WebApp Sec mailing list archives

RE: Encrypted storage


From: "Singh, Yashpal" <ysingh () ipolicynet com>
Date: Thu, 9 Sep 2004 15:12:02 +0530

Hi,

We are using a third party encryption-decryption dll for securing the credit card numbers.

Circumstances
1. We need to secure only 2 columns in the table and that too with a third party dll.
2. No other special circumstances.

Performance Hit
1. The DLL gets loaded into SQL Server's memory. You need to take care of releasing it. (This is not a major issue)

2. The query execution time is a bit slower, which is obvious because now you will execute a function to encrypt/decrypt 
the data. (This is not a major issue because we never execute such a query in bulk. I mean we execute such a query for 
each user as and when required.)

3. So overall there is no performance hit unless you are not releasing the DLL (see step 1). We got a major memory 
leakage issue in production because of step 1.

Gotchas
1. You just need to ensure that you have the right version of DLLs installed. For example, you have Enc1.dll for encryption 
and Dec1.dll for decryption. Any data encryption done via Enc1.dll can be decrypted via Dec1.dll.

Encrypted Communication
SSL: You can use secure socket layer for all communication between a client machine and SQL Server machine.


Hope this helps,
Yash
-----Original Message-----
From: Jeffrey Koniszewski [mailto:jkoniszewski () kronos com]
Sent: Thursday, September 09, 2004 2:09 AM
To: webappsec () securityfocus com
Subject: Encrypted storage
I was wondering (because customers have asked me) whether anyone is configuring their database to store all information 
encrypted. Databases have this capability but the overhead can be so heavy that vendors don't recommend using it 
generically. Also, if most of the data is not sensitive it is a lot of work to protect small amounts of data. Is anyone 
aware of someone using this capability? Under what circumstances? What's the performance hit? What other gotchas? How 
about encrypted communication to the DB from the app server?
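The pattern Yash describes above (encrypt only the two sensitive columns through a function at write time, decrypt one row per user on demand rather than in bulk, and make sure the decrypting side matches the encrypting side) can be shown end to end in a small program. This is an added example, not code from the thread or from any third-party DLL: it uses an in-memory SQLite table standing in for the SQL Server table, constructed demo keys, and a stdlib-only encrypt-then-MAC construction (HMAC-SHA256 in counter mode plus an HMAC tag) as a stand-in for a real cipher such as AES-GCM from a vetted library. The one-byte key-version header is the part that addresses the Enc1.dll/Dec1.dll gotcha: the decrypt routine selects the key that matches the one used to encrypt, and fails closed if it does not have it.

```python
import hashlib
import hmac
import os
import sqlite3
import struct

# Constructed demo keys (hypothetical): in production they live in a key store, not in source.
# Keying by version is what lets the decrypt routine pick the key that matches the encrypting one.
KEYS = {1: bytes.fromhex("11" * 32), 2: bytes.fromhex("22" * 32)}
CURRENT_KEY_VERSION = 2
NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(master):
    """Derive separate encryption and MAC keys so one key is never used for both purposes."""
    enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode as a stdlib-only PRF keystream (stand-in for a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(plaintext, version=CURRENT_KEY_VERSION):
    """Return version || nonce || ciphertext || tag for a single column value."""
    enc_key, mac_key = _subkeys(KEYS[version])
    nonce = os.urandom(NONCE_LEN)
    data = plaintext.encode("utf-8")
    body = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    header = struct.pack(">B", version) + nonce
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    return header + body + tag


def decrypt_field(blob):
    """Reverse encrypt_field; fails closed on an unknown key version or a bad tag."""
    if len(blob) < 1 + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    version = blob[0]
    if version not in KEYS:
        raise ValueError("no decryption key for version %d" % version)
    enc_key, mac_key = _subkeys(KEYS[version])
    header, body, tag = blob[:1 + NONCE_LEN], blob[1 + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    nonce = header[1:]
    data = bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))
    return data.decode("utf-8")


def open_db():
    """In-memory SQLite standing in for the SQL Server table; only two columns hold ciphertext."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, "
        "card_number BLOB, expiry BLOB)"
    )
    return conn


def store_customer(conn, name, card_number, expiry):
    """Encrypt the two sensitive columns at write time; name stays plaintext and searchable."""
    cur = conn.execute(
        "INSERT INTO customers (name, card_number, expiry) VALUES (?, ?, ?)",
        (name, encrypt_field(card_number), encrypt_field(expiry)),
    )
    return cur.lastrowid


def fetch_card(conn, customer_id):
    """Per-user lookup: decrypt exactly one row, never a bulk scan."""
    row = conn.execute(
        "SELECT card_number, expiry FROM customers WHERE id = ?", (customer_id,)
    ).fetchone()
    if row is None:
        return None
    return decrypt_field(row[0]), decrypt_field(row[1])


def list_names(conn):
    """Queries that do not need card data never touch the decrypt routine at all."""
    return [r[0] for r in conn.execute("SELECT name FROM customers ORDER BY id")]
```

Two things worth noticing when running it: `list_names` costs nothing extra because the non-sensitive columns are stored in the clear, which is the point of encrypting only two columns; and feeding `decrypt_field` a blob whose version byte has no matching key, or whose body has been altered, raises instead of returning garbage, which is the behaviour you want from the mismatched-DLL case Yash mentions.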