Posted on: Friday, 26 June 2009 by Rajiv Popat

Free And Open Source Field Level Database Encryption For SQL Server 2005 and Later.

At work we design and build financial applications. When you are in the business of building financial or banking applications your database will contain sensitive information including account numbers and accounting information that you want to protect obsessively.

Multiple layers of security become important in cases like these.

The first layer, of course, is SQL Server's built-in permissions and security.

At a second level you want to lock everyone out of the production servers so that they cannot grab the data files or access the database directly.

The third layer is encrypting sensitive fields at the field level, so that data inside the database cannot be read by anyone who has direct access to it --- this includes even the database administrators and the support staff who manage the database servers.

Making it simple to add this third layer of security is exactly what SQLDBCrypt does.

SQLDBCrypt is an in-house SQL Server 2005 based encryption engine that we developed as a side hobby project.

Put simply, at a basic level SQLDBCrypt does exactly what commercial products like XPCrypt do, except that SQLDBCrypt is free and open source.

We have been using this product to encrypt and decrypt sensitive data that goes in and out of our applications for over a year and are very happy with the results.

The story behind SQLDBCrypt was somewhat along the lines of 'an idea conceived and implemented by a single builder'.

Abhijit Ghosh, who gives you a very sinister smile when you ask him if he has a blog or a web presence, is a very capable DBA and programmer rolled into one, and works on my team at work.

Sometime a couple of years ago he conceived the idea and decided that he wanted to take this project up as his official assignment.

Early on in the project, we decided to give him time to get a prototype done, get him everything he needed, wish him luck and get out of his way.

A few weeks later we were playing with a working prototype, using which we were able to get it adopted inside eFORCE as a formal product, with a formal testing and development team that would move the product forward and use it in some of our flagship products.

Within a few more weeks we had a working version which was fully tested and which was being used in some of our financial applications.

We have been using SQLDBCrypt internally since then.

When you work in flat organizations where even the topmost management understands software development, decisions of this sort are often made without any meetings or committees. After more than one year of usage in a production environment, we at eFORCE recently discussed the idea of taking SQLDBCrypt to open source and were able to get a green signal in literally less than three days. No long-winded discussions, no meetings and no committees.

We have moved the code base to CodePlex for you to try it out and give us your feedback, dear reader.

If SQLDBCrypt interests you, we suggest you start by visiting the Product Home Page on CodePlex.

We're licensing this code under the New BSD license, which allows you to use this product even in commercial projects without any of the typical restrictions that you get in commercial products and other open source licenses.

The source code for the project is available live, so if you really want to review the security aspects of the code and send in your suggestions, you can totally do that.

The project started as a fun project and slowly matured into something reliable that we could use in our own product stack. We clearly did not have any intention of competing with the commercial database encryption companies out there, but when we were done we did some basic benchmarking of the product against other commercial products like XPCrypt and, on huge data sets, found SQLDBCrypt to be around ten times faster.

While we are talking about comparisons, it might also make sense to talk about the limitations of SQLDBCrypt compared with other products out there.

While most commercial products like XPCrypt support multiple encryption algorithms, we are starting with support for MD5 for hashing and RC4 (128 bit) for encryption.

We will be releasing support for other algorithms moving forward and are expecting community contributions for adding support for additional algorithms.

To add to that, while commercial products like XPCrypt work on older versions of SQL Server, SQLDBCrypt uses SQL CLR and requires SQL Server 2005 or later.
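The post names RC4 (128 bit) as the cipher and, further down, invites readers to review the security aspects of the code. Added here as an illustration, not as SQLDBCrypt's code (whose key handling the post does not describe), the Python below shows the first property a reviewer checks in any stream-cipher field encryptor: two values encrypted under the same key share a keystream, so the stored ciphertexts alone reveal the XOR of the two plaintexts, while deriving a distinct key per row (a constructed mitigation) removes that relation. All keys and account numbers are constructed sample values.

```python
import hashlib

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling (KSA), then keystream generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                        # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):                     # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rc4_encrypt(key: bytes, data: bytes) -> bytes:
    """Stream cipher: ciphertext = data XOR keystream; the same call decrypts."""
    return xor_bytes(data, rc4_keystream(key, len(data)))

def per_row_key(master_key: bytes, row_id: int) -> bytes:
    """Constructed mitigation: a distinct 128-bit key per row, so no two field
    values ever share a keystream (a real design would use an AEAD cipher)."""
    return hashlib.sha256(master_key + row_id.to_bytes(8, "big")).digest()[:16]

def leaks_plaintext_xor(c1: bytes, c2: bytes, p1: bytes, p2: bytes) -> bool:
    """Reviewer's check: with a shared keystream, c1 XOR c2 == p1 XOR p2, so the
    stored ciphertexts alone reveal the relation between the two plaintexts."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n]) == xor_bytes(p1[:n], p2[:n])

# Constructed sample values: two account numbers stored in one encrypted column.
ACCOUNT_1 = b"4532015112830366"
ACCOUNT_2 = b"4916338506082832"
MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed key

def shared_key_leaks() -> bool:
    """One static key for the whole column: the leak is present (True)."""
    c1, c2 = rc4_encrypt(MASTER_KEY, ACCOUNT_1), rc4_encrypt(MASTER_KEY, ACCOUNT_2)
    return leaks_plaintext_xor(c1, c2, ACCOUNT_1, ACCOUNT_2)

def per_row_key_leaks() -> bool:
    """Per-row derived keys: the XOR relation no longer holds (False)."""
    c1 = rc4_encrypt(per_row_key(MASTER_KEY, 1), ACCOUNT_1)
    c2 = rc4_encrypt(per_row_key(MASTER_KEY, 2), ACCOUNT_2)
    return leaks_plaintext_xor(c1, c2, ACCOUNT_1, ACCOUNT_2)
```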

Currently we are keeping the team size really small but going forward we will be adding team members as and when required.

We will be doing a formal series of benchmarking tests, posts and examples of how you can use the product going forward, but if you have a need for this product we would encourage you to try it out, beat it up, benchmark it yourself and let us know your comments and feedback.

We are calling the current version a beta release for the next few days, till we reach decent packaging and add all the bells and whistles of a formal product to it. Having said that, we really want you to download this version and play around with it. See if it meets your needs; if it does, go ahead and use it in your projects. Feel free to let us know your thoughts, ideas or any bugs you encounter while playing around with this product at the Project Task List on CodePlex.

If you would like to start additional discussions around the product or any of its features, feel free to use the product's discussion board at CodePlex.

If you like the product, and the fact that we have decided to release it as a free and open source component, go spread the word. Tell your friends, blog and tweet about it.

If you do not like the product, please do tell us why and where you think we can improve it.

We love the idea of supporting whatever it is that we write and would love to take in suggestions on changes or features which can improve the product.

As much as I would like to recommend this product highly to everyone, the fact of life is that it addresses a very specific problem, and if you do not have the need, the product in all its glory is not going to make any sense to you.

If you are building a library tracking system, this product is clearly something you do not want to waste your time investigating.

On the other hand, if you are building a system which is going to store information worth protecting obsessively --- examples being banking applications, finance applications, or anything that stores sensitive information like account numbers, credit card information etc. --- go give this application a try before you go and buy some of the commercial products out there.

Do let us know your comparative analysis and what you think.

More announcements and open source goodness coming soon.

Stay tuned.