Tips and Best Practices
| # | Description |
|---|---|
| 1 | TLSv1.2 must be used for communication with the CipherTrust Manager and the database. |
| 2 | It is recommended not to use global keys for encryption/decryption. |
| 3 | User-specified passwords, such as Client_Cert_Passphrase and Key_Store_Password, should not be used as cryptographic keys. |
| 4 | It is recommended to obfuscate any password before using it. |
| 5 | If your client is working with many versions of a key, do not set the Connection_Timeout parameter too low. Otherwise, the client connection may close before the operation is complete. |
| 6 | If you specify a value other than the default for the Cipher_Spec parameter, you must use RSA for key exchange. |
| 7 | Identity columns cannot be encrypted. |
| 8 | Once you have migrated a table, it is not recommended to do any of the following: drop or rename the encrypted table; drop or rename the encrypted column; change the data type or extend the length of an encrypted column; modify the data type of the encrypted column; rename the IV column; rename a view; rename a trigger. |
| 9 | Changes to the properties file do not take effect automatically. If you modify any value in the properties file after installing CDP for SQL Server, you must restart the database server. |
| 10 | The Protocol parameter specifies the protocol used to communicate between the client and the CipherTrust Manager. Possible options are tcp and ssl. The ssl option uses TLSv1.2. To establish SSL connections between your NAE clients and servers, TLSv1.2 should be enabled on your servers. |
| 11 | Replacement values are not returned if a query yields a NULL value. When a query results in a NULL value, no cryptographic operation is required, so CDP does not interact with the CipherTrust Manager and the replacement values feature is not activated. |
| 12 | User authorization comes into effect after the encryption is complete. Even if the error replacement value is set, all users can see the actual data while encryption is in progress. Users not permitted to view sensitive information should not be granted permission on the table that holds sensitive data before encryption is complete. |
| 13 | The data encryption process adds columns to the migrated tables. SQL Server limits the actual row length to 8060 bytes. If the data encryption process would result in a row larger than 8060 bytes, SQL Server prevents the encryption. If your table includes columns of NVARCHAR or VARBINARY data type, the actual row length may differ from the sum of the column definitions, since those data types have variable length. SQL Server's row limitation applies to the actual data length, not to the column definitions. |
| 14 | Thales strongly discourages you from manually modifying any of the metadata tables associated with CDP. Doing so could result in undesired behavior. Likewise, take great caution when modifying the base table. |
| 15 | Once you have saved the column properties for a particular column, do not significantly modify that column or table (for example, rename the column, or drop and recreate the table) before performing the data encryption. You might encounter problems if you do. |
| 16 | Enable Active Scripting for proper functioning of the UI. For example, if Active Scripting is not enabled in your browser, keys may not be visible or the Key drop-down list may appear empty in the Column Properties section. |
| 17 | As a security precaution, Thales recommends that you do not use global keys for database encryption. |
| 18 | Before unencrypting a table, ensure that the user mapping is correct. The database user should be mapped to the NAE user that owns the key(s) used to encrypt the column(s). |
| 19 | On columns that have default values, when an INSERT/UPDATE operation is performed through a trigger and no value (or a NULL value) is passed in, the trigger inserts/updates either NULL or the default value, depending on the settings chosen in Create Views and Triggers. |
| 20 | While key rotation is in progress, if you want to perform an encrypt/decrypt operation on a table, you must have the encrypt privilege on both the old and new keys and the decrypt privilege on the old key. |
| 21 | The mapping priority takes precedence in the following order: individual > database role > AD group > Default Mapping. |
| 22 | Multiple versions of a key can be Active at the same time. However, the latest Active version is used as the default version if you do not specify a particular version. You can encrypt only with the Active versions of a key. |
| 23 | Your client and its connection to the CipherTrust Manager must be secure. Downloading keys over this connection and storing them on your client exposes them to possible attack. When using the symmetric key caching feature, be sure that you are using a secure method of download and that your client's operating system is secure. |
| 24 | Partitioned tables cannot be encrypted directly. The table should be encrypted first, and then partitioning can be added to it. |
| 25 | CDP uses an INSTEAD OF trigger with a user-defined function, so the SCOPE_IDENTITY() function, by its definition, does not work with CDP. As a workaround, @@IDENTITY can be used. |
| 26 | It is recommended to use local mode for faster data encryption. |
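Tip 25 worked through, as an added T-SQL example that is not CDP's own code: a constructed base table, view and INSTEAD OF INSERT trigger of the same shape CDP creates, showing why SCOPE_IDENTITY() returns NULL to the caller while @@IDENTITY returns the new value. All object names and the placeholder function are assumptions; the function is not encryption, it only stands in for the UDF the trigger calls.

```sql
-- Run as a script in SSMS or sqlcmd (GO separates batches). Constructed objects, not CDP's.
CREATE TABLE dbo.Customers_base (
    CustomerId INT IDENTITY(1,1) PRIMARY KEY,
    Name       NVARCHAR(100) NOT NULL,
    Ssn        NVARCHAR(64)  NULL   -- would hold CDP's ciphertext; here a placeholder transform
);
GO
-- The application talks to the view; CDP likewise fronts the base table with a view.
CREATE VIEW dbo.Customers AS
    SELECT CustomerId, Name, Ssn FROM dbo.Customers_base;
GO
-- Hypothetical stand-in for the user-defined function CDP's trigger calls. It is NOT
-- encryption; it exists only so the trigger performs the insert through a UDF.
CREATE FUNCTION dbo.fn_placeholder_transform (@plain NVARCHAR(64))
RETURNS NVARCHAR(64)
AS BEGIN RETURN N'enc:' + @plain; END;
GO
-- INSTEAD OF trigger: the INSERT the caller issued is replaced by this one, so the
-- identity value is generated inside the trigger's scope, not the caller's batch.
CREATE TRIGGER dbo.trg_Customers_insert ON dbo.Customers
INSTEAD OF INSERT
AS
BEGIN
    SET NOCOUNT ON;
    INSERT INTO dbo.Customers_base (Name, Ssn)
    SELECT Name, dbo.fn_placeholder_transform(Ssn)
    FROM inserted;
END;
GO
-- Caller's batch: insert through the view, then ask for the generated key both ways.
INSERT INTO dbo.Customers (Name, Ssn) VALUES (N'Alice', N'000-00-0001');   -- constructed sample

SELECT SCOPE_IDENTITY() AS scope_identity,    -- NULL: no identity was generated in THIS scope
       @@IDENTITY       AS session_identity;  -- 1: last identity value in this session, any scope

-- Caveat: @@IDENTITY is session-wide. If the trigger (or a nested trigger) also inserts
-- into another table that has an IDENTITY column, @@IDENTITY returns that table's value.
```

Wrap application code that relies on @@IDENTITY in the same batch as the INSERT, and keep auditing or logging inserts out of the trigger path if those tables also use IDENTITY.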
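For tip 13, an added pre-migration check that is not a CDP utility: it sums the actual DATALENGTH of every non-computed column per row and lists the rows that leave less than a chosen headroom below the 8060-byte limit, so the columns that encryption adds are judged against real data rather than declared widths. The table name, key column and headroom are constructed inputs, and the sum is a lower bound because it omits row-header, null-bitmap and offset-array overhead.

```sql
-- Added pre-migration check (not part of CDP). Needs SQL Server 2017+ for STRING_AGG.
DECLARE @table    SYSNAME = N'dbo.Customers_base';   -- constructed: table you plan to encrypt
DECLARE @key      SYSNAME = N'CustomerId';           -- constructed: column that identifies a row
DECLARE @headroom INT     = 1024;                    -- constructed: flag rows with less room than this
DECLARE @limit    INT     = 8060;                    -- SQL Server's in-row limit the tip refers to

DECLARE @oid INT = OBJECT_ID(@table);
IF @oid IS NULL OR COL_LENGTH(@table, @key) IS NULL
    THROW 50000, N'table or key column not found', 1;

-- Rebuild the object name from catalog metadata and QUOTENAME every identifier so the
-- dynamic SQL below never interpolates a raw string taken from the inputs.
DECLARE @qname NVARCHAR(300) =
    QUOTENAME(OBJECT_SCHEMA_NAME(@oid)) + N'.' + QUOTENAME(OBJECT_NAME(@oid));

-- Sum of the bytes actually stored in each non-computed column: the row limit applies
-- to this, not to the declared widths of NVARCHAR/VARBINARY columns.
DECLARE @size_expr NVARCHAR(MAX);
SELECT @size_expr = STRING_AGG(
           CAST(N'ISNULL(DATALENGTH(' + QUOTENAME(c.name) + N'), 0)' AS NVARCHAR(MAX)),
           N' + ')
FROM sys.columns AS c
WHERE c.object_id = @oid AND c.is_computed = 0;

-- Rows closest to the limit first; @limit and @headroom are passed as parameters.
DECLARE @sql NVARCHAR(MAX) = N'
SELECT TOP (50) ' + QUOTENAME(@key) + N' AS key_value,
       ' + @size_expr + N' AS data_bytes,
       @limit - (' + @size_expr + N') AS bytes_left
FROM ' + @qname + N'
WHERE ' + @size_expr + N' > @limit - @headroom
ORDER BY data_bytes DESC;';

EXEC sys.sp_executesql @sql, N'@limit INT, @headroom INT', @limit = @limit, @headroom = @headroom;
```

Rows that appear in the result are the ones where the IV and ciphertext columns the migration adds are most likely to push the row over the limit and block encryption.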