PKCS#11

DbDefence 7 adds support for PKCS#11 in SQL Server. PKCS#11 modules provide support for encryption hardware, encryption algorithms, secure storage and other security-related functions. A PKCS#11 module may serve as a driver for real hardware or may provide only an encryption algorithm in software.

The benefits of using PKCS#11 modules

  • Security: Hardware modules and key management provide better security.
  • Encryption control: You can write your own module and control encryption and key storage.
  • Certification: By using certified PKCS#11 modules and certified hardware, you can more easily comply with various security regulations and compliances.
  • No vendor lock-in: You are not "vendor-locked" to one encryption algorithm or provider. You may switch between encryption providers, and the PKCS#11 specification is very well documented.
  • Price: Small companies may use inexpensive hardware for trusted encryption. Large companies may extend existing security hardware infrastructure and get SQL Server encryption functionality at a lower cost.

Technical information

DbDefence implements data-at-rest encryption using a standardized AES algorithm. If a PKCS#11 module is used, encryption relies entirely on the module: DbDefence sends every chunk of database data to the module's encryption/decryption routine. A PKCS#11 module may represent physical hardware attached to the computer or may virtualize it. However, not all devices are suitable for database encryption: the device (physical or virtual) must support the AES_CTR mechanism. Hardware commonly provides AES_CBC or AES_ECB, but those mechanisms cannot be used. To check whether a device supports AES_CTR, consult the vendor's documentation.
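Because the AES_CTR requirement is the usual stumbling block, a practitioner will want to verify it against the module itself rather than only the vendor's brochure. The following is an added example, not DbDefence's own code: it shows the standard PKCS#11 two-call pattern for C_GetMechanismList (first call with a NULL buffer to learn the count, second call with a sized buffer) and checks the returned list for CKM_AES_CTR. The type and constant definitions are a minimal subset copied from the public PKCS#11 headers so the example compiles without pkcs11.h; the two "modules" at the bottom are constructed stand-ins that return fixed mechanism lists. Against a real vendor library you would load it with dlopen/LoadLibrary, call C_GetFunctionList, C_Initialize and C_GetSlotList, and pass the library's C_GetMechanismList pointer and a real slot ID to slot_supports_aes_ctr.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal subset of PKCS#11 types and constants (values as in the OASIS
 * pkcs11t.h).  Real code includes the vendor's or OASIS pkcs11.h instead. */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV;
typedef CK_ULONG CK_SLOT_ID;
typedef CK_ULONG CK_MECHANISM_TYPE;

#define CKR_OK                0x000UL
#define CKR_BUFFER_TOO_SMALL  0x150UL
#define CKM_AES_ECB           0x1081UL
#define CKM_AES_CBC           0x1082UL
#define CKM_AES_CBC_PAD       0x1085UL
#define CKM_AES_CTR           0x1086UL

/* Signature of C_GetMechanismList as defined by the PKCS#11 standard. */
typedef CK_RV (*GetMechanismListFn)(CK_SLOT_ID, CK_MECHANISM_TYPE *, CK_ULONG *);

/* Query a slot's mechanism list with the standard two-call pattern and
 * report whether CKM_AES_CTR is offered.
 * Returns 1 if supported, 0 if not, -1 if the module returned an error. */
int slot_supports_aes_ctr(GetMechanismListFn get_list, CK_SLOT_ID slot)
{
    CK_ULONG count = 0;
    /* First call: NULL buffer, module fills in the number of mechanisms. */
    CK_RV rv = get_list(slot, NULL, &count);
    if (rv != CKR_OK) return -1;
    if (count == 0) return 0;

    CK_MECHANISM_TYPE *mechs = calloc(count, sizeof *mechs);
    if (mechs == NULL) return -1;

    /* Second call: sized buffer.  CKR_BUFFER_TOO_SMALL here would mean the
     * list grew between calls; treat any non-OK result as a failure. */
    rv = get_list(slot, mechs, &count);
    if (rv != CKR_OK) { free(mechs); return -1; }

    int found = 0;
    for (CK_ULONG i = 0; i < count; i++) {
        if (mechs[i] == CKM_AES_CTR) { found = 1; break; }
    }
    free(mechs);
    return found;
}

/* ---- Constructed stand-in modules (hypothetical, not vendor drivers) ---- */

/* Implements the two-call contract over a fixed array of mechanisms. */
static CK_RV fake_list(const CK_MECHANISM_TYPE *src, CK_ULONG n,
                       CK_MECHANISM_TYPE *out, CK_ULONG *cnt)
{
    if (out == NULL) { *cnt = n; return CKR_OK; }
    if (*cnt < n)    { *cnt = n; return CKR_BUFFER_TOO_SMALL; }
    memcpy(out, src, n * sizeof *src);
    *cnt = n;
    return CKR_OK;
}

/* Device offering only AES-ECB / AES-CBC: common, but unusable for DbDefence. */
CK_RV cbc_only_GetMechanismList(CK_SLOT_ID slot, CK_MECHANISM_TYPE *out, CK_ULONG *cnt)
{
    static const CK_MECHANISM_TYPE m[] = { CKM_AES_ECB, CKM_AES_CBC, CKM_AES_CBC_PAD };
    (void)slot;
    return fake_list(m, 3, out, cnt);
}

/* Device that also offers AES-CTR: suitable for DbDefence. */
CK_RV ctr_GetMechanismList(CK_SLOT_ID slot, CK_MECHANISM_TYPE *out, CK_ULONG *cnt)
{
    static const CK_MECHANISM_TYPE m[] = { CKM_AES_ECB, CKM_AES_CBC, CKM_AES_CTR };
    (void)slot;
    return fake_list(m, 3, out, cnt);
}

int main(void)
{
    printf("CBC-only device supports AES_CTR: %d\n", slot_supports_aes_ctr(cbc_only_GetMechanismList, 0));
    printf("CTR device supports AES_CTR:      %d\n", slot_supports_aes_ctr(ctr_GetMechanismList, 0));
    return 0;
}
```

Presence in the mechanism list is the necessary check; a thorough probe would also call C_GetMechanismInfo on CKM_AES_CTR and confirm the CKF_ENCRYPT and CKF_DECRYPT flags are set, since a module may list a mechanism for other operations only.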

Encryption functionality using a PKCS#11 module has been added to the Encryptor GUI, the command-line tool and the API.