
Encryption at rest

This page walks through the configuration of the database for enabling encryption of message content at rest.

Encryption at rest of message content relies on SQL Server Always Encrypted. Always Encrypted is a SQL Server technology that encrypts data at rest transparently to the application: a database driver on the client side performs the encryption and decryption between the client application and the SQL Server, so the server itself never handles plaintext.

The database driver reads the encryption metadata from the database that tells it where to fetch the encryption key for each encrypted column. Then the driver fetches the key and encrypts/decrypts the column data using the key.

This ensures that the data is encrypted in the database and exists in an unencrypted state only in memory on the MCE server.

Supported Scenarios

MCE currently supports the encryption of the following:

  • All message content
  • All message metadata

Encrypting group and user information is not supported.

Enabling Always Encrypted for MCE

SQL Server configuration

MindLink provides a PowerShell script to enable the encryption of sensitive data. The script provides the most basic configuration, in which it is run by a single account that is both a Security and a Database administrator. The script at enable-encryption.ps1 exposes a function that must be run after the database has been migrated to the latest version.

Import-Module .\enable-encryption.ps1
Enable-MceEncryption -connectionString "Server=sql.domain.local;Database=Mce;Integrated Security=True"

The PowerShell script can be adapted to support role separation by following the steps outlined at Microsoft Docs - Configuring Always Encrypted with Role Separation.

When communicating with a database that has an encrypted column, the application has to opt-in to the database driver encryption mechanics.

  1. Add Column Encryption Setting=enabled to the MCE database connection string.
  2. Make sure that all the encryption keys (the column master keys referenced by the database) are available to the user account running the service on every MCE application server.
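A readiness check for the two opt-in steps above, as an added PowerShell example that is not part of the MindLink documentation or its scripts. It assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later (which has the System.Data.SqlClient Always Encrypted types), column master keys stored with the MSSQL_CERTIFICATE_STORE provider, and that it is run as the account that runs the MCE service on each application server.

```powershell
# Added example (not MindLink's code). Verifies that a connection string opts in to
# Always Encrypted and that every column master key the database references can be
# opened, with its private key, by the current user. Assumes MSSQL_CERTIFICATE_STORE keys.
function Test-MceEncryptionReadiness {
    param([Parameter(Mandatory = $true)][string] $ConnectionString)

    # Step 1: the driver only encrypts/decrypts when the connection string enables it.
    $builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder $ConnectionString
    $enabled = $builder.ColumnEncryptionSetting -eq `
        [System.Data.SqlClient.SqlConnectionColumnEncryptionSetting]::Enabled

    # Step 2: read the column master key metadata the driver will use to locate keys.
    $issues = @()
    $connection = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    try {
        $connection.Open()
        $command = $connection.CreateCommand()
        $command.CommandText = 'SELECT name, key_store_provider_name, key_path FROM sys.column_master_keys'
        $reader = $command.ExecuteReader()
        while ($reader.Read()) {
            $name = $reader['name']
            $provider = $reader['key_store_provider_name']
            $path = $reader['key_path']
            if ($provider -ne 'MSSQL_CERTIFICATE_STORE') {
                # Other providers (e.g. Azure Key Vault) need their own access check.
                $issues += "$name uses provider $provider; verify access separately"
                continue
            }
            # key_path looks like CurrentUser/My/<thumbprint>; map it onto the Cert: drive.
            $certPath = 'Cert:\' + ($path -replace '/', '\')
            $cert = Get-Item -Path $certPath -ErrorAction SilentlyContinue
            if (-not $cert) { $issues += "$name ($path) not found in certificate store"; continue }
            if (-not $cert.HasPrivateKey) { $issues += "$name ($path) has no private key" }
        }
        $reader.Close()
    } finally {
        $connection.Close()
    }

    [pscustomobject]@{
        ColumnEncryptionEnabled = $enabled
        Issues                  = $issues
        Ready                   = $enabled -and ($issues.Count -eq 0)
    }
}

# Sample invocation using the connection string from this page with the opt-in appended.
Test-MceEncryptionReadiness -ConnectionString 'Server=sql.domain.local;Database=Mce;Integrated Security=True;Column Encryption Setting=enabled'
```

Run it under each service account on every MCE application server; a Ready value of False with a populated Issues list points at the server or account that will fail to decrypt message content.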