SQL SERVER – How to Protect Database from DBA and Hide Database Schema

There is a growing demand for database encryption nowadays, and large companies offer alternative solutions to Microsoft TDE. But what if you want to protect the database from the local Administrator?

One solution I found recently, called DbDefence, offers interesting features that are not available in other products. DbDefence goes far beyond simple file encryption: it can hide the database structure and data from the local DBA. It works on all editions of SQL Server and can potentially be an alternative to TDE. That’s an interesting feature, and I would like to check it and see if it really does what it says.

I know my readers like technical examples.

Installation was simple and fast. After encrypting a test database, I logged in as sa and tried to access the system catalog, and here is what I got:

[Image: encryption1]


I got the same error when I queried other tables. Here is what I saw when I tried to open the database from SSMS:

[Image: encryption2]

The database files were indeed encrypted. The vendor claims the files are encrypted with AES-128.

[Image: encryption3]

As you see, it is not only encrypted, but also protected from a privileged user. How would the owner access the encrypted database? You need to add your application to the list of approved applications and provide the database name and the password:

[Image: encryption4]

After the application is added to the list, it may access the database absolutely transparently, but only from a computer where it was configured. All other client applications from different computers will be rejected. An authorized application can’t be substituted with another application. The digital signature of the authorized application is checked before granting access. There are different options to configure access, but I haven’t checked them all.

Even more, there is nothing in SQL Profiler related to the protected database. Not a single statement is visible!

There are many other features that I have not tested:

  • Encrypted backups
  • API for .NET and native apps. Using this API you can manage encryption from your application or command line.
  • Encryption with FIPS 140-2 validated module
  • Encryption with certificate.

If you are a software vendor and would like to protect your database from the local administrator, I think you might be interested.

The software is free for SQL Server 2005 and 2008. For newer SQL Server versions prices start from $698 per server.

Download link: https://www.database-encryption.com/

Reference: Pinal Dave (https://blog.sqlauthority.com)
