
feat: add Always Encrypted support

Open denysvitali opened this issue 3 years ago • 7 comments

This commit adds partial support for the Microsoft SQL "Always Encrypted" feature (basically, E2E encryption).

The current implementation is to be considered a preview since it might not be perfectly implemented.

Supported features:

  • PFX "keystore"
  • Seamless encryption

Missing features:

  • Support for Private Keys that are not RSA
  • Encryption support (only Decryption is possible at the moment)

It most probably needs to be improved a bit, but so far it's working for some of the use cases that I needed it for.

Feel free to test the feature and open an issue if you find any problem: my goal is to have enough testers to spot eventual bugs.

Fixes #265

denysvitali, Feb 09 '21 16:02

Thanks for the review! I'll try to find the time to improve the PR

denysvitali, Jul 08 '21 16:07

Any idea how to insert or update the encrypted data?

lokmannicholas, Sep 16 '22 17:09

@denysvitali are you interested in re-homing this PR in our fork? https://github.com/microsoft/go-mssqldb

shueybubbles, Apr 04 '23 16:04

Sure!

denysvitali, Apr 04 '23 16:04

I've started a more extensive AE implementation in the Microsoft fork and welcome feedback. We're starting with decryption using local certs or Azure Key Vault then expanding to encryption. https://github.com/microsoft/go-mssqldb/pull/116

shueybubbles, Jun 09 '23 22:06

@denysvitali @kardianos Does go-mssqldb have an equivalent function for converting the []namedValue slice to a comma delimited string like .Net at https://github.com/dotnet/SqlClient/blob/2b31810ce69b88d707450e2059ee8fbde63f774f/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SqlCommand.cs#L6150 ? For encrypting parameters I need to build a query to sp_describe_parameter_encryption which has the list of named parameters and their types like this.

exec sp_describe_parameter_encryption N'DECLARE @c1 AS NCHAR (10) = @p3ee82b8b457c44498ce61053237ba60e;
DECLARE @c2 AS INT = @p643017f69684494b9143f6de7c9078b1;
INSERT  INTO Table_1
VALUES (@c1, @c2);
',N'@p3ee82b8b457c44498ce61053237ba60e nchar(10),@p643017f69684494b9143f6de7c9078b1 int'

shueybubbles, Jun 16 '23 15:06
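An added example (not code from go-mssqldb, the Microsoft fork, or any commenter) of the helper the comment above asks for: turning a slice of driver.NamedValue plus their T-SQL types into the comma-delimited declaration list, and wrapping a batch in the sp_describe_parameter_encryption call shown above. The typedParam type, the SQL type strings and the @pN naming of positional parameters are assumptions made for the example.

```go
package main

import (
	"database/sql/driver"
	"fmt"
	"strings"
)

// typedParam is a constructed pairing of a driver.NamedValue with the T-SQL type
// declaration the server needs to resolve column encryption metadata (assumption).
type typedParam struct {
	driver.NamedValue
	SQLType string // e.g. "nchar(10)", "int"
}

// paramName returns the parameter as it appears in the batch: @name for named
// parameters, @pN for positional ones (naming convention assumed for the example).
func paramName(p driver.NamedValue) string {
	if p.Name != "" {
		return "@" + p.Name
	}
	return fmt.Sprintf("@p%d", p.Ordinal)
}

// ParamDeclList builds the second argument of sp_describe_parameter_encryption:
// a comma-delimited "@name type" list covering every parameter in the batch.
func ParamDeclList(params []typedParam) string {
	parts := make([]string, 0, len(params))
	for _, p := range params {
		parts = append(parts, paramName(p.NamedValue)+" "+p.SQLType)
	}
	return strings.Join(parts, ",")
}

// DescribeEncryptionQuery wraps a parameterised batch in the stored procedure call.
// Both arguments are N'...' literals, so embedded single quotes are doubled; otherwise
// a quote inside the batch text would terminate the literal early.
func DescribeEncryptionQuery(batch string, params []typedParam) string {
	return fmt.Sprintf("exec sp_describe_parameter_encryption N'%s',N'%s'",
		strings.ReplaceAll(batch, "'", "''"),
		strings.ReplaceAll(ParamDeclList(params), "'", "''"))
}

func main() {
	params := []typedParam{ // constructed sample input
		{driver.NamedValue{Ordinal: 1, Value: "abc"}, "nchar(10)"},
		{driver.NamedValue{Ordinal: 2, Value: int64(42)}, "int"},
	}
	fmt.Println(DescribeEncryptionQuery("INSERT INTO Table_1 VALUES (@p1, @p2);", params))
}
```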

@denysvitali I've got a PR for both encryption and decryption in the Microsoft fork at https://github.com/microsoft/go-mssqldb/pull/116. It handles both pfx files and the Windows certificate store, though I haven't yet written test automation for the E2E of the pfx file-based operations. I welcome folks like you to grab that branch and try out your scenarios and to give input on the PR.

shueybubbles, Jul 11 '23 22:07