How to do application layer data encryption in Azure SQL using ASP.NET?
Several other answers (ex: How do I encrypt data in SQL Azure? ) Say that the usual SQL Server data encryption mechanisms (transparent data encryption, asymmetric keys, symmetric keys, etc.) are not supported in Azure SQL , so a application level.
Our only requirement is that some data should not be stored in plain text, but should be encrypted in the database (and, of course, it would be difficult for an attacker to decrypt). What's the best way to do this? What encryption scheme should I use? I've googled a lot but couldn't find a definite answer.
Should I use symmetric or asymmetric encryption? How do I store the keys needed to encrypt and decrypt data?
source to share
OK - so, although some of the elements in this answer could be construed as an opinion - of course, something specific that can be contributed to this ...
[FWIW: We are currently going through this process - so I did part of this journey]
For both of your questions, I would recommend reading the Jericho Forum Covenants on De-Perimetrization and Cloud Computing . Also, the "Information Collector" indicators in cloud computing are indicative in general (yes, I'm from the UK).
From this, you should ensure that the application-level encryption mechanism, i.e. the certificate, is not stored with data or inside the application (i.e. as an embedded resource). Keeping a key with data (even in Azure BlobStorage) is kind of like sticking a key to the actual door. You can use a different cloud service file store, or use a prebuilt solution like Entrust (disclaimer: I don't work for these and there are others). The real goal is that if your data is included, you will be in control of the decryption mechanism and thus control the data.
Choosing symmetric or asymmetric encryption is one option - but the ability to expire certificates is a major benefit - my eyes ...
source to share