Module encryption

Expand description

Always Encrypted client-side encryption and decryption.

This module provides the infrastructure for SQL Server’s Always Encrypted feature, which enables client-side encryption of sensitive database columns.

§Architecture

Always Encrypted uses a two-tier key hierarchy:

Column Master Key (CMK) - External (KeyVault, CertStore, HSM)
        │
        ▼ RSA-OAEP unwrap
Column Encryption Key (CEK) - Stored encrypted in database
        │
        ▼ AEAD_AES_256_CBC_HMAC_SHA256
Encrypted Column Data

§Usage

use mssql_client::{Config, EncryptionConfig};
use mssql_auth::InMemoryKeyStore;

// Create encryption configuration
let mut key_store = InMemoryKeyStore::new();
key_store.add_key("MyKey", &pem)?;

let encryption_config = EncryptionConfig::new()
    .with_provider(key_store)
    .build();

// Connect with encryption enabled
let config = Config::from_connection_string(conn_str)?
    .with_encryption(encryption_config);

let client = Client::connect(config).await?;

§Security Model

Client-only decryption: SQL Server never sees plaintext data
DBA protection: Even database administrators cannot read encrypted data
Key separation: CMK stays in secure key store, never transmitted

Structs§

EncryptionConfig: Configuration for Always Encrypted feature.
ParameterCryptoInfo: Encryption metadata for a single parameter.
ParameterEncryptionInfo: Parameter encryption metadata for a query.
ResultSetEncryptionInfo: Column encryption metadata for a result set.

Module encryption

Module encryption Copy item path

§Architecture

§Usage

§Security Model

Structs§

Module encryption