
| 23 | +- **Authors:** Jakub Szymaszek, Pieter Vanhove |
| 24 | +- **Update history:** |
| 25 | + |
| 26 | +## Before you begin |
| 27 | + |
| 28 | +You need one machine (it can be a virtual machine) that runs SQL Server. It must meet the [SQL Server computer requirements](https://docs.microsoft.com/sql/relational-databases/security/tutorial-getting-started-with-always-encrypted-enclaves?#sql-server-computer-requirements). In addition, you will need to install Visual Studio 2022 or later, to compile and run the sample web application. Secondly, make sure you have installed SQL Server Management Studio 19 or later. |
| 29 | + |
| 30 | +## Setup |
| 31 | + |
| 32 | +This section describes the initial setup steps. |
| 33 | + |
| 34 | +1. Enable virtualization-based security (VBS) on the machine and Always Encrypted with secure enclaves in your SQL Server instance following Steps 1-2 in [Tutorial: Getting started with Always Encrypted with secure enclaves in SQL Server](https://docs.microsoft.com/en-us/sql/relational-databases/security/tutorial-getting-started-with-always-encrypted-enclaves). |
| 35 | +1. Import the **ContosoHR** demo database. |
| 36 | + 1. Clone/Download the repository. |
| 37 | + 1. Open SSMS and connect to your SQL Server instance. |
| 38 | + 1. In SSMS, right-click on **Databases** in Object Explorer and select **Import Data-tier Application...**. |
| 39 | + 1. Locate the **ContosoHR** bacpac file the **/setup** folder. |
| 40 | + 1. Complete the steps of the wizard to import the **ContosoHR** database. |
| 41 | +1. Configure the Contoso HR web application |
| 42 | + 1. Start Visual Studio and open the **ContosoHR** solution file located in **../source**. |
| 43 | + 1. Using Solution Explorer, locate and open the **appsettings.json** file under the **ContosoHR** project. |
| 44 | + 1. Look for the line that contains the database connection string for the web application. The line should look like this: |
| 45 | + ```json |
| 46 | + "ContosoHRDatabase": "Server=tcp:<yourservername>.database.windows.net;Database=ContosoHR;Column Encryption Setting=Enabled; Attestation Protocol = AAS; Enclave Attestation Url=<yourattestationurl>; Authentication=Active Directory Managed Identity" |
| 47 | + ``` |
| 48 | + replace it with |
| 49 | + |
| 50 | + ```json |
| 51 | + "ContosoHRDatabase": "Data Source=.;Initial Catalog=ContosoHR;Column Encryption Setting=Enabled;Attestation Protocol=None;Integrated Security=true" |
| 52 | + ``` |
| 53 | + |
| 54 | + 1. Make sure the value of the **Data Source** keyword in the database connection string correctly identifies your SQL Server instance. |
| 55 | + 1. The **Attestation Protocol** should be set to **None**. |
| 56 | + 1. Save the file. |
| 57 | + |
| 58 | +1. In Visual Studio, select **Build**>**Build Solution** to build the demo application. |
| 59 | + |
| 60 | +## Prepare for the demo |
| 61 | + |
| 62 | +This section describes the steps you should execute before each demo presentation. |
| 63 | + |
| 64 | +During the demo, you will use two instances of SSMS: |
| 65 | + |
| 66 | +- DBA's instance - when using it, you will assume the role of a DBA. |
| 67 | +- Security Administrator's instance - when using it, you will assume the role of a Security Administrator, who configures Always Encrypted in the database. |
| 68 | + |
| 69 | +Perform the below steps before you show the demo. |
| 70 | + |
| 71 | +1. Close all running SSMS instances. |
| 72 | +1. Prepare DBA's instance of SSMS. |
| 73 | + 1. Start SSMS. |
| 74 | + 1. In the **Connect to Server** dialog: |
| 75 | + 1. In the main page of the dialog, enter your database server name. For example, enter `.` to connect to the default instance on the local machine. Set your authentication parameters. |
| 76 | + 1. Click the **Options >>** button, select the **Connection Properties** tab and enter the database name (**ContosoHR**). |
| 77 | + |
| 78 | +  |
| 79 | + |
| 80 | + 1. Select the **Always Encrypted** tab. Make sure the **Enable Always Encrypted** checkbox is **not** selected. |
| 81 | + |
| 82 | +  |
| 83 | + |
| 84 | + 1. Click Connect. |
| 85 | + 1. Configure an extended event session to intercept application's queries. |
| 86 | + 1. Click Ctrl + O. In the **Open File** dialog, navigate to the **tsql-scripts** folder and select ***CreateXESession.sql**. Click **F5** to execute the query. |
| 87 | + 1. In Object Explorer, locate the newly created **Demo** extended event session - under your server, go to **Management/Extended Events/Sessions**. |
| 88 | + 1. Righ-click the **Demo** session and select **Watch Live Data**. This will open the **Demo Live Data** window. |
| 89 | + |
| 90 | +  |
| 91 | + |
| 92 | + 1. Close the tab with the ***CreateXESession.sql** query. |
| 93 | + 1. Prepare the query windows for the demo. |
| 94 | + 1. With the **ContosoHR** database selected in Object Explorer, click Ctrl + O. In the **Open File** dialog, navigate to the **tsql-scripts** folder and select **ListAllEmployees.sql**. Do not execute the query yet. |
| 95 | +1. Prepare Security Administrator's instance of SSMS. |
| 96 | + 1. Start SSMS. |
| 97 | + 1. In the **Connect to Server** dialog: |
| 98 | + 1. In the main page of the dialog, enter your database server name. For example, enter `.` to connect to the default instance on the local machine. Set your authentication parameters. |
| 99 | + 1. Click the **Options >>** button, select the **Connection Properties** tab and enter the database name (**ContosoHR**). |
| 100 | + |
| 101 | +  |
| 102 | + |
| 103 | + 1. Select the **Always Encrypted** tab. Make sure the **Enable Always Encrypted** and the **Enable secure enclaves** checkbox are selected. Set the Enclave attestation Protocol to **None**. |
| 104 | + |
| 105 | +  |
| 106 | + |
| 107 | + 1. Click Connect. |
| 108 | + 1. Configure query windows. |
| 109 | + 1. In Object Explorer, find and select the **ContosoHR** database. |
| 110 | + |
| 111 | +  |
| 112 | + |
| 113 | + 1. With the **ContosoHR** database selected, click Ctrl + O. In the **Open File** dialog, navigate to the **tsql-scripts** folder and select **EncryptColumns.sql**. Do not execute the query yet. |
| 114 | +1. Run the web application |
| 115 | + 1. Open the **ContosoHR** solution, located in **../source**, in Visual Studio. |
| 116 | + 1. Click **F5** to run the solution. The Contoso HR web application should open in a browser window. |
| 117 | + |
| 118 | +  |
| 119 | + |
| 120 | +## Demo steps |
| 121 | + |
| 122 | +1. Show the Contoso HR web app in the browser. This application displays employee records and allows you to filter employees by salary or by a portion of the social security number (SSN). Move the salary slider and enter a couple of digits in the search box to filter by salary and SSN. You can also click on the **Ssn** or **Salary** headers to sort by SSN or salary. |
| 123 | + |
| 124 | +  |
| 125 | + |
| 126 | +1. Switch to DBA's instance of SSMS, select the **ListAllEmployees.sql** tab and click **F5** to execute the query, which shows the content of the **Employees** table, the web application uses as a data store. As a DBA, you can view all sensitive information about employees, including the data stored in the **SSN** and **Salary** columns. A malicious DBA could easily exfiltrate the data by running a simple query like this one. |
| 127 | + |
| 128 | +  |
| 129 | + |
| 130 | +1. Inspect the queries the demo application has sent to the database. |
| 131 | + 1. Select the **Demo Live Data** window, which should contain a table with some events your demo application triggered. |
| 132 | + 1. If the table does not contain the **statement** column, right click on the header of the table and select **Choose Columns...**. Move **statement** to **Selected columns** and click **OK**. |
| 133 | + |
| 134 | +  |
| 135 | + |
| 136 | + 1. Double click on the statement column in the last row of the table to see the last query the application sent to the database. Inspect the query statement. Note that the query contains the **WHERE** clause with rich computations on encrypted columns: pattern matching using the **LIKE** predicate on the **SSN** column and the range comparison on the **Salary** column. The query also sorts records (the **ORDER BY** clause) by **SSN** or **Salary**. |
| 137 | + 1. Locate the value of query parameters: **@SSNSearchPattern**, **@MinSalary**, **@MaxSalary**. Note that the values of the parameters are in plaintext, as the columns, the parameters correspond to, are not encrypted. |
| 138 | + |
| 139 | +  |
| 140 | + |
| 141 | + 1. Click **OK** to close the statement window. |
| 142 | + |
| 143 | +1. As a Security Administrator, provision a column master key for Always Encrypted. |
| 144 | + 1. In Object Explorer of the Security Administrator's instance of SSMS, expand the node of the **ContosoHR** database and navigate to **Security/ Always Encrypted Keys/Column Master Keys**. |
| 145 | + 1. Right-click on the **Column Master Keys** folder and select **New Column Master Key…**. |
| 146 | +  |
| 147 | + 1. Enter a column master key name: **CMK1**. |
| 148 | + 1. Select **Windows Certificate Store - Current User**. |
| 149 | + 1. Make sure **Allow enclave computations** is selected. |
| 150 | +  |
| 151 | + 1. Click **Generate Certificate** to create a new certificate to be used as a column master key. |
| 152 | + 1. Click **OK**. |
| 153 | +1. As a Security Administrator, provision a column encryption key for Always Encrypted. |
| 154 | + 1. In Object Explorer of the Security Administrator's instance of SSMS, expand the node of the **ContosoHR** database and navigate to **Security/ Always Encrypted Keys/Column Encryption Keys**. |
| 155 | + 1. Right-click on the **Column Encryption Keys** folder and select **New Column Encryption Key…**. |
| 156 | + 1. Enter a column encryption key name: **CEK1**. |
| 157 | + 1. Select **CMK1** as the column master key to protect your new column encryption key. |
| 158 | + 1. Click **OK**. |
| 159 | +1. As a Security Administrator, encrypt the **SSN** and **Salary** columns in place, using the secure enclave. |
| 160 | + 1. In Security Administrator's instance of SSMS, select the **EncryptColumns.sql** tab and click **F5** to execute the query. |
| 161 | +1. Switch back to DBA's instance of SSMS, select the **ListAllEmployees.sql** tab and click **F5** to execute the query again. Now the query should show the encrypted data in the **SSN** and **Salary** columns. As both columns are encrypted, the DBA cannot see the data in plaintext. |
| 162 | + |
| 163 | +  |
| 164 | + |
| 165 | +1. In the web browser containing the web app, move the slider to reset the filter for salary and then re-enter a few digits of an SSN. Confirm the application still can filter employee records by salary and SSN. |
| 166 | + |
| 167 | +1. Inspect the queries the demo application sends to the database, after encrypting the columns. |
| 168 | + 1. In DBA's instance of SSMS, select the **Demo Live Data** window, which should contain a table with some events your demo application triggered. |
| 169 | + |
| 170 | + 1. Double click on the statement column in the last row of the table to see the last query the application sent to the database. Inspect the query statement. Note that the query statement the query sends to the database has not changed - it still contains pattern matching using the **LIKE** predicate on the **SSN** column and the range comparison on the **Salary** column, as well as sorting (the **ORDER BY** clause) by **SSN** or **Salary**. |
| 171 | + 1. Locate the value of query parameters: **@SSNSearchPattern**, **@MinSalary**, **@MaxSalary**. Note that the values of the parameters are now encrypted – the client driver inside the web app transparently encrypts parameters corresponding to encrypted columns, before sending the query to the database. Not only does not the DBA have access to sensitive data in the database, but the DBA cannot see the plaintext values of query parameters used to process that data either. |
| 172 | + |
| 173 | +  |
| 174 | + |
| 175 | + 1. Click **OK** to close the statement window. |
| 176 | + |
| 177 | +## Key takeaways |
| 178 | + |
| 179 | +Secure enclaves make it possible to encrypt sensitive data columns in-place, eliminating a need to move the data outside of the database for cryptographic operations. |
| 180 | + |
| 181 | +The unique benefit of Always Encrypted with secure enclaves is that it allows you to protect your sensitive data from high-privilege users, including DBAs in your organization, and, after you encrypt your data to protect it, your applications can continue running rich queries on encrypted columns. |
| 182 | + |
| 183 | +## Reset the demo |
| 184 | + |
| 185 | +In Security Administrator's instance of SSMS: |
| 186 | + |
| 187 | +1. Open and execute **tsql-scripts/DecryptColumns.sql**. |
| 188 | +1. Open and execute **tsql-scripts/DropKeys.sql**. |
| 189 | +1. Close both SSMS windows. |
0 commit comments