SQL Always Encrypted CMK证书存储最佳实践 [英] SQL Always encrypted CMK certificate storage best practice
问题描述
我正在将SQL Always Encrypted(SQL始终加密)发布到我们的数据库中,并且正在查询有关存储CMK证书的最佳实践方法。
I am in the process of rolling out SQL Always Encrypted to our Databases and have a query about the Best practice approach to storing the certificate for the CMK.
我们在Windows Server 2016主机上托管.Net Web应用,每个应用都有一个单独的AD服务帐户(SA)作为其应用程序池ID。我们在单独的服务器上有一个SQL Server实例。这种方法使我们能够隔离和限制每个应用程序对数据库的访问,并且运行良好。
We have .Net web applictions hosted on a Windows server 2016 box, which each have a distinct AD service account (SA) assigned as their Application Pool ID. We have a SQL server instance on a separate server. This approach allows us to segregate and restrict access per application to the database and is working well.
我不想将CMK证书导入到本地计算机Windows证书存储中,因为这意味着服务器上的所有用户(主要是服务器管理员)将拥有对证书的访问,从而具有解密数据库中数据的能力。
I don't want to import the CMK cert to the local machine Windows Certificate store, as that would mean all users on the server, primarily the server admins, would have the access to the cert and thus the ability to decrypt the data in the database.
我目前已以SA身份登录到服务器,并在本地用户下安装了证书。这是我能想到的最安全的选项,因为SA仅能够解密信息,这意味着只有应用程序可以解密数据,而其他用户则不能。但是,我遇到的问题是SA似乎需要一直登录到服务器,这不是一个可行的长期解决方案(如果重新启动服务器,则该帐户将被注销,并且我的应用程序将失败)
I have currently signed on to the server as the SA and installed the cert under local user. This is the most secure option I can think of, as ONLY the SA is able to decrypt the information, which in turn means only the Application can decrypt the data and no other users can. The issue I'm facing with this approach however is the SA seemingly needs to be logged in to the server all the time, which isn't a feasible long term solution (if the server gets rebooted, the account will be logged off and my application will fail)
是否有人找到关于安全存储CMK最佳位置的官方Microsoft指南?
Has anyone found any official Microsoft Guidance on where the best place to store the CMK securely is?
非常感谢
推荐答案
我建议使用 Azure Key Vault 作为您的 Keystore Provider(集中式密钥库),这将是最安全的密钥存储方式。
I'd recommend using the Azure Key Vault as your Keystore Provider(Centralized Key Stores), which will be the most secure way to store your Key's.
按此操作,
集中密钥库-在多台计算机上提供应用程序。集中式密钥存储区的
示例是Azure Key Vault。
集中式密钥存储区通常使密钥管理更容易,因为您不需要
来在多台
机器上维护列主密钥的多个副本。您需要确保将您的应用程序配置为
连接到集中式密钥存储区
Centralized Key Stores - serve applications on multiple computers. An example of a centralized key store is Azure Key Vault. A centralized key store usually makes key management easier because you don't need to maintain multiple copies of your column master keys on multiple machines. You need to ensure that your applications are configured to connect to the centralized key store
走远集中化密钥存储区
So go far Cnetralized Key Stores
您可以轻松地通过Azure密钥中的访问策略管理用户/应用程序保管箱。
这篇关于SQL Always Encrypted CMK证书存储最佳实践的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
