go-mssqldb
feat: add Always Encrypted support
This commit adds partial support for the Microsoft SQL "Always Encrypted" feature (basically, E2E encryption).
The current implementation is to be considered a preview since it might not be perfectly implemented.
Supported features:
- PFX "keystore"
- Seamless encryption
Missing features:
- Support for Private Keys that are not RSA
- Encryption support (only Decryption is possible at the moment)
This most probably needs to be improved a bit, but so far it's working for some of the use cases that I needed it for.
Feel free to test the feature and open an issue if you find any problem: my goal is to have enough testers to spot eventual bugs.
Fixes #265
Thanks for the review! I'll try to find the time to improve the PR.
Any idea how to insert or update the encrypted data?
@denysvitali are you interested in re-homing this PR in our fork? https://github.com/microsoft/go-mssqldb
Sure!
I've started a more extensive AE implementation in the Microsoft fork and welcome feedback. We're starting with decryption using local certs or Azure Key Vault then expanding to encryption. https://github.com/microsoft/go-mssqldb/pull/116
@denysvitali @kardianos Does go-mssqldb have an equivalent function for converting the []namedValue slice to a comma-delimited string like .Net at https://github.com/dotnet/SqlClient/blob/2b31810ce69b88d707450e2059ee8fbde63f774f/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SqlCommand.cs#L6150 ?
For encrypting parameters I need to build a query to sp_describe_parameter_encryption which has the list of named parameters and their types, like this:
exec sp_describe_parameter_encryption N'DECLARE @c1 AS NCHAR (10) = @p3ee82b8b457c44498ce61053237ba60e;
DECLARE @c2 AS INT = @p643017f69684494b9143f6de7c9078b1;
INSERT INTO Table_1
VALUES (@c1, @c2);
',N'@p3ee82b8b457c44498ce61053237ba60e nchar(10),@p643017f69684494b9143f6de7c9078b1 int'
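A Go sketch of the conversion asked about above, added here as an example and not code from go-mssqldb or the linked PR: it renders []driver.NamedValue as the "@name type" list that sp_describe_parameter_encryption takes, then the full exec statement in the shape shown in the comment. The Go-to-T-SQL type mapping and the function names are assumptions made for the example.

```go
package main

import (
	"database/sql/driver"
	"fmt"
	"strings"
)

// sqlTypeFor maps a Go value to the T-SQL type declared for it (assumed mapping for this example).
func sqlTypeFor(v interface{}) (string, error) {
	switch x := v.(type) {
	case int64:
		return "bigint", nil
	case string:
		n := len([]rune(x)) // approximates nvarchar length (UTF-16 units)
		if n == 0 {
			n = 1 // nvarchar(0) is rejected by SQL Server
		}
		return fmt.Sprintf("nvarchar(%d)", n), nil
	}
	return "", fmt.Errorf("unsupported parameter type %T", v)
}

// BuildParamList renders the arguments as the comma-delimited "@name type" list
// sp_describe_parameter_encryption expects; unnamed parameters become @pN.
func BuildParamList(args []driver.NamedValue) (string, error) {
	parts := make([]string, 0, len(args))
	for _, a := range args {
		name := a.Name
		if name == "" {
			name = fmt.Sprintf("p%d", a.Ordinal)
		}
		t, err := sqlTypeFor(a.Value)
		if err != nil {
			return "", fmt.Errorf("@%s: %w", name, err)
		}
		parts = append(parts, "@"+name+" "+t)
	}
	return strings.Join(parts, ","), nil
}

// DescribeEncryptionQuery renders the exec statement as text; both arguments are
// N'...' literals, so embedded quotes are doubled (a driver would use RPC params).
func DescribeEncryptionQuery(tsql string, args []driver.NamedValue) (string, error) {
	params, err := BuildParamList(args)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("exec sp_describe_parameter_encryption N'%s',N'%s'", strings.ReplaceAll(tsql, "'", "''"), strings.ReplaceAll(params, "'", "''")), nil
}
```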
@denysvitali I've got a PR for both encryption and decryption in the Microsoft fork at https://github.com/microsoft/go-mssqldb/pull/116. It handles both pfx files and the Windows certificate store, though I haven't yet written test automation for the E2E of the pfx file-based operations. I welcome folks like you to grab that branch and try out your scenarios and to give input on the PR.