feature: enable column encryption at the TDS level #265

Open
simenfd opened this issue May 24, 2017 · 6 comments · May be fixed by #637

@simenfd

simenfd commented May 24, 2017

This might not be an issue, as much as it is a missing feature:

It seems like SQL Server has a feature called "Always Encrypted" which can be enabled by writing "Column Encryption Setting=enabled;" in the connection string. The idea is that the driver pulls some keys from a certificate and automatically decrypts the encrypted columns. Currently, this is not working with this driver.

@kardianos
Collaborator

@simenfd Can you link to official docs in the TDS documentation?

@dimdin
Collaborator

dimdin commented May 24, 2017

They use AES-256 with CBC and HMAC with SHA-512 for column encryption.
The latest version of TDS spec is https://msdn.microsoft.com/en-us/library/dd304523.aspx
FEATUREEXTACK message is used for column encryption feature activation and version, and COLMETADATA is extended with keys.
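
Added example (not part of the thread and not code from go-mssqldb): a minimal Go sketch of the construction the comment above names, AES-256-CBC authenticated with HMAC-SHA-512, showing the tag being verified before anything is decrypted. The byte layout, the 64-byte key split and the names `tag`, `seal` and `open` are assumptions made for this example; it does not reproduce SQL Server's cell format or key derivation.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
)

// Constructed layout: IV(16) || CBC ciphertext (PKCS#7) || tag(64). Hypothetical key split: key[:32] MAC, key[32:] AES.
func tag(key *[64]byte, data []byte) []byte {
	m := hmac.New(sha512.New, key[:32])
	m.Write(data)
	return m.Sum(nil)
}
func seal(key *[64]byte, plaintext []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key[32:]) // cannot fail: the key is 32 bytes
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil { // fresh random IV per cell
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return append(out, tag(key, out)...), nil // the tag covers IV and ciphertext
}

func open(key *[64]byte, cell []byte) ([]byte, bool) {
	n := len(cell) - sha512.Size
	if n < 2*aes.BlockSize || n%aes.BlockSize != 0 || !hmac.Equal(tag(key, cell[:n]), cell[n:]) {
		return nil, false // rejected in constant time, before any decryption or padding check
	}
	block, _ := aes.NewCipher(key[32:])
	pt := make([]byte, n-aes.BlockSize)
	cipher.NewCBCDecrypter(block, cell[:aes.BlockSize]).CryptBlocks(pt, cell[aes.BlockSize:n])
	if pad := int(pt[len(pt)-1]); pad >= 1 && pad <= aes.BlockSize {
		return pt[:len(pt)-pad], true
	}
	return nil, false
}

func main() {
	var key [64]byte // constructed all-zero demo key
	cell, _ := seal(&key, []byte("constructed value"))
	cell[20] ^= 1 // flip one ciphertext bit
	_, ok := open(&key, cell)
	println("tampered cell accepted:", ok)
}
```

Because the MAC is checked first, a modified cell never reaches the CBC padding logic, which is what keeps this construction from acting as a padding oracle.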

@kardianos changed the title from '"Column Encryption Setting=enabled" not working' to 'feature: enable column encryption at the TDS level' on May 24, 2017
@yang-jiayi

yang-jiayi commented Jun 21, 2018

Is the parameter "Column Encryption Setting=enabled" working?

```go
package main

import (
	"context"
	"database/sql"
	"fmt"
	"log"

	_ "github.com/denisenkom/go-mssqldb"
)

var db *sql.DB

var server = ""
var port = 1433
var user = "sa"
var password = "<>"
var database = ""

// Always Encrypted
var alwaysencrypted = "enabled"

func main() {
	connString := fmt.Sprintf("server=%s;user id=%s;password=%s;port=%d;database=%s;Column Encryption Setting=%s;",
		server, user, password, port, database, alwaysencrypted)

	//fmt.Printf(connString)

	var err error

	// sql.Open only validates its arguments; the first connection is made by PingContext below.
	db, err = sql.Open("sqlserver", connString)
	if err != nil {
		log.Fatal("Error creating connection pool: ", err.Error())
	}
	fmt.Printf("Connected!\n")

	count, err := ReadaeTest1()
	if err != nil {
		log.Fatal("Error reading rows: " + err.Error())
	}
	fmt.Printf("Read %d rows successfully.\n", count)
}

// ReadaeTest1 reads every row of aeTestDB.dbo.aeTest1 and returns the row count.
func ReadaeTest1() (int, error) {
	ctx := context.Background()

	err := db.PingContext(ctx)
	if err != nil {
		return -1, fmt.Errorf("pinging database: %w", err)
	}

	tsql := "SELECT colA, colB, colC FROM aeTestDB.dbo.aeTest1;"

	// Execute the SQL query
	rows, err := db.QueryContext(ctx, tsql)
	if err != nil {
		return -1, err
	}

	defer rows.Close()

	var count int = 0

	// Loop over the result set
	for rows.Next() {
		var colA int
		var colB, colC string

		err := rows.Scan(&colA, &colB, &colC)
		if err != nil {
			return -1, err
		}

		fmt.Printf("colA: %d, colB: %s, colC: %s\n", colA, colB, colC)
		count++
	}

	// Report any error that ended the iteration early.
	if err := rows.Err(); err != nil {
		return -1, err
	}

	return count, nil
}
```

@rcscoggin

Any update on adding support for Column Level Encryption to tds.go? thanks!

odeke-em pushed a commit to orijtech/go-mssqldb that referenced this issue Jul 26, 2020
Github-fix: denisenkom#265
Signed-off-by: Nicolas Sebrecht <nicolas.sebrecht@1001pneus.fr>
odeke-em pushed a commit to orijtech/go-mssqldb that referenced this issue Jul 26, 2020
…ql (denisenkom#265)

* Fix in the URL parser with go 1.12.8 and github.com/go-sql-driver/mysql

Change schemeFromURL to just split the url by :// to find the scheme.
It's not required to parse the whole URL. MySQL DSNs aren't valid URLs.

Fixes denisenkom#264

* The mysql driver itself also used net/url.Parse

* Also fix TestPasswordUnencodedReservedURLChars

* Keep backwards compatibility with url encoded username and passwords

* Fix suggestions

* Reuse old function names
@denysvitali denysvitali linked a pull request Feb 9, 2021 that will close this issue
@denysvitali

Hello everyone, this feature is now implemented (check the related PR). At the moment only support for decryption is available though.

cc/ @rcscoggin , @simenfd

@shueybubbles
Contributor

I've started a more extensive AE implementation in the Microsoft fork and welcome feedback. We're starting with decryption using local certs or Azure Key Vault then expanding to encryption. microsoft#116
