Data encryption within Azure website storing in Azure database

I am wondering what the best way to encrypt/decrypt my documents (which will be stored within my database) while at rest. My web app will allow user to upload document and share them with other people so they can download them.
I want the encryption keys/intial vectors to be generated from code so there is no user input. Here is my current thought which is a hybrid of AES/RSA.
Create a new table called keys within my database which will look like the following...
ID | Key | Vector
then when a document is uploaded the Key/Vector is generated and used to encrypt the document and then the document is saved into the document table returning the document ID, which will be stored within the new table in the ID field along with the key and
vector.
Then i somehow need to protect the keys as anyone who grabs my database will have access to all the doucments still as the keys are there!
So i was thinking i would upload a private certificate into Azure storage and store the public certificate inside my web app so before the key/vector is saved my application will encrypt them with the public certificate.
Then when a user downloads a document, the app will connect to my Azure storage account and grab the private key, it will grab the row from key table associated with the document id they are trying to download and then it will use the private key to decrypt
the key/vector then it will use the key/vector to decrypt the document.
Does this seem the best way forward for how to do it, am i way off, or is there a security hole within this solution?

All your keys are still the same so long as you use one cert to do the work. (and they're all still in one place).  If the app downloads the private key, well - the app and anyone in the middle has the key to figure out the rest and decrypt all the
data.  You'll  struggle to make good security just by adding levels of effort or middle steps like that.
What you're doing is kind of like storing the key to your house in your car, and the car's key is in the car's door lock.  You've just added a single step to get inside your home. 
If I have your DB, I probably have your code, which means I know how to do the rest, and since everything is public, so is the resultant data.
What I'd do is have Azure Storage holding the encrypted data, and a key share table.  Use the DB as an index if you feel you need, but it's cheaper to go with just storage.
Each app would create, have, and hold privately, an AES private key. The app would somehow initially upload the public key for the user to the key share table via your service.
When user A wanted to send to user B, they would get B's public key from the key share.  The App would encrypt A's Document and only then send the encrypted data to B's 'mailbox'. Later, B would come along and see a file was waiting.  They'd download
the encrypted data and then decrypt it with their private key which has never left their app/device/wherever.
Think about making every private key 'private' to the entity owning it.  Don't ever store/share/transmit a private key where any public entity can get it.  That's the only way it'll work.
To make things even harder, you can do things to the data before document encryption, (and after) but never mess with the one golden rule of AES:
Keep "private" private, private!
Darin R.

Similar Messages

  • I need to host a website with a SQL database - Azure pricing details are too confusing

    Hello,
    I need to give a potential client a hosting price for a somewhat simple web application they want me to build. I told them it shouldn't be a problem. After gathering the requirements, I figured I would use the following technology to build and host
    it:
    ASP.NET 4.5
    MVC 5
    1 SQL Database ~ 25GB with options to expand and also with a backup
    SSL certificate needed
    Hosting would be on Azure because I have some experience using Visual Studio 2012 and integrating the Visual Studio Online (TFS) source code and scrum web applications. I've never actually spun up a website with a SQL database using Azure before, but I
    imagined it wasn't too difficult to find a general hosting plan to support the above requirements.
    The use of the website will be very simple and limited to the basic CRUD operations. Will support forms authentication using the Identity 2.0 framework. The web applications main purpose is to fill out a form for new accounts, have a search page for
    those accounts, a page to view a created account and add notes to it. So performance wise, it isn't asking for much. I just want it to be fast and secure.
    So I start looking on the Azure's pricing landing page which is here: (can't put links in here, but search Azure pricing on Bing) and I see this Pricing Calculator, so I click it
    First thing I notice is the Websites tab doesn't mention SQL Database - in fact the Data Management is a separate tab from Websites. And if I made my selections on the Websites tab, the estimated monthly price doesn't stay the same when I go to the Data
    Management tab - so I get the illusion I have to have two separate purchases.
    I'm not exactly sure if the Pay as You Go billing feature would be okay because it's just a bit scary to leave every monthly payment up to chance; somewhat. Would love to know if there is other payment options that I could see for what I described above.
    I want to use Azure to host my asp.net website - it makes sense and the integration with Visual Studio is amazing. I love the publish feature for both MVC 5 Projects and SQL Database Projects.
    Thanks in advance for the help!

    Hello jdevanderson,
    I suggest that you start by looking at the pricing TIERS for the Azure website. This link will give you clarity on different Service TIERS that are availaible:
    http://azure.microsoft.com/en-in/pricing/details/websites/
    You can guage your requirement and choose the Service TIER accordingly.
    And regarding the database, you are right about it. You will be charged seperately for the database. You can refer to this link that will give you clarity on SQL database pricing:
    http://azure.microsoft.com/en-in/pricing/details/sql-database/
    Refer to this link for more information on 'How pricing works':
    http://azure.microsoft.com/en-in/pricing/
    Use the full calculator to add your website and the database to get an estimated cost:
    http://azure.microsoft.com/en-in/pricing/calculator/?scenario=full
    Thanks,
    Syed Irfan Hussain

  • Need to take SQL Azure database backup into blob using dacpac services, the blob has to be encrypted.

    We are able to take backup of our database into blob storage using dacpac services, but we need to encrypt the blob data. Please suggest the efficient way to do it.

    Hello,
    As per my understanding, Windows Azure Storage does not transparently encrypt data or provide any special encryption mechanisms. Azure Blob Storage protect the data by using a storage key to control access to all data in that Storage Account.
    If you want to encrypt data of file inside Azure Blob Storage Services , you can refer to the following thread about same requirement:
    http://social.msdn.microsoft.com/Forums/windowsazure/en-US/23465a1e-1fce-481a-b375-6e2434186ea6/encrypt-sql-azure-blob-data?forum=windowsazuredata#bf6c9921-176e-4c76-b976-3b94c795cd16
    Regards,
    Fanny Liu
    If you have any feedback on our support, please click here. 
    Fanny Liu
    TechNet Community Support

  • How to modify stored procedures in SQL Azure database in SQL server express 2012

    Hi,
    I want to modify stored procedures in SQL Azure database in SQL Server Express 2012. But when right click on the stored procedure in Object Explorer, there is no option "Modify" as for SQL Server database. I wonder how to modify stored procedures in SQL
    Azure database in SQL Server Express 2012. Thanks.
    York

    Hi,
    Not sure whay there is no modify..
    As a workaround can you try this and see if you can modify proc..
    Script Procedure As-> Alter To->New query window..
    - Chintak (My Blog)

  • Offline data synchronization in azure mobile services on windows server 2008

    Hi,
    I have a class library which insert data into tables in azure mobile services on windows server 2008 OS for windows universal C# platform. I am trying to insert data using offline data synchronization.
    I had installed SQLite runtime for windows 8.1 and windows phone 8.1, but unable to add reference 'SQLite for Windows Runtime(Windows8.1)'.
    Please guide me whether windows server 2008 OS supports offline data synchronization in azure mobile services.
    Thank you.

    I also have a Windows Server 2012 R2 system using Azure Backup, and I don't have the problem. However, you probably noticed that you use a different Azure Backup installation download for Windows Server 2008 R2 vs. Windows Server 2012 R2. Although both
    show the same Microsoft Azure Recovery Services Agent version 2.0.8692.0 installed, my Windows Server 2012 R2 also lists Microsoft Azure Backup for Windows Server Essentials version 6.2.9805.9 installed as well. It could be the case the my problem with the
    CATALOG FAILURE 0x80131500 errors is something specific to the version of Azure Backup installed on my Windows 2008 R2 servers.
    Trilon, Inc.

  • Data sync between on-premise and azure database

    HI, I am not able to setup data sync between my on-premise database and azure database. Following is the error I am getting after it ran for almost 36 hours...
    Sync failed with the exception "GetStatus failed with exception:Sync worker failed, checked by GetStatus method. Failure details:An unexpected error occurred when applying batch file C:\Resources\directory\4c6dc848db5a4ae88265ee5aa1d44f40.NTierSyncServiceWorkerRole.LS1\DSS_7b1d73b4-d125-466f-94ab-eaa4553ea0ae\ed19f805-3d50-466a-96b3-861c4f22d8a4.batch.
    See the inner exception for more details.Inner exception: Failed to execute the command 'UpdateCommand' for table 'dbo.Transactions'; the transaction was rolled back. Ensure that the command syntax is correct.Inner exception: SqlException Error Code: -2146232060
    - SqlError Number:10054, Message: A transport-level error has occurred when receiving results from the server. (provider: TCP Provider, error: 0 - An existing connection was forcibly closed by the remote host.) "    For more information,
    provide tracing ID ‘e6a1fad1-f995-4ffe-85db-0c6dc02423f1’ to customer support.

    Hi, sorry it has been a long time since your last post. Are you still using SQL Data Sync and hitting any issue which we could help with?
    Linda

  • Trouble running "Universal Windows app that consumes data from the Azure Marketplace" sample

    I am trying to run the sample titled "Universal Windows app that consumes data from the Azure Marketplace". I am not sure how to enter the credentials for the Zillow APIs.  I obtained a key from Zillow, but when I enter it per the instructions
    in the sample, I still get an unauthorized (401) error.  
    The instructions say  Insert that key into the SampleDataSource file of your project in place of the string "Your account key goes here".
    So I replaced my key in this line of code:
    request.Credentials = new NetworkCredential("<Your account key goes here>",
                                        "<Your account key goes here>");
    Am I missing something else?

    Hi isgimaryann,
    I would suggest you ask question at:
    https://code.msdn.microsoft.com/windowsapps/Universal-app-that-d7406c5b/view/Discussions#content to see if the owner of the sample will give you some suggestions.
    --James
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click
    HERE to participate the survey.

  • Connect SAP BO Data Services to Azure Blob Storage

    Hi,
    I want to connect SAP BO Data service to Azure Blob Storage. Is there a way to achieve this?
    Thanks,

    Hi Anton,
    As of now, it is not possible for SAP BO Data Services to connect with Azure Blob Storage. However, you may put down your requirement in Azure Feedback, so that concerned development team can get it done in near future.
    http://feedback.azure.com/forums/34192--general-feedback
    Regards,
    Manu Rekhar

  • Graphical Design on Azure Database

    Hi
    I have read through a lot of older posts (2009 onwards) regarding the limitations of the SQL management studio when connected to Azure Databases. I'm just making the transition into the cloud, and as far as I can tell, most of the problems still exist,
    hopefully someone can tell me I'm wrong...
    The big problem is that I cant find a graphical designer for queries within stored procedures. In my local database, within the stored procedure I can just right click and choose 'design query in editor', however when I connect to the Azure database, this
    isn't available.
    I have tried using the Azure online designer but that's the same, if I right click I just get Silverlight and no obvious option for creating queries graphically.
    I'm missing something, as far as I can remember this functionality has been available since way back when, it seems like a pretty big omission? All though its not the end of the world, it was really useful to be able to do this
    Any help would be much appreciated
    thanks
    Andy

    Hi Andy,
    If your used to create your queries from a graphical tool, I can do nothing but highly recommend SQL Server Data Tools for Visual Studio. This enables you to create Database projects where you'll have a graphical UI for creating your queries. Moreover, this
    feature also enalbes you to do things like schema comparison or data comparison directly within Visual Studio.
    Alex

  • SQL azure database size not dropping down after deleting all table

    Dear all,
    I have a simple database on Azure for which I have deleted all table data. The size of the database is still showing 5Mb of data and I am charge for that. I have heard that this may happen from cluster index getting fragmented.
    I have run  a querry I found on internet on all my table index to show percentage of fragmentation and all report 0%.
    DBA is not so my job but what could it be or how can I reduce that size ?
    ON premise I would use COMPACT DB but not available in azure like some others DB action
    Thnaks for tips
    regards

    user created objects/data are not the only ones stored in your database. you got system objects and metadata as Mike mentions above.
    are you trying to skip being charged if you're not storing data? looking at the pricing table,  you'll still get charged the $4.995 for the 0-100MB database size range.

  • Connection between two SQL Azure Databases

    We have a requirement to move data (partial data in a table based on policy conditions) between two SQL Azure Databases. Want to know the best possible way to do this.
    We are not looking at Data Sync Framework - as this is only a Preview version and we have to use this in an ongoing basis in Production and the volume of data is quite high.
    The option that we have currently is to use an on premise stored procedure - that will have two link servers to the source and target SQL Azure Databases and do the data movement in one transaction.
    Are there any other better options to do this ? Any pointers will be helpful.

    Hi Kothai Ramanathan,
    According to your description, if you just want to moving part of the data from a huge table between two different SQL Server database, you can use
    SQL Server replication to sync the part of data via articles. However, in SQL Azure database, it does not support SQL Server replication, if you want to migrate database, as other post, you
    can use Data-Tier Application Import and Export or other ways.
     In addition, for just moving the part of data,  you can also create two Linked Servers between local SQL Server database and two different SQL azure database. For example, you can get the changed data from the first Linked
    Server and saved the data to Local database, then insert these data to the other azure database via the second Linked Server.
     For more information, see:
    http://azure.microsoft.com/blog/2012/09/19/announcing-updates-to-windows-azure-sql-database/
    http://blogs.msdn.com/b/sqlcat/archive/2011/03/08/linked-servers-to-sql-azure.aspx
    Regards,
    Sofiya Li
    Sofiya Li
    TechNet Community Support

  • Are there any tools for data encryption and decryption ?

    Hi,
    i am using oracle 9i R2, i want encrypt my data. Are there any tools available in market.
    Please let me know the ways to do data encryption and decryption.
    Thanks in advance
    Prasuna.

    970489 wrote:
    using DBMS_OBFUSCATION_TOOLKIT.Encrypt /DESEncrypt we can't secure our password...So i am looking for an another alternative.As Blue Shadow said, what are you really trying to achieve?
    Encrypting a password is itself not secure. Anything that can be encrypted can be decrypted. That is why Oracle itself DOES NOT encrypt passwords.
    Surprised??
    Here's what Oracle does with passwords, and what others should be doing if they have to store them.
    When the password is created, the presented password - clear text - is concatenated with the username. The resulting character string is then passed through a one-way hashing function. It is that hashed value that is stored. Then when a user presents his credentials to log on to the system, the presented credentials are combined and hashed in the same manner as when the password was created, and the resulting hash value compared to the stored value.

  • What data type is used for storing password,

    What data type is used for storing pass word in oracle db, i mean if user inputs some thing from forms it should be in Encrypted form in db, please any help??
    Thank you
    Hina

    Data type is VARCHAR2:
    SQL> desc dba_users;
    Name                                      Null?    Type
    USERNAME                                  NOT NULL VARCHAR2(30)
    USER_ID                                   NOT NULL NUMBER
    PASSWORD                                           VARCHAR2(30)
    ACCOUNT_STATUS                            NOT NULL VARCHAR2(32)
    LOCK_DATE                                          DATE
    EXPIRY_DATE                                        DATE
    DEFAULT_TABLESPACE                        NOT NULL VARCHAR2(30)
    TEMPORARY_TABLESPACE                      NOT NULL VARCHAR2(30)
    CREATED                                   NOT NULL DATE
    PROFILE                                   NOT NULL VARCHAR2(30)
    INITIAL_RSRC_CONSUMER_GROUP                        VARCHAR2(30)
    EXTERNAL_NAME                                      VARCHAR2(4000)
    PASSWORD_VERSIONS                                  VARCHAR2(8)
    EDITIONS_ENABLED                                   VARCHAR2(1)
    AUTHENTICATION_TYPE                                VARCHAR2(8)You can use SQL function ORA_HASH to hash password: http://download.oracle.com/docs/cd/E11882_01/server.112/e17118/functions124.htm#SQLRF06313.

  • When I want to setup "Adobe" Windows tell me "Data Too Big To Be Stored In Memory".

    Hello.
    How can I solve the error "Data Too Big To Be Stored In Memory" ?
    Thanks.

    Hello.
    How can I solve the error "Data Too Big To Be Stored In Memory" ?
    Thanks.
    I would recommend to check the requirements of the Adobe product before installing the product. More if you ask them in Adobe forums.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK
    My Website Link
    My Linkedin Profile
    My MVP Profile

  • SQL Server Transparent Data encryption

    I have implemented TDE for the Database and Column Level Encryption for Sensitive data in Tables. But, the Porblem is the data is entered through an front end application how could i encrypt this data when it is inserted from the Front end. And how to decry-pt
    this data for the users when it is selected.
    Your suggestions are most valuable.
    Reagrds
    Rehaan Khan
    RehaanKhan. M

    Let me start with a solution that may have been overlooked, but it is good to make sure we cover it. Have you considered using column-level permissions? It may not be a complete solution for your particular scenario if you need to give access to the column
    for other reasons (after all, the group you are trying to restrict is probably developing applications on top of the column storing sensitive data) or if the developer group has permission to create objects that would render the sensitive data subject to ownership
    chains. For more information on column-permissions look at
    http://msdn.microsoft.com/en-us/library/ms186915.aspx
    Assuming permissions alone will not solve the problem. By using encryption you should be able to limit access to the sensitive data to the developers, but it will also require some changes to your schema & application. TDE (Transparent Data Encryption)
    will not help you in this scenario since you need to restrict access to the data and restricting access to the column is not sufficient.
    The following links may be useful to get you started with SQL Encryption capabilities:
    SQL Server Encryption (http://msdn.microsoft.com/en-us/library/bb510663.aspx)
    Data Encryption in SQL Server (http://msdn.microsoft.com/en-us/library/bb669072(v=vs.110).aspx)
    Encrypt a Column of data (http://msdn.microsoft.com/en-us/library/ms179331.aspx)
    Cryptographic Functions (T-SQL) (http://msdn.microsoft.com/en-us/library/ms173744.aspx)
    Older articles, but they may still be quite useful:
    Indexing encrypted Data (http://blogs.msdn.com/b/raulga/archive/2006/03/11/549754.aspx)
    SQL Server 2005: searching encrypted data (http://blogs.msdn.com/b/lcris/archive/2005/12/22/506931.aspx)
    One recommendation may be to encrypt the data using an AES key, and protect the key using one or more certificates (I would recommend using a separate certificate per individual if possible), making sure that only authorized people have access to the keys.
    Anyone else with access to the column, but not to the keys would not be able to decrypt the data.
    BTW. I would also recommend using SQL Auditing (http://msdn.microsoft.com/en-us/library/cc280386.aspx) in order to keep honest people honest, by monitoring access to the keys & to the
    sensitive data.
    I hope this information helps,
    -Raul Garcia
    SQL Server Security
    This posting is provided "AS IS" with no warranties, and confers no rights.

Maybe you are looking for