I need to write a web application using SQL Server 2005, asp.net, and ado.net. Much of the user data stored in this application must be encrypted (read HIPAA).
In the past for projects that required encryption, I encrypted/decrypted in the application code. However, this was generally for encrypting passwords or credit card information, so only a handful of columns in a couple tables. For this application, far more columns in several tables need to be encrypted, so I suspect pushing the encryption responsibilities into the data layer will be better performing, especially given SQL Server 2005’s native support for several encryption types. (I could be convinced otherwise if anyone has real, empirical evidence.)
I’ve consulted BOL, and I’m fairly adept at using google. So I don’t want links to online articles or MSDN documentation (its likely I’ve already read it).
One approach I’ve wrapped my head around so far is to use a symmetric key which is opened using a certificate.
So the one time setup steps are (performed by a DBA in theory):
- Create a Master Key
- Backup the Master Key to a file, burn to CD and store off site.
- Open the Master Key and create a certificate.
- Backup the certificate to a file, burn to CD and store off site.
- Create the Symmetric key with encryption algorithm of choice using the certificate.
Then anytime a stored procedure (or a human user via Management Studio) needs to access encrypted data you have to first open the symmetric key, execute any tsql statements or batches, and then close the symmetric key.
Then as far as the asp.net application is concerned, and in my case the application code’s data access layer, the data encryption is entirely transparent.
So my questions are:
-
Do I want to open, execute tsql statements/batches, and then close the symmetric key all within the sproc? The danger I see is, what if something goes wrong with the tsql execution, and code sproc execution never reaches the statement that closes the key. I assume this means the key will remain open until sql kills the SPID that sproc executed on.
-
Should I instead consider making three database calls for any given procedure I need to execute (only when encryption is necessary)? One database call to open the key, a second call to execute the sproc, and a third call to close the key. (Each call wrapped in its own try catch loop in order to maximize the odds that an open key ultimately is closed.)
-
Any considerations should I need to use client side transactions (meaning my code is the client, and initiates a transaction, executes several sprocs, and then commits the transaction assuming success)?
1) Look into using TRY..CATCH in SQL 2005. Unfortunately there is no FINALLY, so you’ll have to handle both the success and error cases individually.
2) Not necessary if (1) handles the cleanup.
3) There isn’t really a difference between client and server transactions with SQL Server. Connection.BeginTransaction() more or less executes ‘BEGIN TRANSACTION’ on the server (and System.Transactions/TransactionScope does the same, until it’s promoted to a distributed transaction). As for concerns with open/closing the key multiple times inside a transaction, I don’t know of any issues to be aware of.