SQL2-00-019500 - SQL Server must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

Information

Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data.

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data.

Use of cryptography to provide confidentiality and non-repudiation is not effective unless strong methods are employed with its use. Many earlier encryption methods and modules have been broken and/or overtaken by increasing computing power. The NIST FIPS 140-2 cryptographic standards provide proven methods and strengths to employ cryptography effectively.

Detailed information on the NIST Cryptographic Module Validation Program (CMVP) is available at the following website: http://csrc.nist.gov/groups/STM/cmvp/index.html.

Solution

Implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

Ensure the database is backed up.

Run the following SQL to undo encryption and drop the existing database encryption key:
USE master;
GO
ALTER DATABASE <database name> SET ENCRYPTION OFF;
GO
USE <database name> ;
GO
DROP DATABASE ENCRYPTION KEY;
GO

Run the following SQL to drop a server certificate from the SQL Server instance:
USE master;
GO
DROP CERTIFICATE <certificate name>;
GO

If applicable, run the following SQL to drop a symmetric key:
USE <database name>;
GO
DROP SYMMETRIC KEY <key name>;
GO

Configure encryption to use approved encryption algorithms. Existing keys are not reconfigurable to use different algorithms.

Run SQL along the lines of the following to import an externally-created server certificate (see Microsoft documentation for options and syntax details):
USE master;
GO
CREATE CERTIFICATE <certificate name>
FROM FILE = '<path\file_name>'
...
;
GO

Run the following SQL to create a database encryption key and encrypt the database:
USE <database name>;
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER CERTIFICATE <certificate name>;
GO
USE master;
GO
ALTER DATABASE <database name> SET ENCRYPTION ON;
GO

Note: The acceptable algorithms are: 'AES 128', 'AES 192', 'AES 256' and 'Triple DES'.

If required, run the following SQL to create a symmetric key and assign an existing certificate:
USE <database name>;
GO
CREATE SYMMETRIC KEY <key name>
WITH ALGORITHM = AES_256
ENCRYPTION BY CERTIFICATE <certificate name>;

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_SQL_Server_2012_V1R20_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-13, CAT|II, CCI|CCI-002450, Rule-ID|SV-53940r5_rule, STIG-ID|SQL2-00-019500, Vuln-ID|V-41412

Plugin: MS_SQLDB

Control ID: 71d9ac06efd5d948539f36c72c7a2bcbeb15657e5020e74ba08f900063428813