Encrypt/Decrypt a string via web API code and store encrypted value in SQL database?

I need to be HIPAA compliant and those requirements indicate AES256 encryption will be sufficient for storing of sensitive data (first name, last name, SSN, ID, DOB, Phone, VIN, etc.).

I'm leaning towards encryption through application code rather than using MS SQL or MySQL built-in support for encrypted fields, to avoid the SQL signed certificates process, setting a MASTER KEY, etc.

I researched AES256 encryption using .NET 6 and most warned not to use AES - CBC, ECB, EFB or CTS ... in fact even Microsoft's own documentation suggests NOT using CBC, but also provides an Aes class code sample that makes no practical sense, found here? Encrypt then Decrypt within the same execution scope ... that would almost never happen in the real world, where encrypted data is saved, then retrieved and decrypted at some later date.

There is obviously going to be a performance hit when searching and/or reporting on (wild cards) any data that is encrypted; I'll have to iterate through it before returning the data to the requesting source (I have a threaded multi-core strategy here).

What's the "current" best-practices method for encrypting/decrypting field-level data in a SQL database using application code? Will I need to allocate a field to hold a random value for each field I want to encrypt, in addition to a global application key?

If AES .NET 6 crypto libraries are to be avoided, what are my other options?

Did you check this question? Entity Framework with Sql Server Column Level Encryption. I think this might be useful if you are working with EF Core.

You can use attributes for this.

1 - Create an attribute:

[AttributeUsage(AttributeTargets.All)]
public class EncryptData: System.Attribute
{
   public EncryptData()
   {
   }
}

2 - Use it wherever you want:

public class Person 
{
    [EncryptData]
    public string Name {get;set;}
} 

3 - Use it on insert:

// Inside a generic repository where T is the entity type
public void Insert(T entity)
{
    // your code

    EncryptFields(entity, dbContext);
    dbContext.Add(entity);
    dbContext.SaveChanges();
}


using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Linq;
using System.Reflection;

public virtual T EncryptFields(T entity, MyDbContext dbContext)
{
    // [EncryptData] may sit directly on the entity's property (step 2)
    // or on a [MetadataType] "buddy" class, so collect both sets of properties.
    Type entityType = entity.GetType();
    IEnumerable<PropertyInfo> properties = entityType.GetProperties();
    foreach (MetadataTypeAttribute metadata in entityType.GetCustomAttributes(true).OfType<MetadataTypeAttribute>())
    {
        properties = properties.Concat(metadata.MetadataClassType.GetProperties());
    }

    foreach (PropertyInfo pi in properties)
    {
        if (Attribute.IsDefined(pi, typeof(EncryptData)))
        {
            var property = dbContext.Entry(entity).Property(pi.Name);
            // YOUR ENCRYPTION ALGORITHM goes in Encrypt(); it must return the value as stored in the column
            property.CurrentValue = Encrypt((string)property.CurrentValue);
        }
    }
    return entity;
}
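Putting the two threads together (the question's worry about needing a random value per encrypted field, and this answer's attribute-driven approach), here is an added example that is not part of the question or the answer: AES-256-GCM field encryption in .NET 6 with the per-value nonce stored inside the ciphertext blob, an HMAC blind index for exact-match lookups, and the `[EncryptData]` attribute wired into EF Core through a value converter so that encryption happens on every insert and update without a repository having to remember to call it. `FieldCipher`, `ClinicContext`, `Person`, `SsnIndex` and the way the keys are supplied are assumptions made for the example; it needs the `Microsoft.EntityFrameworkCore` package.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Storage.ValueConversion;

// Marks a string property whose value must be stored encrypted.
[AttributeUsage(AttributeTargets.Property)]
public sealed class EncryptDataAttribute : Attribute { }

// AES-256-GCM field cipher (example code). Stored format, base64-encoded:
//   version (1 byte) || nonce (12 bytes) || tag (16 bytes) || ciphertext
// The random per-value nonce travels inside the blob, so no extra column is needed for it.
public sealed class FieldCipher
{
    private const byte FormatVersion = 1;   // lets a future key/format change coexist with old rows
    private const int NonceSize = 12;       // 96-bit nonce, the size NIST recommends for GCM
    private const int TagSize = 16;         // 128-bit authentication tag
    private readonly byte[] _key;
    private readonly byte[] _indexKey;

    // Both keys are 32 bytes and come from a key vault / KMS / DPAPI (assumed), never from source or the database.
    public FieldCipher(byte[] encryptionKey, byte[] blindIndexKey)
    {
        if (encryptionKey.Length != 32) throw new ArgumentException("AES-256 needs a 32-byte key", nameof(encryptionKey));
        _key = encryptionKey;
        _indexKey = blindIndexKey;
    }

    public string Encrypt(string plaintext)
    {
        if (plaintext is null) return null;
        byte[] pt = Encoding.UTF8.GetBytes(plaintext);
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize);   // fresh per value; never reused under one key
        byte[] ct = new byte[pt.Length];
        byte[] tag = new byte[TagSize];
        using (var aes = new AesGcm(_key))
            aes.Encrypt(nonce, pt, ct, tag);
        byte[] blob = new byte[1 + NonceSize + TagSize + ct.Length];
        blob[0] = FormatVersion;
        Buffer.BlockCopy(nonce, 0, blob, 1, NonceSize);
        Buffer.BlockCopy(tag, 0, blob, 1 + NonceSize, TagSize);
        Buffer.BlockCopy(ct, 0, blob, 1 + NonceSize + TagSize, ct.Length);
        return Convert.ToBase64String(blob);
    }

    public string Decrypt(string stored)
    {
        if (stored is null) return null;
        byte[] blob = Convert.FromBase64String(stored);
        if (blob.Length < 1 + NonceSize + TagSize || blob[0] != FormatVersion)
            throw new CryptographicException("Unrecognised ciphertext format");
        ReadOnlySpan<byte> nonce = blob.AsSpan(1, NonceSize);
        ReadOnlySpan<byte> tag = blob.AsSpan(1 + NonceSize, TagSize);
        ReadOnlySpan<byte> ct = blob.AsSpan(1 + NonceSize + TagSize);
        byte[] pt = new byte[ct.Length];
        using (var aes = new AesGcm(_key))
            aes.Decrypt(nonce, ct, tag, pt);   // throws CryptographicException if the tag does not verify
        return Encoding.UTF8.GetString(pt);
    }

    // Keyed hash for exact-match lookups (e.g. find by SSN) without decrypting every row.
    // Stored in its own column; it reveals only equality between rows, not the value.
    public string BlindIndex(string plaintext) =>
        Convert.ToBase64String(HMACSHA256.HashData(_indexKey, Encoding.UTF8.GetBytes(plaintext.Trim().ToUpperInvariant())));
}

public sealed class Person
{
    public int Id { get; set; }
    [EncryptData] public string Ssn { get; set; }
    public string SsnIndex { get; set; }   // set to cipher.BlindIndex(ssn) before saving
}

public sealed class ClinicContext : DbContext
{
    private readonly FieldCipher _cipher;
    public DbSet<Person> People => Set<Person>();

    public ClinicContext(DbContextOptions<ClinicContext> options, FieldCipher cipher) : base(options) => _cipher = cipher;

    // Attach an encrypt/decrypt converter to every string property carrying [EncryptData],
    // so application code only ever sees plaintext and no code path can forget to encrypt.
    protected override void OnModelCreating(ModelBuilder modelBuilder)
    {
        var converter = new ValueConverter<string, string>(v => _cipher.Encrypt(v), v => _cipher.Decrypt(v));
        foreach (var entityType in modelBuilder.Model.GetEntityTypes())
            foreach (var property in entityType.GetProperties())
            {
                var clr = property.PropertyInfo;
                if (clr != null && clr.PropertyType == typeof(string) && Attribute.IsDefined(clr, typeof(EncryptDataAttribute)))
                    property.SetValueConverter(converter);
            }
    }
}
```

GCM is an authenticated mode, which is what the "don't use CBC/ECB" advice in the question is steering towards: a modified or wrongly keyed blob fails the tag check on `Decrypt` instead of yielding garbage. Because every `Encrypt` call produces a different blob, `People.Where(p => p.Ssn == x)` can never match; query `p.SsnIndex == cipher.BlindIndex(x)` for exact matches, and accept that wildcard or partial-match searches still mean decrypting candidate rows in the application, as the question already anticipates.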
