PKCS#11

DbDefence 7 adds support for PKCS#11 in SQL Server. PKCS#11 modules provide support for encryption hardware, encryption algorithms, secure storage and other security-related functions. A PKCS#11 module may serve as a driver for real hardware or may provide only an encryption algorithm in software.

Benefits from using PKCS#11 modules

  • Security. Hardware modules and key management provide better security.
  • Encryption control. You can write your own module and control encryption and key storage.
  • Certification. By using certified PKCS#11 modules and certified hardware you can more easily pass various security regulations and compliance requirements.
  • No vendor lock-in. You are not "vendor-locked" to the encryption algorithm and may switch between encryption providers. The PKCS#11 specification is very well documented.
  • Price. Small companies may use inexpensive hardware for trusted encryption. Large companies may extend their existing security hardware infrastructure and get SQL Server encryption functionality at lower cost.

Technical information

DbDefence implements data-at-rest encryption using the standardized AES algorithm. If a PKCS#11 module is used, the encryption relies entirely on the module: DbDefence sends every chunk of the database data to the module's encryption/decryption routine. A PKCS#11 module may represent existing physical hardware attached to the computer or may virtualize it. However, not all devices are suitable for database encryption. The device (physical or virtual) must support the AES_CTR mechanism. You may find hardware that provides only the more common AES_CBC or AES_ECB mechanisms, but those cannot be used. To check whether hardware supports AES_CTR, consult the vendor documentation.
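Vendor documentation is not always precise about mechanism flags, so a practical check before committing a database to a module is to query the module itself for CKM_AES_CTR and confirm the mechanism reports both encrypt and decrypt capability. The script below is an added example, not DbDefence's own tooling; the constant values come from the PKCS#11 specification, the live query assumes the python-pkcs11 package is installed, and the sample token responses are constructed, not captured from a real device.

```python
"""Check whether a PKCS#11 token can serve DbDefence: it must offer CKM_AES_CTR
with encrypt and decrypt capability (AES_CBC/AES_ECB alone are not enough)."""
from dataclasses import dataclass

# Constants from the PKCS#11 specification (pkcs11t.h).
CKM_AES_ECB, CKM_AES_CBC, CKM_AES_CTR = 0x1081, 0x1082, 0x1086
CKF_ENCRYPT, CKF_DECRYPT = 0x100, 0x200


@dataclass
class MechInfo:
    """Subset of CK_MECHANISM_INFO as returned by C_GetMechanismInfo."""
    min_key: int   # minimum key size in bytes
    max_key: int   # maximum key size in bytes
    flags: int     # CKF_* capability bits


def assess_token(mechs: dict, key_bytes: int = 32) -> list:
    """Return a list of findings; an empty list means the token is usable."""
    problems = []
    info = mechs.get(CKM_AES_CTR)
    if info is None:
        problems.append("CKM_AES_CTR not offered")
        if CKM_AES_CBC in mechs or CKM_AES_ECB in mechs:
            problems.append("only AES_CBC/AES_ECB present: not usable for database encryption")
        return problems
    if not (info.flags & CKF_ENCRYPT) or not (info.flags & CKF_DECRYPT):
        problems.append("CKM_AES_CTR lacks encrypt or decrypt flag")
    if not (info.min_key <= key_bytes <= info.max_key):
        problems.append(f"CKM_AES_CTR key size {key_bytes} bytes outside {info.min_key}..{info.max_key}")
    return problems


def query_module(path: str, slot_index: int = 0) -> dict:
    """Read mechanism info from a real module via python-pkcs11 (assumed installed)."""
    import pkcs11  # pip install python-pkcs11
    slot = pkcs11.lib(path).get_slots(token_present=True)[slot_index]
    result = {}
    for mech in slot.get_mechanisms():
        info = slot.get_mechanism_info(mech)
        result[int(mech)] = MechInfo(info.min_key_length, info.max_key_length, int(info.flags))
    return result


# Constructed sample responses (not captured from a real device).
CTR_TOKEN = {CKM_AES_CTR: MechInfo(16, 32, CKF_ENCRYPT | CKF_DECRYPT),
             CKM_AES_CBC: MechInfo(16, 32, CKF_ENCRYPT | CKF_DECRYPT)}
CBC_ONLY_TOKEN = {CKM_AES_CBC: MechInfo(16, 32, CKF_ENCRYPT | CKF_DECRYPT),
                  CKM_AES_ECB: MechInfo(16, 32, CKF_ENCRYPT | CKF_DECRYPT)}

if __name__ == "__main__":
    import sys
    mechs = query_module(sys.argv[1]) if len(sys.argv) > 1 else CTR_TOKEN
    print(assess_token(mechs) or ["token offers AES_CTR: usable"])
```

Run it with the module's shared-library path as the only argument to inspect a real token; without an argument it evaluates the constructed sample.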

Encryption functionality using PKCS#11 modules was added to the Encryptor GUI, the command line tool and the API.