The Microsoft Data Encryption SDK provides encryption support to applications. It allows developers to implement column- or field-level encryption for data stored in various data stores, including Azure data services.
The SDK consists of the following modules:
The Cryptography module provides APIs for objects like encryption keys, serializers, key store provider interfaces, and associated caches.
The module implements cryptographic operations using a two-level key hierarchy composed of data encryption keys (DEKs), which encrypt the data, and key encryption keys (KEKs), which protect the DEKs and are kept in a key store.
The Cryptography module uses cryptographic algorithms that are fully compatible with Always Encrypted in Azure SQL. The data encryption algorithm is AEAD_AES_256_CBC_HMAC_SHA_256, derived from the IETF specification draft at https://tools.ietf.org/html/draft-mcgrew-aead-aes-cbc-hmac-sha2-05. The key encryption algorithm is RSA with OAEP padding. For more information, see Always Encrypted cryptography.
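An added example, not the SDK's own code, of the data-encryption (DEK) layer of that hierarchy in Go: encrypt-then-MAC in the AEAD_AES_256_CBC_HMAC_SHA_256 family, with the AES key and the HMAC key both derived from a single DEK and the MAC verified before any decryption takes place. The "enc"/"mac" subkey labels, the envelope layout and the error text are this example's own assumptions, so its output is not byte-compatible with Always Encrypted, and the KEK layer (RSA-OAEP wrapping of the DEK through a key store provider) is outside it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// hmacSHA256 serves two purposes: deriving purpose-specific subkeys from the DEK (so the
// AES key and the MAC key are never the same bytes) and computing the authentication tag.
func hmacSHA256(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// EncryptField: AES-256-CBC with PKCS#7 padding under a fresh random IV (randomized, not
// deterministic, encryption), then HMAC-SHA256 over iv||ct under a separate subkey.
// Envelope layout mac(32) || iv(16) || ct is this example's own, not the SDK's wire format.
func EncryptField(dek, plaintext []byte) ([]byte, error) {
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(hmacSHA256(dek, []byte("enc"))) // 32-byte subkey: AES-256, cannot fail
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	body := append(iv, ct...)
	return append(hmacSHA256(hmacSHA256(dek, []byte("mac")), body), body...), nil
}

// DecryptField checks length and MAC (in constant time) before decrypting, so tampering or
// truncation is rejected without leaking a padding error; the verified MAC then vouches for
// the final pad byte, which an honest encryptor always sets to a value in 1..16.
func DecryptField(dek, env []byte) ([]byte, error) {
	if len(env) < 64 || len(env)%aes.BlockSize != 0 ||
		!hmac.Equal(env[:32], hmacSHA256(hmacSHA256(dek, []byte("mac")), env[32:])) {
		return nil, errors.New("authentication failed")
	}
	block, _ := aes.NewCipher(hmacSHA256(dek, []byte("enc")))
	pt := make([]byte, len(env)-48)
	cipher.NewCBCDecrypter(block, env[32:48]).CryptBlocks(pt, env[48:])
	return pt[:len(pt)-int(pt[len(pt)-1])], nil
}
```

Because the IV is random, encrypting the same value twice yields two different envelopes; a deterministic mode (as Always Encrypted offers for equality lookups) would instead derive the IV from the plaintext.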
A file encryption module supports encrypting and decrypting columns in Parquet files. It stores the encryption metadata in JSON format within the Parquet file's metadata footer.
An Azure Key Vault provider module implements the key store provider interface using Azure Key Vault. It allows you to use KEKs stored in Azure Key Vault.
The diagram below shows an example Azure application and illustrates the benefits of the Microsoft Data Encryption SDK.
The sample application is a data analytics pipeline that loads data stored in parquet files on premises to Azure Data Lake. Subsequently, Azure Data Factory jobs transform and transport the data to other Azure data services, including Synapse SQL, CosmosDB and Azure SQL. Then, custom applications hosted in Azure VMs or Azure App Services, and Spark jobs in Synapse Analytics access and process the data.
In such applications, the SDK helps ensure:
Sensitive data gets encrypted at ingestion to Azure.
Sensitive data stays encrypted when it flows to other Azure data services.
Control over which Azure compute services and which users can decrypt and access the data in plaintext.
Interoperability with Always Encrypted in Azure SQL.
The SDK currently supports the following platforms:
This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
These samples and templates are all licensed under the MIT license. See the LICENSE.txt file in the root.