Module encryption

Always Encrypted infrastructure for SQL Server.

This module provides the foundational types and interfaces for implementing SQL Server’s Always Encrypted feature, which encrypts sensitive column values inside the client driver so that the server only ever stores, indexes and returns ciphertext.

§Architecture Overview

Always Encrypted uses a two-tier key hierarchy:

┌─────────────────────────────────────────────────────────────────┐
│                        Key Hierarchy                            │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│   Column Master Key (CMK)                                       │
│   ├── Stored externally (KeyVault, CertStore, HSM)              │
│   ├── Never sent to SQL Server                                  │
│   └── Used to encrypt/decrypt CEKs                              │
│            │                                                    │
│            ▼                                                    │
│   Column Encryption Key (CEK)                                   │
│   ├── Stored in database (encrypted by CMK)                     │
│   ├── Decrypted on client side                                  │
│   └── Used for cell encryption (AES-256-CBC + HMAC-SHA256)      │
│            │                                                    │
│            ▼                                                    │
│   Encrypted Column Data                                         │
│   ├── Deterministic: Same input → same ciphertext               │
│   └── Randomized: Same input → different ciphertext             │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
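The cell-level step of the hierarchy above (plaintext CEK to per-column ciphertext, deterministic or randomized), as an added example that is not part of the mssql_auth crate. It is written in Go because the Go standard library already carries AES-CBC, HMAC-SHA256 and a CSPRNG, so it runs with no dependencies. It follows the AEAD_AES_256_CBC_HMAC_SHA_256 layout that Always Encrypted drivers use as I understand it from the MS-TDS specification and the open-source Microsoft.Data.SqlClient driver: three sub-keys derived from the CEK with HMAC-SHA256 over fixed UTF-16LE salt strings, a deterministic IV computed as an HMAC over the plaintext, encrypt-then-MAC, and the wire order version byte, tag, IV, ciphertext. Those constants are reproduced from memory with no official test vectors, so treat them as assumptions and verify against the specification before relying on interoperability; the CEK and the sample value are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptionType mirrors the two Always Encrypted column modes.
type EncryptionType int
const (
	Deterministic EncryptionType = 1 // IV derived from the plaintext: equal inputs give equal ciphertext
	Randomized    EncryptionType = 2 // fresh random IV per value
	version       byte           = 1 // algorithm version byte that leads every ciphertext
)

// CellKeys are the three sub-keys derived from one plaintext CEK; the CEK itself never touches data.
type CellKeys struct{ enc, mac, iv []byte }
func utf16le(s string) (out []byte) { // ASCII salt as UTF-16LE (byte, 0x00 pairs); encoding is an assumption, see lead-in
	for i := 0; i < len(s); i++ {
		out = append(out, s[i], 0)
	}
	return out
}

func hmacSHA256(key []byte, parts ...[]byte) []byte {
	h := hmac.New(sha256.New, key)
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// DeriveCellKeys expands a 32-byte CEK into separate encryption, MAC and IV keys.
func DeriveCellKeys(cek []byte) (*CellKeys, error) {
	if len(cek) != 32 {
		return nil, errors.New("CEK must be 32 bytes")
	}
	salt := func(kind string) []byte {
		return utf16le("Microsoft SQL Server cell " + kind + " key with encryption algorithm:AEAD_AES_256_CBC_HMAC_SHA_256 and key length:256")
	}
	return &CellKeys{enc: hmacSHA256(cek, salt("encryption")), mac: hmacSHA256(cek, salt("MAC")), iv: hmacSHA256(cek, salt("IV"))}, nil
}

func pkcs7Unpad(b []byte) ([]byte, error) { // caller guarantees a non-empty block multiple
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// Encrypt returns version || HMAC-SHA256 tag (32) || IV (16) || AES-256-CBC ciphertext.
func (k *CellKeys) Encrypt(plaintext []byte, t EncryptionType) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if t == Deterministic {
		copy(iv, hmacSHA256(k.iv, plaintext)) // keyed IV: stable per value, unpredictable without k.iv
	} else if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	ct := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...) // PKCS#7
	block, _ := aes.NewCipher(k.enc) // derived key is always 32 bytes, so this cannot fail
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, ct)
	tag := hmacSHA256(k.mac, []byte{version}, iv, ct, []byte{1}) // trailing byte is the version length
	return append(append(append([]byte{version}, tag...), iv...), ct...), nil
}

// Decrypt checks the tag in constant time before decrypting, so padding errors never become an oracle.
func (k *CellKeys) Decrypt(blob []byte) ([]byte, error) {
	if len(blob) < 49+aes.BlockSize || (len(blob)-49)%aes.BlockSize != 0 || blob[0] != version {
		return nil, errors.New("malformed or unsupported ciphertext")
	}
	tag, iv, ct := blob[1:33], blob[33:49], blob[49:]
	if !hmac.Equal(tag, hmacSHA256(k.mac, []byte{version}, iv, ct, []byte{1})) {
		return nil, errors.New("authentication tag mismatch")
	}
	block, _ := aes.NewCipher(k.enc)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

func main() {
	k, _ := DeriveCellKeys(bytes.Repeat([]byte{0x42}, 32)) // constructed demo CEK; a real one is unwrapped from the CMK
	v := []byte("alice@example.com")
	d1, _ := k.Encrypt(v, Deterministic)
	d2, _ := k.Encrypt(v, Deterministic)
	fmt.Println("deterministic repeats:", bytes.Equal(d1, d2))
	d1[len(d1)-1] ^= 1 // flip one ciphertext bit: the tag check must reject it
	_, err := k.Decrypt(d1)
	fmt.Println("tampered:", err)
}
```

Two properties are worth noticing. With Deterministic the two ciphertexts for the same address are byte-identical, which is exactly what lets the server evaluate an equality predicate on ciphertext and exactly why anyone who can read the column can count how often each value occurs. And Decrypt rejects anything whose tag does not verify before it touches the CBC padding, which is what keeps a padding-oracle attack off the table; a driver that decrypted first and authenticated second would undo the scheme.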

§Security Model

  • Client-only decryption: the server only ever handles ciphertext; encryption and decryption happen in the client driver, which needs access to the key store holding the CMK
  • DBA protection: database administrators, and anyone holding backups or data files, cannot read encrypted columns as long as they have no access to that key store
  • Key separation: the CMK stays in the key store and is never transmitted; the server stores only its metadata (provider name and key path) and the CEKs wrapped under it
  • Caveat: deterministic encryption preserves equality, which is what makes equality lookups and joins work, but it also exposes repeated values and their frequencies to anyone who can read the ciphertext; use randomized encryption for low-entropy or high-value columns that do not need to be searched
  • Caveat: the CMK path is server-supplied metadata, so a compromised server could point the client at a different key; production drivers mitigate this with an allowlist of trusted key paths, and a KeyStoreProvider implementation here should enforce the same check before unwrapping a CEK

§Usage

use mssql_auth::encryption::{ColumnEncryptionConfig, KeyStoreProvider};

// Build the Always Encrypted configuration around a KeyStoreProvider
// (`azure_key_vault_provider` is assumed to be an implementation in scope)
let encryption_config = ColumnEncryptionConfig::new()
    .with_key_store(azure_key_vault_provider)
    .build();

// Attach it to an existing connection config (`config`) and connect
let client = Client::connect(config.with_encryption(encryption_config)).await?;

§Implementation Status

This module provides the infrastructure and interfaces for Always Encrypted; nothing in it performs encryption yet. A full implementation requires:

  • Key store provider implementations (Azure KeyVault, Windows CertStore)
  • AEAD_AES_256_CBC_HMAC_SHA_256 cell encryption/decryption routines (AES-256-CBC with an HMAC-SHA256 tag)
  • RSA-OAEP unwrapping of CEKs with the CMK
  • Encryption metadata fetching (sys.columns together with sys.column_encryption_keys and sys.column_encryption_key_values)
  • Parameter encryption hooks
  • Result decryption hooks

Tracked as CRYPTO-001 in the project roadmap.

Structs§

CekMetadata
Metadata about a Column Encryption Key (CEK).
ColumnEncryptionConfig
Configuration for Always Encrypted.
ColumnEncryptionInfo
Encryption information for a specific database column.
EncryptedValue
Represents an encrypted value with its metadata.

Enums§

EncryptionError
Error types for Always Encrypted operations.
EncryptionType
Encryption type for Always Encrypted columns.

Traits§

KeyStoreProvider
Trait for Column Master Key (CMK) providers.