Drivers Data Encryption

Posted on by admin



McAfee Drive Encryption is full disk encryption software that helps protect data on Microsoft Windows tablets, laptops, and desktop PCs to prevent the loss of sensitive data, especially from lost or stolen. Windows 10 has a neat feature called Device Encryption. When enabled, Device Encryption encrypts the data in all fixed drives (like your HDD) with 128-bit AES encryption and protects your system from any unauthorized access. For instance, an attacker cannot connect your hard disk to another system to access or modify the data. If you’re going to use a flash drive, encryption is one of the best ways to protect your data. Encryption can help protect the sensitive data on an external drive should it fall into the wrong hands through loss or theft, but there are other reasons for encryption, too. LTO drives use the 256-bit Advanced Encryption Standard with Galois/Counter Mod of Operation (or AES256-GCM for short). It is authenticated encryption that achieves very high speeds in hardware with low cost and low latency.

When highly sensitive information, such as customer or otherwise work-related information, is handled with a laptop or desktop computer, data security should be on top of every business owner’s mind. Especially laptops are vulnerable to security risks due to their mobile nature. When a laptop gets lost or stolen, data breaches can become costly.

“Compared to hacking a secure network, it is much easier to download information from an unencrypted or unprotected laptop. This is a reality a lot of business owners and IT professionals fail to realize.”

There are multiple reasons for protecting laptops and the data in them, and luckily, there are various ways to mitigate security risks. One powerful tool is full disk encryption. Full disk encryption is a data protection method, which transforms information in a storage medium into a secret format that can be only understood by people or systems who are allowed to access the information.

LTO drives use the 256-bit Advanced Encryption Standard with Galois/Counter Mod of Operation (or AES256-GCM for short). It is authenticated encryption that achieves very high speeds in hardware with low cost and low latency.

In this article, we discuss different data encryption methods and why drive encryption makes sense. We also reveal a smart way to enable drive encryption on your Microsoft Windows or Apple macOS devices.

Topics to be covered in this article:

What is hard drive encryption or full disk encryption?

Essentially, encryption refers to the process of encoding data. In disk encryption, this means that information on your computer’s hard drive is transformed from plaintext to ciphertext, which makes the original information unreadable.

Hard drive encryption uses a specific algorithm, or cipher, to convert a physical disk or logical volume into an unreadable format that cannot be unlocked by anyone without the secret key or password that was used to encrypt the drive. This prevents unauthorized people or hackers from accessing the information.

Drivers data encryption software

There are two main computer encryption types: full disk encryption and file-level encryption.

  • Full Disk Encryption (FDE) or whole disk encryption protects the entire volume and all files on the drive against unauthorized access.
  • In contrast to FDE, File-Level Encryption (FLE) is an encryption method, which takes place on the file system level, enabling the encryption of data in individual files and directories.

Full Disk Encryption and File-Level Encryption are not mutually exclusive. In fact, they can be used simultaneously to achieve higher security as they serve different purposes, but that’s a topic on its own.

Modern versions of Windows and macOS have built-in encryption programs: BitLocker for Windows and FileVault for macOS. There are also a few open-source products for encryption, such as VeraCrypt, AxCrypt, and Gpg4win.

What is BitLocker?

BitLocker is Microsoft’s full disk encryption feature that is commonly included in Windows versions that are oriented towards professional, business, or organizational use. With the BitLocker drive encryption, you can encrypt the entire operating system drive and/or other drives mounted to your Windows PCs.

BitLocker is designed to work best with a Trusted Platform Module (TPM) that stores the disk encryption key. TPM is a secure cryptoprocessor that checks whether the encrypted data is being accessed with the right device. Disk encryption on newer Windows OS versions is strongly based on TPM but a USB startup key can also be used to access the encrypted data. However, it is not as popular.

The first BitLocker encryption usually takes some hours to complete depending on the drive features, but after that, the user experience is more or less transparent. All data on the protected drives is stored in an encrypted form while the computer is locked or turned off, but when the user unlocks the system with their Windows login credentials, everything works similarly like in an unencrypted system. Any new files will be encrypted automatically on the fly.

BitLocker is included in Windows 7 (Enterprise and Ultimate) and the Pro, Enterprise, and Education editions of Windows 8.1 and Windows 10. If your operating system version supports BitLocker, you can enable it easily on your computer. But if you need to enforce drive encryption to multiple Windows devices, it’s wise to use a UEM software, like Miradore.

What is FileVault?

FileVault is a full disk encryption feature from Apple built into the Macintosh operating system (macOS). FileVault is supported in Mac OS X 10.3 later, and it provides strong encryption for files and data on Mac computers, protecting the entire drive and all of the files located on the drive — just like BitLocker for Windows. When enabled, FileVault works silently in the background, encrypting all device data on the fly without disruptions.

Just like with BitLocker, you don’t need an additional password to use your files. Just type in your user ID and password when logging in to your computer and you’re good to go. However, to recover the encrypted data, you need a FileVault recovery key that is created when you enable FileVault for the first time.

If you are responsible for managing multiple Mac computers, you can easily enforce drive encryption as a mass deployment with Miradore.

Should I use FileVault or BitLocker disk encryption?

If you need to access sensitive information, such as medical records, customer data, or credit card information, on your computer, using FileVault and BitLocker is smart. It’s fairly easy to enforce and simple for end-users as they don’t have to worry about saving their files in a certain folder.

If you need to access sensitive information, such as medical records, customer data, or credit card information, on your computer, using FileVault and BitLocker is smart.

One of the main advantages of the full disk encryption technologies is the full automation they provide. After the activation of BitLocker or FileVault, these encryption methods will work on their own encrypting everything on the fly. Device users do not even have to think about the encryption ever again.

If a laptop is ever lost, stolen, or decommissioned inappropriately, the odds are that the data will remain safe even then, because encrypted drives are extremely difficult to access without knowing the decryption key. This is not the case with unprotected drives, to which the attacker may gain access, simply by attaching them to another computer.

Full disk encryption is a great way to protect sensitive customer data.

In addition, today’s companies need to adhere to data protection regulations and policies, such as GDPR, HIPAA, and CJIS, and full disk encryption is a great way to protect sensitive customer data.

Drawbacks of disk encryption

Although it may seem a no-brainer to use encryption, many organizations still hesitate to implement disk encryption for different reasons. There may be, for example, uncertainty about how to implement the encryption wisely or concerns about what challenges the encryption could cause for data recovery if a computer breaks down or the user forgets his login password.

“Who has the time and competence to enable encryption?”

“How can we see which drives are or aren’t encrypted?”

“Who should store the recovery keys and where?”

The questions above are examples of valid concerns that may slow down the adoption of disk encryption. Luckily, all of them can be easily addressed with the right tools, like Miradore.

Also, some might be concerned about how drive encryption affects the computer’s performance but with modern Windows computers and Mac, there is no noticeable change.

How to enable BitLocker encryption?

Enabling BitLocker manually is actually quite straightforward and easy if your Windows computer is running the right operating system version. The device user can enable BitLocker disk encryption in Windows File Explorer by right-clicking on a drive and then choosing “Turn on BitLocker”. After that, the user is asked to choose how they want to preserve the BitLocker recovery key. Keeping the recovery key in a safe place is essential as you need it to unlock your disk.

Sounds simple but gets complex quickly if dozens or hundreds of users need to be instructed through the implementation step-by-step and if there is no centralized way for storing the recovery keys.

This is where Miradore steps in.

Miradore makes it easy to enable BitLocker on all of your Windows devices. You can create a Configuration Profile, which defines the desired settings for BitLocker encryption. You only need to choose whether you want to encrypt the system drive or all fixed drives of a computer – and that’s it. If you want, you can also choose the preferred encryption mode.

Creating a Configuration Profile for drive encryption in Miradore

You can then deploy the configuration profile remotely to as many Windows computers as you like and Miradore works its magic to enable the BitLocker.

Deploying the created Configuration Profile to multiple Windows computers

Miradore applies exactly the same encryption settings tirelessly to all computers without the risk of a human error and what’s best: it stores the recovery keys from all devices automatically in one place – to your Miradore site. You can rest assured knowing that device users do not need to bother you with questions and the recovery keys are stored appropriately. Other users than administrators cannot see the stored recovery keys on your Miradore site.

Data Encryption Software

Miradore stores BitLocker recovery keys in one place

What’s more, Miradore shows you which drives on your Miradore managed computers are protected with BitLocker, which makes it easy to follow-up the disk encryption status of your Windows devices.

View the BitLocker encryption status of your Windows devices

You can also add the BitLocker encryption configuration profile as part of a Business Policy which enables the automation of device setups.

How to enable FileVault disk encryption?

Enabling FileVault disk encryption works quite similarly to enabling BitLocker. In System Preferences, click Security & Privacy, go to the FileVault tab, and click the Lock button. After entering your admin name and password, you can turn on FileVault.

Miradore supports FileVault disk encryption for macOS 10.9 and newer devices. The implementation procedure follows the same lines as for the BitLocker with a few exceptions. You can enable FileVault to your Mac devices by creating a Configuration Profile that defines the right settings for encryption and deploy that configuration profile remotely to multiple Macs. With Miradore’s dashboard widget, you can view the FileVault drive encryption status of your device fleet.

View the FileVault encryption status of your Mac computers

With FileVault, you can choose whether you want to use personal, institutional, or both types of recovery keys for unlocking the encryption. The personal recovery key is always device-specific, and it will be generated automatically at the target device when enabling the encryption. The device’s user is responsible for writing down and storing the personal recovery key. The institutional key, on the other hand, is intended for organizations to unlock encrypted drives. As said, it is also possible to use both key types which means an encrypted drive could be unlocked using the correct personal or institutional key.

Best practices for drive encryption

A few things should be remembered when planning full disk encryption:

  • Back up your files: Make sure to back up your files before encryption and regularly after the encryption has been enabled. This ensures that you can recover your files quickly if something happens to your hard drive.
  • Use a strong passcode: As the Windows and Mac login credentials are used to access the encrypted files and documents, make sure to use a strong passcode that includes both letters and numbers.
  • Keep your recovery key in a safe place: If you forget your password, a recovery key is the only way to access the encrypted data. Thus, it’s important to store your recovery key in a secure place. You can for example use a password manager or Miradore.

Summary

Altogether, drive encryption is a very powerful data protection method, which is relatively easy to implement with proper tools.

The use of BitLocker and FileVault can step up the data security of any organization where Windows and Mac devices are used to process and store any kind of valuable or sensitive information like customer information, credit card details, or employee information. With Miradore’s Enterprise plan, you can easily enable BitLocker and FileVault to all your organization’s devices remotely.

If you’re responsible for ensuring data security in your organization, you can test Miradore’s Enterprise plan for free for 14 days. If you want to know more about disk encryption or Miradore’s capabilities, don’t hesitate to reach out to us!

Related Articles

Stay up to date with modern device management

Subscribe to Miradore's quarterly newsletter and blog notifications.

-->Encryption

Applicable to

  • Microsoft Drivers 5.2 for PHP for SQL Server

Introduction

This article provides information on how to develop PHP applications using Always Encrypted (Database Engine) and the PHP Drivers for SQL Server.

Always Encrypted allows client applications to encrypt sensitive data and never reveal the data or the encryption keys to SQL Server or Azure SQL Database. An Always Encrypted enabled driver, such as the ODBC Driver for SQL Server, transparently encrypts and decrypts sensitive data in the client application. The driver automatically determines which query parameters correspond to sensitive database columns (protected using Always Encrypted), and encrypts the values of those parameters before passing the data to SQL Server or Azure SQL Database. Similarly, the driver transparently decrypts data retrieved from encrypted database columns in query results. For more information, see Always Encrypted (Database Engine). The PHP Drivers for SQL Server utilize the ODBC Driver for SQL Server to encrypt sensitive data.

Prerequisites

  • Configure Always Encrypted in your database. This configuration involves provisioning Always Encrypted keys and setting up encryption for selected database columns. If you do not already have a database with Always Encrypted configured, follow the directions in Getting Started with Always Encrypted. In particular, your database should contain the metadata definitions for a Column Master Key (CMK), a Column Encryption Key (CEK), and a table containing one or more columns encrypted using that CEK.
  • Make sure ODBC Driver for SQL Server version 17 or higher is installed on your development machine. For details, see ODBC Driver for SQL Server.

Enabling Always Encrypted in a PHP Application

The easiest way to enable the encryption of parameters targeting the encrypted columns and the decryption of query results is by setting the value of the ColumnEncryption connection string keyword to Enabled. The following are examples of enabling Always Encrypted in the SQLSRV and PDO_SQLSRV drivers:

SQLSRV:

PDO_SQLSRV:

Enabling Always Encrypted is not sufficient for encryption or decryption to succeed; you also need to make sure that:

  • The application has the VIEW ANY COLUMN MASTER KEY DEFINITION and VIEW ANY COLUMN ENCRYPTION KEY DEFINITION database permissions, required to access the metadata about Always Encrypted keys in the database. For details, see Database Permission.
  • The application can access the CMK that protects the CEKs for the queried encrypted columns. This requirement is dependent on the key store provider that stores the CMK. For more information, see Working with Column Master Key Stores.

Retrieving and Modifying Data in Encrypted Columns

Once you enable Always Encrypted on a connection, you can use standard SQLSRV APIs (see SQLSRV Driver API Reference) or PDO_SQLSRV APIs (see PDO_SQLSRV Driver API Reference) to retrieve or modify data in encrypted database columns. Assuming your application has the required database permissions and can access the column master key, the driver encrypts any query parameters that target encrypted columns and decrypt data retrieved from encrypted columns, behaving transparently to the application as if the columns were not encrypted.

If Always Encrypted is not enabled, queries with parameters that target encrypted columns fail. Data can still be retrieved from encrypted columns, as long as the query has no parameters targeting encrypted columns. However, the driver does not attempt any decryption and the application receives the binary encrypted data (as byte arrays).

The following table summarizes the behavior of queries, depending on whether Always Encrypted is enabled or not:

Query characteristicAlways Encrypted is enabled and application can access the keys and key metadataAlways Encrypted is enabled and application cannot access the keys or key metadataAlways Encrypted is disabled
Parameters targeting encrypted columns.Parameter values are transparently encrypted.ErrorError
Retrieving data from encrypted columns, without parameters targeting encrypted columns.Results from encrypted columns are transparently decrypted. The application receives plaintext column values.ErrorResults from encrypted columns are not decrypted. The application receives encrypted values as byte arrays.

The following examples illustrate retrieving and modifying data in encrypted columns. The examples assume a table with the following schema. The SSN and BirthDate columns are encrypted.

Data Insertion Example

The following examples demonstrate how to use the SQLSRV and PDO_SQLSRV drivers to insert a row into the Patient table. Note the following points:

  • There is nothing specific to encryption in the sample code. The driver automatically detects and encrypts the values of the SSN and BirthDate parameters, which target encrypted columns. This mechanism makes encryption transparent to the application.
  • The values inserted into database columns, including the encrypted columns, are passed as bound parameters. While using parameters is optional when sending values to non-encrypted columns (although it is highly recommended because it helps prevent SQL injection), it is required for values targeting encrypted columns. If the values inserted in the SSN or BirthDate columns were passed as literals embedded in the query statement, the query would fail because the driver does not attempt to encrypt or otherwise process literals in queries. As a result, the server would reject them as incompatible with the encrypted columns.
  • When inserting values using bind parameters, a SQL type that is identical to the data type of the target column or whose conversion to the data type of the target column is supported must be passed to the database. This requirement is because Always Encrypted supports few type conversions (for details, see Always Encrypted (Database Engine)). The two PHP drivers, SQLSRV and PDO_SQLSRV, each has a mechanism to help the user determine the SQL type of the value. Therefore, the user does not have to provide the SQL type explicitly.
  • For the SQLSRV driver, the user has two options:
  • Rely on the PHP driver to determine and set the right SQL type. In this case, the user must use sqlsrv_prepare and sqlsrv_execute to execute a parameterized query.
  • Set the SQL type explicitly.
  • For the PDO_SQLSRV driver, the user does not have the option to explicitly set the SQL type of a parameter. The PDO_SQLSRV driver automatically helps the user determine the SQL type when binding a parameter.
  • For the drivers to determine the SQL type, some limitations apply:
  • SQLSRV Driver:
  • If the user wants the driver to determine the SQL types for the encrypted columns, the user must use sqlsrv_prepare and sqlsrv_execute.
  • If sqlsrv_query is preferred, the user is responsible for specifying the SQL types for all parameters. The specified SQL type must include the string length for string types, and the scale and precision for decimal types.
  • PDO_SQLSRV Driver:
  • The statement attribute PDO::SQLSRV_ATTR_DIRECT_QUERY is not supported in a parameterized query.
  • The statement attribute PDO::ATTR_EMULATE_PREPARES is not supported in a parameterized query.

SQLSRV driver and sqlsrv_prepare:

SQLSRV driver and sqlsrv_query:

PDO_SQLSRV driver and PDO::prepare:

Plaintext Data Retrieval Example

The following examples demonstrate filtering data based on encrypted values, and retrieving plaintext data from encrypted columns using the SQLSRV and PDO_SQLSRV drivers. Note the following points:

  • The value used in the WHERE clause to filter on the SSN column needs to be passed using bind parameter, so that the driver can transparently encrypt it before sending it to the server.
  • When executing a query with bound parameters, the PHP drivers automatically determines the SQL type for the user unless the user explicitly specifies the SQL type when using the SQLSRV driver.
  • All values printed by the program are in plaintext, since the driver transparently decrypts the data retrieved from the SSN and BirthDate columns.

Note: Queries can perform equality comparisons on encrypted columns only if the encryption is deterministic. For more information, see Selecting Deterministic or Randomized encryption.

SQLSRV:

PDO_SQLSRV:

Ciphertext Data Retrieval Example

If Always Encrypted is not enabled, a query can still retrieve data from encrypted columns, as long as the query has no parameters targeting encrypted columns.

The following examples illustrate retrieving binary encrypted data from encrypted columns using the SQLSRV and PDO_SQLSRV drivers. Note the following points:

  • As Always Encrypted is not enabled in the connection string, the query returns encrypted values of SSN and BirthDate as byte arrays (the program converts the values to strings).
  • A query retrieving data from encrypted columns with Always Encrypted disabled can have parameters, as long as none of the parameters target an encrypted column. The following query filters by LastName, which is not encrypted in the database. If the query filters by SSN or BirthDate, the query would fail.

SQLSRV:

PDO_SQLSRV:

Avoiding Common Problems when Querying Encrypted Columns

This section describes common categories of errors when querying encrypted columns from PHP applications and a few guidelines on how to avoid them.

Unsupported data type conversion errors

Always Encrypted supports few conversions for encrypted data types. See Always Encrypted (Database Engine) for the detailed list of supported type conversions. Do the following to avoid data type conversion errors:

  • When using the SQLSRV driver with sqlsrv_prepare and sqlsrv_execute the SQL type, along with the column size and the number of decimal digits of the parameter is automatically determined.
  • When using the PDO_SQLSRV driver to execute a query, the SQL type with the column size and the number of decimal digits of the parameter is also automatically determined
  • When using the SQLSRV driver with sqlsrv_query to execute a query:
  • The SQL type of the parameter is either exactly the same as the type of the targeted column, or the conversion from the SQL type to the type of the column is supported.
  • The precision and scale of the parameters targeting columns of the decimal and numeric SQL Server data types is the same as the precision and scale configure for the target column.
  • The precision of parameters targeting columns of datetime2, datetimeoffset, or time SQL Server data types is not greater than the precision for the target column, in queries that modify the target column.
  • Do not use PDO_SQLSRV statement attributes PDO::SQLSRV_ATTR_DIRECT_QUERY or PDO::ATTR_EMULATE_PREPARES in a parameterized query

Drivers Data Encryption Software

Errors due to passing plaintext instead of encrypted values

Any value that targets an encrypted column needs to be encrypted before being sent to the server. An attempt to insert, modify, or filter by a plaintext value on an encrypted column results in an error. To prevent such errors, make sure that:

  • Always Encrypted is enabled (in the connection string, set the ColumnEncryption keyword to Enabled).
  • You use bind parameter to send data targeting encrypted columns. The following example shows a query that incorrectly filters by a literal/constant on an encrypted column (SSN):

Drivers Data Encryption

Controlling Performance Impact of Always Encrypted

Because Always Encrypted is a client-side encryption technology, most of the performance overhead is observed on the client side, not in the database. Apart from the cost of encryption and decryption operations, the other sources of performance overhead on the client side are:

  • Additional round-trips to the database to retrieve metadata for query parameters.
  • Calls to a column master key store to access a column master key.

Round-trips to Retrieve Metadata for Query Parameters

If Always Encrypted is enabled for a connection, the ODBC Driver will, by default, call sys.sp_describe_parameter_encryption for each parameterized query, passing the query statement (without any parameter values) to SQL Server. This stored procedure analyzes the query statement to find out if any parameters need to be encrypted, and if so, returns the encryption-related information for each parameter to allow the driver to encrypt them.

Since the PHP drivers allow the user to bind a parameter in a prepared statement without providing the SQL type, when binding a parameter in an Always Encrypted enabled connection, the PHP Drivers call SQLDescribeParam on the parameter to get the SQL type, column size, and decimal digits. The metadata is then used to call SQLBindParameter. These extra SQLDescribeParam calls do not require extra round-trips to the database as the ODBC Driver has already stored the information on the client side when sys.sp_describe_parameter_encryption was called.

The preceding behaviors ensure a high level of transparency to the client application (and the application developer) does not need to be aware of which queries access encrypted columns, as long as the values targeting encrypted columns are passed to the driver in parameters.

Unlike the ODBC Driver for SQL Server, enabling Always Encrypted at the statement/query-level is not yet supported in the PHP drivers.

Column Encryption Key Caching

To reduce the number of calls to a column master key store to decrypt column encryption keys (CEK), the driver caches the plaintext CEKs in memory. After receiving the encrypted CEK (ECEK) from database metadata, the ODBC driver first tries to find the plaintext CEK corresponding to the encrypted key value in the cache. The driver calls the key store containing the CMK only if it cannot find the corresponding plaintext CEK in the cache.

Note: In the ODBC Driver for SQL Server, the entries in the cache are evicted after a two-hour timeout. This behavior means that for a given ECEK, the driver contacts the key store only once during the lifetime of the application or every two hours, whichever is less.

Working with Column Master Key Stores

To encrypt or decrypt data, the driver needs to obtain a CEK that is configured for the target column. CEKs are stored in encrypted form (ECEKs) in the database metadata. Each CEK has a corresponding CMK that was used to encrypt it. The database metadata does not store the CMK itself; it only contains the name of the key store and information that the key store can use to locate the CMK.

To obtain the plaintext value of an ECEK, the driver first obtains the metadata about both the CEK and its corresponding CMK, and then it uses this information to contact the key store containing the CMK and requests it to decrypt the ECEK. The driver communicates with a key store using a key store provider.

Drivers Data Encryption

For Microsoft Driver 5.3.0 for PHP for SQL Server, only Windows Certificate Store Provider and Azure Key Vault are supported. The other Keystore Provider supported by the ODBC Driver (Custom Keystore Provider) is not yet supported.

Using the Windows Certificate Store Provider

The ODBC Driver for SQL Server on Windows includes a built-in column master key store provider for the Windows Certificate Store, named MSSQL_CERTIFICATE_STORE. (This provider is not available on macOS or Linux.) With this provider, the CMK is stored locally on the client machine and no additional configuration by the application is necessary to use it with the driver. However, the application must have access to the certificate and its private key in the store. For more information, see Create and Store Column Master Keys (Always Encrypted).

Using Azure Key Vault

Azure Key Vault offers a way to store encryption keys, passwords, and other secrets using Azure and can be used to store keys for Always Encrypted. The ODBC Driver for SQL Server (version 17 and higher) includes a built-in master key store provider for Azure Key Vault. The following connection options handle Azure Key Vault configuration: KeyStoreAuthentication, KeyStorePrincipalId, and KeyStoreSecret.

  • KeyStoreAuthentication can take one of two possible string values: KeyVaultPassword and KeyVaultClientSecret. These values control what kind of authentication credentials are used with the other two keywords.
  • KeyStorePrincipalId takes a string representing an identifier for the account seeking to access the Azure Key Vault.
    • If KeyStoreAuthentication is set to KeyVaultPassword, then KeyStorePrincipalId must be the name of an Azure ActiveDirectory user.
    • If KeyStoreAuthentication is set to KeyVaultClientSecret, then KeyStorePrincipalId must be an application client ID.
  • KeyStoreSecret takes a string representing a credential secret.
    • If KeyStoreAuthentication is set to KeyVaultPassword, then KeyStoreSecret must be the user's password.
    • If KeyStoreAuthentication is set to KeyVaultClientSecret, then KeyStoreSecret must be the application secret associated with the application client ID.

All three options must be present in the connection string to use Azure Key Vault. In addition, ColumnEncryption must be set to Enabled. If ColumnEncryption is set to Disabled but the Azure Key Vault options are present, the script will proceed without errors but no encryption will be performed.

The following examples show how to connect to SQL Server using Azure Key Vault.

Drivers Data Encryption Definition

SQLSRV:

Data Encryption Policy

Using an Azure Active Directory account:

Using an Azure application client ID and secret:

Drivers Data Encryption Definition

PDO_SQLSRV:Using an Azure Active Directory account:

Using an Azure application client ID and secret:

Limitations of the PHP drivers when using Always Encrypted

Data Encryption Wep

SQLSRV and PDO_SQLSRV:

  • Linux/macOS do not support Windows Certificate Store Provider
  • Forcing parameter encryption
  • Enabling Always Encrypted at the statement level
  • When using the Always Encrypted feature and non-UTF8 locales on Linux and macOS (such as 'en_US.ISO-8859-1'), inserting null data or an empty string into an encrypted char(n) column may not work unless Code Page 1252 has been installed on your system

SQLSRV only:

  • Using sqlsrv_query for binding parameter without specifying the SQL type
  • Using sqlsrv_prepare for binding parameters in a batch of SQL statements

PDO_SQLSRV only:

  • PDO::SQLSRV_ATTR_DIRECT_QUERY statement attribute specified in a parameterized query
  • PDO::ATTR_EMULATE_PREPARE statement attribute specified in a parameterized query
  • binding parameters in a batch of SQL statements

The PHP drivers also inherit the limitations imposed by the ODBC Driver for SQL Server and the database. See Limitations of the ODBC driver when using Always Encrypted and Always Encrypted Feature Details.

See Also