go-mssqldb icon indicating copy to clipboard operation
go-mssqldb copied to clipboard

Published 20 hours ago verified publisher icon denisenkom

feature: enable column encryption at the TDS level

Open simenfd opened this issue 7 years ago • 6 comments

This might not be an issue, as much as it is a missing feature:

It seems like sql server has a feature called "always encrypted" which can be enabled by writing "Column Encryption Setting=enabled;" in the connection string. The idea is that the driver pulls some keys from a certificate and automatically decrypts the encrypted columns. Currently, this is not working with this driver.

simenfd avatar May 24 '17 09:05 simenfd

@simenfd Can you link to official docs in the TDS documentation?

kardianos avatar May 24 '17 20:05 kardianos

They use AES-256 with CBC and HMAC with SHA-512 for column encryption. The latest version of TDS spec is https://msdn.microsoft.com/en-us/library/dd304523.aspx FEATUREEXTACK message is used for column encryption feature activation and version, and COLMETADATA is extended with keys.

dimdin avatar May 24 '17 20:05 dimdin

parameter "Column Encryption Setting=enabled" is woking?

package main

import ( "context" "database/sql" "fmt" "log"

_ "github.com/denisenkom/go-mssqldb"

)

var db *sql.DB

var server = "<Server Name>" var port = 1433 var user = "sa" var password = "<>" var database = "<Database name>"

// Always Encrypted var alwaysencrypted = "enabled"

func main() { connString := fmt.Sprintf("server=%s;user id=%s;password=%s;port=%d;database=%s;Column Encryption Setting=%s;", server, user, password, port, database, alwaysencrypted)

//fmt.Printf(connString)

var err error

db, err = sql.Open("sqlserver", connString)
if err != nil {
	log.Fatal("Error creating connection pool:", err.Error())
}
fmt.Printf("Connected!\n")

count, err := ReadaeTest1()
fmt.Printf("Read %d rows successfully.\n", count)

}

func ReadaeTest1() (int, error) { ctx := context.Background()

err := db.PingContext(ctx)
if err != nil {
	log.Fatal("Error pinging database: " + err.Error())
}

tsql := fmt.Sprintf("SELECT colA, colB, colC FROM aeTestDB.dbo.aeTest1;")

// QLクエリの実行
rows, err := db.QueryContext(ctx, tsql)
if err != nil {
	log.Fatal("Error reading rows: " + err.Error())
	return -1, err
}

defer rows.Close()

var count int = 0

// リザルトループ
for rows.Next() {
	var colA int
	var colB, colC string

	err := rows.Scan(&colA, &colB, &colC)
	if err != nil {
		log.Fatal("Error reading rows: " + err.Error())
		return -1, err
	}

	fmt.Printf("colA: %d, colB: %s, colC: %s\n", colA, colB, colC)
	count++
}

return count, nil

}

yang-jiayi avatar Jun 21 '18 06:06 yang-jiayi

Any update on adding support for Column Level Encryption to tds.go? thanks!

rcscoggin avatar Jul 10 '19 18:07 rcscoggin

Hello everyone, this feature is now implemented (check the related PR). At the moment only support for decryption is available though.

cc/ @rcscoggin , @simenfd

denysvitali avatar Feb 09 '21 16:02 denysvitali

I've started a more extensive AE implementation in the Microsoft fork and welcome feedback. We're starting with decryption using local certs or Azure Key Vault then expanding to encryption. https://github.com/microsoft/go-mssqldb/pull/116

shueybubbles avatar Jun 09 '23 22:06 shueybubbles