Re: hooking into sql server file I/O -- file level encryption



(rolandp66@xxxxxxxxx) writes:
There are a number of third party packages that do "whole file"
encryption of SQL databases. For example:

Encryptionizer (http://www.netlib.com/)
XP_CRYPT (http://www.xpcrypt.com/)

We are considering using one of these products, but I am wondering if
it is possible to "roll our own". We have some experience doing this
with sqlite; because sqlite is open source, it is relatively easy to
hook into the "pager" and perform custom encryption/decryption.

What I'd like to know is whether something similar is possible with
SQL Server (or more specifically MSDE). Or rather, clearly it is
_possible_, since the above products do it. But how? How do these
products insert themselves between the database engine and the
physical file I/O?

I speculate that they are re-implementing some file IO interfaces used
by SQL, but I don't know where to start looking for what those
interfaces might be or where they live in the registry. Or maybe I am
off base and there are some hooks provided by SQL I don't know about.
I have scoured MSDN and Google but it appears to be a difficult topic
to query.

The way to do it would indeed be to intercept the file I/O system calls.
Since SQL Server uses the interfaces in NTFS, the tool would have to
be configured to only encrypt selected files, since else you would be
encrypting - and decrypting - the entire disk.

Whether this actually is doable I don't know. You would have to ask in
a Windows newsgroup to get some tips on that. But I would assume that
whatever you do, it would be entirely unsupported.

--
Erland Sommarskog, SQL Server MVP, esquel@xxxxxxxxxxxxx

Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx