I am developing a new web application using .NET 3.5 and SQL Server 2008 that will need to store some Social Security Numbers. I’ve been doing some initial reading on database encryption and it’s a little bit confusing.
It would be nice to encrypt the SSNs using an asymmetric key, since that way the public facing application wouldn’t be able to retrieve any of the data once it has been encrypted. I was figuring that only the admin interface would be able to decrypt and display the data. But it sounds like SQL Server only protects data using a symmetric key?
So, what is the best way to encrypt SSNs in SQL Server 2008? Bonus points if you link to a good tutorial or two.
You really don’t want to use asymmetric encryption because it’s very slow. Rather, you’ll want to protect a symmetric key with an asymmetric key, and then keep the symmetric key handy. To be honest, I would stick with what’s in SQL Server rather than designing things yourself. A really good start is here: http://dotnetslackers.com/articles/sql/IntroductionToSQLServerEncryptionAndSymmetricKeyEncryptionTutorial.aspx
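As an added example (not from the question, the answer, or the linked tutorial), here is the pattern the answer describes in SQL Server 2008 T-SQL: a certificate's asymmetric key wraps an AES symmetric key, the symmetric key does the per-row work, and permissions on those two objects decide which principals can open the key. The database, key, table and role names (SsnDb, SsnCert, SsnKey, dbo.Customer, SsnAdmins, WebAppRole) are assumed for illustration.

```sql
-- Added example: envelope encryption for an SSN column in SQL Server 2008.
-- Object names (SsnDb, SsnCert, SsnKey, dbo.Customer, SsnAdmins, WebAppRole)
-- are assumed for illustration; the two roles are expected to exist already.
USE SsnDb;
GO
-- 1. Database master key protects private keys stored in this database.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'CHANGE-ME-long-random-passphrase';

-- 2. Certificate = the asymmetric key; it is used only to wrap SsnKey.
CREATE CERTIFICATE SsnCert WITH SUBJECT = 'SSN column key protector';

-- 3. Symmetric key does the bulk work and is stored wrapped by SsnCert.
CREATE SYMMETRIC KEY SsnKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE SsnCert;

CREATE TABLE dbo.Customer (
    CustomerId   UNIQUEIDENTIFIER NOT NULL PRIMARY KEY,
    FullName     NVARCHAR(100)    NOT NULL,
    SsnEncrypted VARBINARY(256)   NOT NULL   -- EncryptByKey output only
);

-- 4. Opening the key needs VIEW DEFINITION on it and CONTROL on the
--    certificate. Only SsnAdmins gets them; WebAppRole gets neither, so
--    it can read the ciphertext column but never OPEN SYMMETRIC KEY.
GRANT VIEW DEFINITION ON SYMMETRIC KEY::SsnKey TO SsnAdmins;
GRANT CONTROL ON CERTIFICATE::SsnCert TO SsnAdmins;
GRANT SELECT, INSERT ON dbo.Customer TO WebAppRole;
GO

-- 5. Write: the key must be open in this session. The authenticator binds
--    the ciphertext to its row so a value cannot be copied between rows.
DECLARE @id UNIQUEIDENTIFIER = NEWID();
OPEN SYMMETRIC KEY SsnKey DECRYPTION BY CERTIFICATE SsnCert;
INSERT INTO dbo.Customer (CustomerId, FullName, SsnEncrypted)
VALUES (@id, N'Test Person',   -- constructed sample row
        EncryptByKey(Key_GUID('SsnKey'), N'000-00-0000',
                     1, HashBytes('SHA1', CONVERT(VARBINARY(16), @id))));
CLOSE SYMMETRIC KEY SsnKey;
GO
-- 6. Read (admin interface). DecryptByKey returns NULL when the key is
--    not open or the authenticator does not match: treat NULL as an error.
OPEN SYMMETRIC KEY SsnKey DECRYPTION BY CERTIFICATE SsnCert;
SELECT CustomerId,
       CONVERT(NVARCHAR(11), DecryptByKey(SsnEncrypted, 1,
               HashBytes('SHA1', CONVERT(VARBINARY(16), CustomerId)))) AS Ssn
FROM dbo.Customer;
CLOSE SYMMETRIC KEY SsnKey;
GO
```

An open symmetric key encrypts and decrypts alike, so the write-only web tier the question asks for is achieved not by the key itself but by putting the INSERT in a stored procedure created WITH EXECUTE AS OWNER that opens the key internally, and granting WebAppRole EXECUTE on that procedure only.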