Changes in FIPS 140-2 implementation

The following is important only to customers who used previous versions (7.2 and older) of DbDefence in FIPS 140-2 validated mode.

Problem: Validation of the previously used implementation, with certificate #819, has expired. This does not mean that there was a security flaw; the validation simply was not renewed by the vendor.

Solution: The new version uses another module that complies with the latest security requirements. However, to comply with those requirements we had to break compatibility with the older implementation.

Breaking changes:

Removed validation label in dbd_listdb

The new DbDefence will be able to use databases encrypted by the old version in FIPS 140-2 mode, but it will display “No” in the “FIPS 140-2 Encryption Mode” field of “exec master..dbd_listdb”. It is still possible to use, decrypt, back up and restore a database encrypted in the old FIPS 140-2 mode.

The new FIPS 140-2 module is NOT AVAILABLE with 32-bit SQL Server.

The new FIPS 140-2 module has certain technical limitations when working in 32-bit processes. This limitation is common to many (if not all) implementations. Although the Security Policy offers a solution, it is not a technically reliable solution for the SQL Server process.

Technical info: the reason is that the 32-bit DLL has to be loaded at a certain place in the process’s memory. SQL Server is a complex and large application, and with very high probability that place may already be used by other code.

The new FIPS 140-2 mode is NOT AVAILABLE with the 32-bit API DLL.

The new FIPS 140-2 module has certain technical limitations when working in 32-bit processes. Although the Security Policy offers a solution, it is not a reliable solution for 32-bit DLLs.

The limitation applies only to the API DLL, not to the command-line tool (dbencrypt.exe) or the GUI. If you use dbencrypt.dll in FIPS 140-2 mode (option -V) in a 32-bit process, consider using dbencrypt.exe instead. If this switch is technically difficult, please contact support@activecrypt.com for possible solutions.

Notes about old backups.

It is still possible to restore an old backup into a database encrypted by the older DbDefence. However, it is not possible to restore a database encrypted by the old FIPS 140-2 module into a database encrypted by the new module.

Recommendations

What to do to comply with security requirements?

To comply with security requirements and use the current FIPS 140-2 validated module, we recommend that you decrypt the previously encrypted database and then encrypt it again using the new FIPS 140-2 mode. After that you may want to make a backup.

How to find out whether DbDefence supports FIPS 140-2 mode on SQL Server?

Execute the SQL command “exec master..dbd_status”. The command should display “Available” in the FIPS 140-2 field.

How to make sure that the implementation is a FIPS 140-2 validated implementation?

There is no way to check it. You can only rely on our statement that we have built it properly, according to the User Guide and Security Policy. Alternatively, your security officer may compile and install the module by himself. Please contact support@activecrypt.com for more information.