问题
I am in the process of rolling out SQL Always Encrypted to our Databases and have a query about the Best practice approach to storing the certificate for the CMK.
We have .Net web applictions hosted on a Windows server 2016 box, which each have a distinct AD service account (SA) assigned as their Application Pool ID. We have a SQL server instance on a separate server. This approach allows us to segregate and restrict access per application to the database and is working well.
I don't want to import the CMK cert to the local machine Windows Certificate store, as that would mean all users on the server, primarily the server admins, would have the access to the cert and thus the ability to decrypt the data in the database.
I have currently signed on to the server as the SA and installed the cert under local user. This is the most secure option I can think of, as ONLY the SA is able to decrypt the information, which in turn means only the Application can decrypt the data and no other users can. The issue I'm facing with this approach however is the SA seemingly needs to be logged in to the server all the time, which isn't a feasible long term solution (if the server gets rebooted, the account will be logged off and my application will fail)
Has anyone found any official Microsoft Guidance on where the best place to store the CMK securely is?
Many Thanks
回答1:
I'd recommend using the Azure Key Vault as your Keystore Provider(Centralized Key Stores), which will be the most secure way to store your Key's.
Selecting a Key Store for Column Master Key
As per this ,
Centralized Key Stores - serve applications on multiple computers. An example of a centralized key store is Azure Key Vault. A centralized key store usually makes key management easier because you don't need to maintain multiple copies of your column master keys on multiple machines. You need to ensure that your applications are configured to connect to the centralized key store
So go far Cnetralized Key Stores
You can easily manage the users/Application through the access policies in the Azure Key Vault.
Reference
来源:https://stackoverflow.com/questions/51513963/sql-always-encrypted-cmk-certificate-storage-best-practice