There is a growing demand for database encryption nowadays and large companies offer alternative solutions for Microsoft TDE. But what if you want to protect the database from local Administrator?
One of solutions called DbDefence that I found recently offers interesting features that are not available in other products. DbDefence goes far beyond simple file encryption: it can hide database structure and data from local DBA. It works on all editions of SQL Server and can potentially be an alternative for TDE. That’s an interesting feature and I would like to check it and see if it is really does what it says.
I know my readers like technical examples.
Installation was simple and fast. After encrypting some test database I logged as sa and tried to access system catalog and here is what I got:
The same error I got when queried other tables. Here is what I saw when tried to open the database from SSMS:
Database files were indeed encrypted. Vendor claims files are encrypted with AES-128.
As you see it is not only encrypted, but also protected from privileged user. How would the owner access encrypted database? You need to add your application to the list of approved applications and provide database name and the password:
After the application is being added to the list it may access the database absolutely transparently, but only from a computer where it was configured. All other client applications from different computers will be rejected. An authorized application can’t be substituted with another application. Digital signature of authorized application is checked before granting access. There are different options to configure access, but I haven’t checked them all.
Even more, there is nothing in SQL Profiler related to protected database. Not a single statement visible!
There are many other features that I have not tested:
- Encrypted backups
- API for .NET and native apps. Using this API you can manage encryption from your application or command line.
- Encryption with FIPS 140-2 validated module
- Encryption with certificate.
If you are a software vendor and would like to protect your database from local administrator I think you might be interested.
The software is free for SQL Server 2005 and 2008. For newer SQL Server versions prices start from $698 per server.
Download link: https://www.database-encryption.com/
Reference: Pinal Dave (https://blog.sqlauthority.com)