Open denysvitali opened 3 years ago
Thanks for the review! I'll try to find the time to improve the PR
Any idea how to insert or update the encrypted data?
@denysvitali are you interested in re-homing this PR in our fork? https://github.com/microsoft/go-mssqldb
Sure!
I've started a more extensive AE implementation in the Microsoft fork and welcome feedback. We're starting with decryption using local certs or Azure Key Vault then expanding to encryption. https://github.com/microsoft/go-mssqldb/pull/116
@denysvitali @kardianos Does go-mssqldb have an equivalent function for converting the []namedValue slice to a comma delimited string like .Net at https://github.com/dotnet/SqlClient/blob/2b31810ce69b88d707450e2059ee8fbde63f774f/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SqlCommand.cs#L6150 ?
For encrypting parameters I need to build a query to sp_describe_parameter_encryption which has the list of named parameters and their types like this.
```sql
exec sp_describe_parameter_encryption N'DECLARE @c1 AS NCHAR (10) = @p3ee82b8b457c44498ce61053237ba60e;
DECLARE @c2 AS INT = @p643017f69684494b9143f6de7c9078b1;
INSERT INTO Table_1
VALUES (@c1, @c2);
',N'@p3ee82b8b457c44498ce61053237ba60e nchar(10),@p643017f69684494b9143f6de7c9078b1 int'
```
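An added sketch, not code from go-mssqldb or from the PR, of building the `sp_describe_parameter_encryption` batch in the shape quoted above: a comma-delimited `@name type` list and the statement text, each embedded as an `N'...'` literal with quotes doubled. `Param`, `ParamList` and `DescribeEncryptionQuery` are hypothetical names, and the T-SQL type string for each parameter is assumed to be supplied by the caller.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Param is a hypothetical stand-in for a driver-side named value.
type Param struct{ Name, SQLType string }

// Conservative allow-lists so a name or type cannot break out of the literal.
var (
	nameRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)
	typeRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*(\((max|[0-9]+(, ?[0-9]+)?)\))?$`)
)

// quoteNString renders s as an N'...' literal, doubling embedded quotes.
func quoteNString(s string) string {
	return "N'" + strings.ReplaceAll(s, "'", "''") + "'"
}

// ParamList builds the comma-delimited "@name type" declaration string.
func ParamList(params []Param) (string, error) {
	decls := make([]string, 0, len(params))
	for _, p := range params {
		if !nameRe.MatchString(p.Name) || !typeRe.MatchString(p.SQLType) {
			return "", fmt.Errorf("rejected parameter %q %q", p.Name, p.SQLType)
		}
		decls = append(decls, "@"+p.Name+" "+p.SQLType)
	}
	return strings.Join(decls, ","), nil
}

// DescribeEncryptionQuery builds the sp_describe_parameter_encryption batch.
func DescribeEncryptionQuery(stmt string, params []Param) (string, error) {
	list, err := ParamList(params)
	if err != nil {
		return "", err
	}
	return "exec sp_describe_parameter_encryption " + quoteNString(stmt) + "," + quoteNString(list), nil
}

func main() {
	// Constructed sample input mirroring the shape quoted in the thread.
	q, err := DescribeEncryptionQuery("INSERT INTO Table_1 VALUES (@c1, @c2);",
		[]Param{{"c1", "nchar(10)"}, {"c2", "int"}})
	fmt.Println(q, err)
}
```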
@denysvitali I've got a PR for both encryption and decryption in the Microsoft fork at https://github.com/microsoft/go-mssqldb/pull/116. It handles both pfx files and the Windows certificate store, though I haven't yet written test automation for the E2E of the pfx file-based operations. I welcome folks like you to grab that branch and try out your scenarios and to give input on the PR.
This commit adds partial support for the Microsoft SQL "Always Encrypted" feature (basically, E2E encryption).
The current implementation is to be considered a preview since it might not be perfectly implemented.
Supported features:
Missing features:
The most probably needs to be improved a bit, but so far it's working for some of the use cases that I needed it for.
Feel free to test the feature and open an issue if you find any problem: my goal is to have enough testers to spot eventual bugs.
Fixes #265