Securing a database

Greetings,

Developing an angular/electron app to be used on an airgapped laptop with sql backend. Was thinking of using sqlite3 but I am more familiar with sql server.

Other than user name and password on laptop, bitlocker on the hard disk, we need to implement something that will protect both the data files (read up TDE, I like it) but also the data itself. Now since this is an airgapped laptop we are thinking of using a sql user (good or bad?)

What would you recommend. I have read up DATABASE ENCRYPTION KEY, COLUMN ENCRYPTION KEY. I have a decent grasp on all of these encryption types but trying to sort out which would be the best one to implement.

100% paranoia is the requirement :slight_smile:

Thanks

That could be a problem!

As well as TDE you might also want to look at third party products like:
https://www.database-encryption.com/

I'd suggest reconsidering SQLite. It's really robust and not that hard to use, there's tons of libraries and bindings for it in every language. It's probably already incorporated into Electron. And unless you're using Express Edition, you need to use a paid license version of SQL Server.

I'm not up-to-date on the Electron and Angular spaces, but since they are web-based you have some additional surface area that could be compromised. Since this is going to be isolated I don't see how a web programming platform benefits, except for ease of programming. If you're serious about "100% paranoia" then I think you'd be better off with a .Net language or C/C++, something that doesn't already include networking.

If you're air-gapping it and using SQL Server, suggest you disable all the network libraries except for Shared Memory. You'd sacrifice the Dedicated Admin connection though, which requires TCP/IP, but you could probably work around any situation that would require it.

Additionally, you need to figure out something for backing up the database(s), and if you're using TDE or Always Encrypted you also need to back up all the keys and keep them elsewhere. Backing up only on the same laptop is as bad as not backing up at all, so you'd have to have some way to offload the data/backups to other protected storage. Simplest suggestion is a USB drive with enough capacity, and keeping it locked up in a safe.

2 Likes

Thanks @robert_volk the sqlite option makes much more sense. Sql seems like overkill for such an app, even express. The app is up and running woth sql server express. And now I am running it using sqlite.

@robert_volk all this went well until we hit a wall with sqlite3 encryption in windows. I think for now we will go with SQL Express.

1 Like